MySQL Service UDF Exploit
MySQL provides multiple ways to execute shell commands directly on the system. Here we are going to exploit one of them: the user-defined function (UDF).
Once you gain initial access to the target machine, you need to verify that the MySQL service is running as the root user and that you can log in without a password as the root user. Alternatively, you can proceed if you have the root user's password.
We can use a popular exploit, 'raptor', that leverages User Defined Functions (UDFs) to execute system commands as the root user through the MySQL service. Before proceeding with the exploit, we need to compile it and convert it into a shared object, which is similar to a DLL on a Windows machine.
As a typical user, we usually do not have write access to ‘/usr/lib/mysql/plugin/’. In this scenario, we write the shared object file using the MySQL service itself. We select the ‘mysql’ database that is available in the SQL service on the compromised machine, create a table named ‘foo’, insert the converted shared object file into the ‘foo’ table, write the file into the MySQL plugin directory at ‘/usr/lib/mysql/plugin/’, and create a new function named ‘do_system’ from the written shared object file.
Using the created ‘do_system’ function, we copy the ‘/bin/bash’ binary to ‘/tmp/rootbash’ and modify the permissions of ‘/tmp/rootbash’ to make it executable with the group SUID (Set User ID) permission.
Afterward, you can run the ‘/tmp/rootbash’ executable with the ‘-p’ option to obtain a shell running with root privileges.
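Each step above leaves an artefact a defender can check for. The following is an added example, not part of the original post: a Python audit that flags a root-owned mysqld, UDFs registered in `mysql.func`, and SUID/SGID files under world-writable directories. The sample data, the library name `example_udf.so` and the empty allowlist are constructed assumptions.

```python
import os
import stat

# Assumption: this host is not expected to load any UDF library.
ALLOWED_UDF_LIBS = frozenset()

def mysqld_as_root(ps_lines):
    """True if a line of `ps -eo user=,comm=` shows mysqld/mariadbd owned by root."""
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "root" and parts[1] in ("mysqld", "mariadbd"):
            return True
    return False

def unexpected_udfs(func_rows, allowed=ALLOWED_UDF_LIBS):
    """func_rows: (name, dl) tuples from `SELECT name, dl FROM mysql.func`."""
    return [(name, dl) for name, dl in func_rows if dl not in allowed]

def setid_entries(entries, writable_dirs=("/tmp", "/var/tmp", "/dev/shm")):
    """entries: (path, st_mode) pairs; return SUID/SGID regular files in writable dirs."""
    hits = []
    for path, mode in entries:
        in_writable = any(path.startswith(d + "/") for d in writable_dirs)
        if in_writable and stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append(path)
    return hits

def walk_modes(root):
    """Yield (path, st_mode) for every file under root, without following symlinks."""
    for base, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(base, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue  # file vanished or is unreadable

# Constructed sample data mirroring the artefacts described on this page.
SAMPLE_PS = ["root     mysqld", "www-data apache2"]
SAMPLE_FUNC = [("do_system", "example_udf.so")]
SAMPLE_MODES = [("/tmp/rootbash", 0o106755), ("/tmp/notes.txt", 0o100644)]

def audit(ps_lines, func_rows, entries):
    return {"mysqld_as_root": mysqld_as_root(ps_lines),
            "unexpected_udfs": unexpected_udfs(func_rows),
            "setid_in_tmp": setid_entries(entries)}

if __name__ == "__main__":
    print(audit(SAMPLE_PS, SAMPLE_FUNC, SAMPLE_MODES))
```

On a live host, feed `audit` the output of `ps -eo user=,comm=`, the rows of `SELECT name, dl FROM mysql.func`, and `walk_modes("/tmp")`. Any finding points at the corresponding fix: run mysqld under an unprivileged account, require a password for the MySQL root user, and drop unrecognised UDFs and their libraries from the plugin directory.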