Mysql Hacktricks Verified
This comprehensive guide compiles verified methodologies, advanced exploitation vectors, and robust hardening strategies inspired by the HackTricks methodology. A "verified" vulnerability is one confirmed through observable, deterministic behavior rather than just scanner flags.

1. Initial Reconnaissance and Enumeration

HackTricks provides a checklist of verified commands and tools for MySQL (port 3306):

- External Enumeration: verified Nmap NSE scripts such as mysql-audit, mysql-databases and mysql-dump-hashes are used to extract information without full system access.
- Local/Remote Connection: direct connection methods using mysql -u root (with or without a password) to verify credential security.

Privilege Escalation

Check if the service is running as root. If so, a UDF exploit grants full system control:

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'malicious_udf.so';

The FILE privilege allows an attacker to interact directly with the underlying operating system file system through SQL queries: you can read and write files anywhere on the operating system, subject to the OS-level permissions of the user running the mysqld process.

| Technique | MySQL 5.7 | MySQL 8.0 | MySQL 8.4 | MySQL 9.x | Requires FILE / SUPER | Bypasses secure_file_priv |
|---|---|---|---|---|---|---|
| UDF sys_eval / sys_exec | ✅ | ✅ | ✅ | ✅ | FILE + write to plugin_dir | No (needs dir write) |
| INTO OUTFILE WebShell | ✅ | ✅ | ✅ | ✅ | FILE + empty secure_file_priv | No |
| General Log WebShell | ✅ | ✅ | ✅ | ✅ | SUPER / SYSTEM_VARIABLES_ADMIN | ✅ Yes |
| LOAD_FILE() | ✅ | ✅ | ✅ | ✅ | FILE | No |
| SSRF + Gopher to MySQL | ✅ | ✅ | ✅ | ✅ | none (depends on network) | No |
| Malicious MySQL server (client file read) | ✅ | ✅ | ✅ | ✅ | none | ✅ Yes (client-side) |
| Auth bypass (CVE-2012-2122) | ✅ (≤5.5.23) | ❌ | ❌ | ❌ | none | N/A |
| Info schema privilege bypass | ✅ (partial) | ❌ (most) | ❌ | ❌ | none | N/A |

Reading Local Files (LOAD_FILE)

This is often blocked in modern configurations, but it is a "first-check" priority for sensitive data like .env files or SSH keys.

Writing Files (INTO OUTFILE)

You can write text or binary data to the disk. This is frequently used to drop web shells into a web server's root directory.

Logical Operations

For automated testing, sqlmap tamper scripts such as space2mysqlblank.py (which replaces each space with a random MySQL-valid blank character) and space2mysqldash.py (which replaces each space with a dash comment followed by a newline) rewrite the payload's whitespace to bypass WAF rules.

Parameterized queries (prepared statements) are the single most effective defense against SQL injection. No amount of WAF configuration can replace proper query parameterization.
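As an added defensive example (not code from the original page or from HackTricks), the following audit helper maps an account's global grants and the file-access server variables onto the risk rows of the technique matrix above. The grant and variable samples are constructed to resemble SHOW GRANTS / SHOW VARIABLES output, and the function and finding-code names are hypothetical.

```python
"""Added example (not from the original page or from HackTricks): a defensive
audit helper that maps a MySQL account's global grants plus server variables
onto the risk rows of the technique matrix above. Sample inputs are
constructed to look like SHOW GRANTS / SHOW VARIABLES output."""
import re

# Constructed sample rows of `SHOW GRANTS FOR 'app'@'%'` (not real data).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `app`@`%`",
    "GRANT FILE, SUPER ON *.* TO `app`@`%`",
    "GRANT SELECT, INSERT ON `shop`.* TO `app`@`%`",
]
# Constructed sample of the variables that gate server-side file access.
SAMPLE_VARIABLES = {"secure_file_priv": "", "general_log": "OFF"}

_GLOBAL_GRANT = re.compile(r"^GRANT (.+?) ON \*\.\* TO ", re.IGNORECASE)

def global_privileges(grant_rows):
    """Collect upper-cased privileges granted at the global (*.*) level."""
    privs = set()
    for row in grant_rows:
        m = _GLOBAL_GRANT.match(row.strip())
        if m:
            privs.update(p.strip().upper() for p in m.group(1).split(","))
    if "ALL PRIVILEGES" in privs:          # ALL implies FILE and SUPER
        privs |= {"FILE", "SUPER"}
    return privs

def assess_file_risk(grant_rows, variables):
    """Return hypothetical finding codes matching the matrix rows.
    secure_file_priv semantics: '' means no restriction, a path limits
    reads/writes to that directory, NULL disables file import/export
    entirely (so the FILE privilege alone is then not enough)."""
    privs = global_privileges(grant_rows)
    sfp = variables.get("secure_file_priv", "NULL")
    findings = []
    if "FILE" in privs and sfp != "NULL":
        findings.append("LOAD_FILE")                  # server-side file reads
        findings.append("OUTFILE_ANYWHERE" if sfp == "" else "OUTFILE_RESTRICTED")
        if sfp == "":
            findings.append("UDF_CHECK_PLUGIN_DIR")   # verify plugin_dir is not writable
    if privs & {"SUPER", "SYSTEM_VARIABLES_ADMIN"}:
        # general_log_file can be repointed at runtime; not gated by secure_file_priv
        findings.append("GENERAL_LOG_WRITE")
    return findings

if __name__ == "__main__":
    for code in assess_file_risk(SAMPLE_GRANTS, SAMPLE_VARIABLES):
        print(code)
```

Feed it the real SHOW GRANTS rows and the secure_file_priv value of each application account to see which matrix rows apply before an attacker does.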
