A brief analysis of MysqlDoor function creation

Many times, we use mysqldoor to retain our server permissions, and sometimes we often use udf to escalate privileges. We often encounter this situation, Can’t open shared library ‘mysqlDll_1278197415.dll’.
The UDF privilege escalation tool written by Gushui Raocheng is used here. Figure 1.

First rule out several possibilities.

1. Killed by server-side anti-virus software.

2. The file is not written.

3. Because the file name generated by the script in the system32 directory is random, the program cannot find the file name.

1. I tested it locally and turned off the anti-virus software, so this situation does not exist and is ruled out.

2. Open the system32 directory, and the generated program lies quietly in the directory. Figure 2

1. Making the third assumption already eliminates the first two possibilities. Since we are afraid that the program is the problem, let's create it manually. (mysql5.0 or above does not support absolute paths, so it is generated under system32) Figure 3

Figure: 4

I went to Google for a while, but there is still no final answer on the Internet. It is better to just find one The article is the one about creating functions written by ninty. But after thinking about it for a while, I still didn’t understand it. Finally, I saw Wuming online. He has been in the PHP environment all year round and has a good understanding of MySQL.

After discussing with him, he gave the solution to the problem by placing the udf in the data directory in mysql. As shown in the picture: 5

He can succeed on his machine, but I just can't pass it. Finally, I used QQ to assist and let him operate my computer. In the end, I still couldn't get the answer, so I had to end it with a miracle.

In desperation, I went to the BK group for help. Ninty said it was a path problem. Later, I added Q and went remote, and it was solved. Finally, I finally understood his article, haha, don’t blame me here, I’ll sort out the information.

Before elevating privileges, confirm the mysql permissions. If it is version 4.0, use the path directly; if it is version 5.0, if it is not enough to put it in the system32 directory, just put it in data. If it is version 5.1, the operation will be more troublesome. Use

show variables like %plugin%;

as long as you put the file under this path, it can be executed successfully! But the prerequisite is that you must have directory creation permissions under the mysql directory.