Geoff Jones 29 August, 2012

Loading UDF Files On MySQL 5

Command execution via SQL injection is rarely possible on MySQL 5, as specifying the path to a shared library is not permitted due to security concerns - in other words it is not possible to create a UDF allowing you to run shell commands. Normally, if you can write to the default plugins location (/usr/lib/mysql/plugin), you already have root privileges and it's already game over. With MySQL 4 you could specify the full path to a shared library, so the install of a dangerous function was relatively straightforward.

Before giving up altogether however, check to see if you can write to the defined plugin_dir directory. You can retrieve this information in a SELECT statement (so you can retrieve it via SQL injection), using the following statement:

SELECT @@GLOBAL.plugin_dir

Once retrieved, test you can write to the directory using 'INTO OUTFILE', or by whatever means you may have at your disposal. If you can write to this location, installation of UDF files should still be possible, even on MySQL 5. Grab yourself a copy of your favourite UDF (I personally use, upload, compile if necessary (i.e. if the target is x64), and create your function. You should now have command execution through MySQL.

Improve your security

Our experienced team will identify and address your most critical information security concerns.