MySql is a widely used open-source database. As we all know, a database is used to store large amounts of relational data. Databases also have the ability to execute system commands depending on who the database is running as.

Before we jump into exploiting MySql, let’s get familiar with a few basic commands:

Logging In

Interacting With MySql

Dump All Databases

Exploiting MySql

So in order to interact with the database, we need a password. This may be found in some sort of configuration file in the web root (/var/www) or something similar. Below is an example of something you might see in a config file containing a database password. See my Password Hunting post for more details on finding passwords.

Note: Keep in mind that MySql running with root privileges is different than a MySql user called root. They are two different things. You can have a user named bob on a Linux machine, and you can also have a user bob for logging to the MySql database to manage it, but they are not correlated at all.

After we have determined what the password for the database is (or maybe there is no password), we will have to customize the attack depending on the operating system we are using. I will give examples for Windows and Linux.

Windows 32/64 bit

If we are exploiting a 64 bit version of Windows, we need to download the 64 bit UDF library from the SQLMap program. You can download it here. The file should be called lib_mysqludf_sys.dll and we need to copy it to the target location. This could be in a user folder or a temp directory.

After we have successfully copied the file to the server, we will be running a series of commands to load the file into a new row, dump the contents of that row to a new file, create a new function to point to the new file, then execute the function and hopefully get SYSTEM. Below is the series of commands we will be running after connecting to MySql:

This will add a new user hacker to the Administrators group on the computer. If we want to do this for a 32 bit Windows machine, the steps are the same but we need to download the 32 bit UDF library instead.

Linux

The steps are very similar for Linux. We need to download the UDF binary first. We are going to use the 64 bit UDF library for this example. You can download it here. For 32 bit machines, you can download the library here.

The file should be called lib_mysqludf_sys.so and we need to copy it to the target location. This could be in a user folder or the /tmp/ directory. We will then be issuing commands to load the file into a new row, dump the contents of that row to a new file, create a new function to point to the new file, then execute the function to get a reverse shell as root.

Before running the last command, we should have a netcat listener up. We can run this on our Kali machine by typing in nc -nvlp 443 and we are assuming our IP address is 192.168.1.99 in this example. If all goes well, we should have a reverse shell back to our machine as root.

MySql 4x/5.0 Exploit

If there is a MySql server that is version 4.x to 5.0, there is a known exploit to get root on the system. The proof of concept code can be found here.

First, on our Kali machine we need to download the file from Exploit-DB and compile the code:

Now we should have a .so file that we need to transfer to the target machine. Use your favorite file transfer method. Put it in the /tmp/ directory of the target machine for now.

Change the permissions of the file:

Now login to the MySql Database:

Now we will follow the instructions in the exploit to trigger the vulnerability with our new .so file. Before running the commands make sure you have a netcat listener running on your Kali machine:

The last command should run the reverse shell and you should now have root shell on your machine.

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP