| Description: | | MySQL’s plugin interface permits privileged users to register external shared-library routines as User-Defined Functions (UDFs) callable from SQL. After obtaining a high-privileged database account, an attacker can upload a malicious shared object (commonly lib_mysqludf_sys) to a directory from which the server is allowed to load shared libraries, then issue a CREATE FUNCTION statement that declares a routine named sys_exec. Once this function exists, any subsequent query can invoke it to execute arbitrary operating-system commands with the privileges of the mysqld process—typically the OS account that runs the database service. Because the function’s return value is limited to an integer exit code, attackers combine it with time-based delays, DNS exfiltration, or file writes to obtain command output. The technique provides a stealthy, OS-independent backdoor that can be used for lateral movement, persistence, data theft, cryptocurrency mining, ransomware deployment, or turning the database server into a springboard for deeper network compromise. |
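The two SQL statements the description names (a `CREATE FUNCTION ... SONAME` registration and a later call to `sys_exec`) are also the two events a defender can alert on. The script below is an added example, not code from the page or from any MySQL project: it scans constructed general-query-log lines for those events and separately compares a constructed `mysql.func` inventory against an allowlist of UDFs that are supposed to be installed. The log format, the sample lines, the `Finding` class and the `unexpected_udfs` helper are all assumptions made for this example; the `mysql.func` table and the `SONAME` clause are real MySQL features.

```python
"""Detect UDF abuse in MySQL general-query-log lines and in the mysql.func inventory."""
import re
from dataclasses import dataclass

# Constructed general-query-log excerpt (not from the page). Each line is
# "<timestamp> <thread id> <command> <argument>", the layout mysqld uses with
# general_log=ON and log_output=FILE. Thread 17 is ordinary application traffic;
# thread 23 registers and invokes the UDF described on the page.
SAMPLE_LOG = """\
2024-05-01T10:00:01.000000Z   17 Connect   app@10.0.0.5 on shop using TCP/IP
2024-05-01T10:00:02.000000Z   17 Query     SELECT id, name FROM products WHERE id = 42
2024-05-01T10:00:03.000000Z   17 Query     CREATE FUNCTION vat(p DECIMAL(10,2)) RETURNS DECIMAL(10,2) RETURN p * 0.2
2024-05-01T10:00:04.000000Z   23 Query     CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'
2024-05-01T10:00:05.000000Z   23 Query     SELECT sys_exec('hostname')
2024-05-01T10:00:06.000000Z   17 Query     SELECT sysdate()
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# A UDF backed by a shared library is always registered with a SONAME clause.
# A stored function written in SQL (like vat() above) has no SONAME, so this
# rule does not fire on ordinary CREATE FUNCTION statements.
UDF_REGISTRATION_RE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<name>`?\w+`?)\s+RETURNS\s+\w+"
    r"\s+SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)
# Invocation of the command-execution routine named on the page. The word
# boundary keeps built-ins such as sysdate() from matching.
UDF_CALL_RE = re.compile(r"\b(?P<name>sys_exec)\s*\(", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    thread_id: int
    rule: str
    detail: str


def analyze_log(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious Query line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("cmd") != "Query":
            continue  # Connect/Quit lines carry no SQL
        ts, thread, sql = m.group("ts"), int(m.group("thread")), m.group("arg")
        if reg := UDF_REGISTRATION_RE.search(sql):
            name = reg.group("name").strip("`")
            findings.append(Finding(ts, thread, "udf_registration", f"{name} <- {reg.group('lib')}"))
        if call := UDF_CALL_RE.search(sql):
            findings.append(Finding(ts, thread, "udf_invocation", call.group("name").lower()))
    return findings


def unexpected_udfs(func_rows, allowlist):
    """Given rows of `SELECT name, dl FROM mysql.func`, return the (name, library)
    pairs that are not on the allowlist of UDFs the server is meant to have.
    Logs can be disabled or rotated away; the mysql.func table still records
    every UDF that is currently registered."""
    return sorted((name, dl) for name, dl in func_rows if (name.lower(), dl) not in allowlist)


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.timestamp} thread={f.thread_id} {f.rule}: {f.detail}")
    # Constructed inventory rows standing in for the result of
    # SELECT name, dl FROM mysql.func on a server with no approved UDFs.
    print(unexpected_udfs([("sys_exec", "lib_mysqludf_sys.so")], allowlist=set()))
```

Both checks are cheap enough to run on a schedule: the log scan fires on the registration itself, which only a high-privileged account can perform, while the `mysql.func` comparison catches a UDF that was installed before logging was turned on.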