Premise
In this tutorial, I walk through database exploitation through the use of user-defined functions (UDFs). The vulnerabilities in user-defined functions can be exploited on MariaDB and MySQL with slight modifications to the path of the plugin directory. Then, through a system execution function and the shellcode we created, we can use our root access to the database to jump from MySQL into a system-wide root reverse shell.
Skills Learned
- Database Exploitation
- MariaDB
- MySQL
Objective & Setup
I start as a low-privilege user (like www-data) and discover a local MySQL service running. Interestingly, the MySQL server process is owned by root. That's a huge red flag because any code executed via the MySQL server inherits root privileges.
Finding Credentials
By inspecting web configuration files (config.php), I extract the root password for MySQL. It's surprising, but this scenario often happens in real-world pentests. Armed with the password, I log in as MySQL root.
Creating a Malicious UDF
This is the technical heart of the video. I build a malicious UDF library that allows me to run shell commands via SQL. Step-by-step:
- Download the UDF exploit code (raptor_udf2.c) via wget.
- Compile it into a shared object (.so) targeting the correct architecture:
- Locate MySQL's plugin directory and upload the compiled .so file there.
- Connect to MySQL as root and execute:
- Then create the UDF, such as:
- Once registered, I can invoke the function with:
This spins up a reverse shell running as root!
Why It Works
Since MySQL is running as root, any UDF execution via the server inherits root permissions. It’s effectively a backdoor to full system compromise.
Key Takeaways
- Never run a DBMS as root; always use least-privilege service accounts.
- Keep plugin directories secure and not writable by unprivileged accounts.
- Monitor UDF creation and enforce limits on DLL loading.
- Use filesystem permissions to prevent unauthorized library uploads.
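
The takeaways above can be turned into a host audit. The following is an added example, not code from the original tutorial: it assumes the output of `ps -eo user=,comm=` and the rows of `SELECT name, dl FROM mysql.func` are collected separately and passed in, and the allowlist, function names and sample values are constructed for illustration.

```python
import os
import stat

# Assumption: baseline of UDF shared libraries you expect to see (empty here).
ALLOWED_UDF_LIBS = set()

def server_runs_as_root(ps_output):
    """ps_output: text of `ps -eo user=,comm=`. True if mysqld/mariadbd is owned by root."""
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "root" and parts[1].strip() in ("mysqld", "mariadbd"):
            return True
    return False

def plugin_dir_findings(path):
    """Flag a plugin directory that accounts other than its owner can write to."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("plugin dir is world-writable")
    if mode & stat.S_IWGRP:
        findings.append("plugin dir is group-writable")
    return findings

def unexpected_udfs(func_rows, allowed=ALLOWED_UDF_LIBS):
    """func_rows: (name, dl) tuples taken from the mysql.func table."""
    return [(name, dl) for name, dl in func_rows if dl not in allowed]

def audit(ps_output, plugin_dir, func_rows):
    """Combine the three checks into one list of human-readable findings."""
    findings = []
    if server_runs_as_root(ps_output):
        findings.append("database server process is owned by root")
    findings += plugin_dir_findings(plugin_dir)
    findings += [f"unexpected UDF {n} loaded from {d}" for n, d in unexpected_udfs(func_rows)]
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_PS = "root     mysqld\nwww-data apache2\n"
SAMPLE_FUNC_ROWS = [("example_exec_udf", "raptor_udf2.so")]
```

An empty result from `audit` means none of the three conditions this tutorial relies on were found; any entry is worth investigating on its own.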