Mysql Hacktricks Verified Page

Mastering MySQL Attacks: The Ultimate HackTricks Verified Cheatsheet


Scenario C: Abusing SELECT ... INTO DUMPFILE for binary execution

-- Write a SUID binary
SELECT 0x7f454c46... INTO DUMPFILE '/tmp/suid_bin';
-- Then chmod +s via sys_exec if available

2. MySQL User Defined Functions (UDF) Exploitation

Prerequisite: the FILE privilege plus the ability to write into the MySQL plugin directory (@@plugin_dir).
Check the plugin directory:

SELECT @@plugin_dir;

3. Bypassing Security Features

Verified techniques often focus on circumventing modern protections:

  • Bypassing secure_file_priv – If set to a specific directory, attackers can still write temporary tables or logs within that path. HackTricks documents verified edge cases where log file writes lead to code execution (e.g., writing to general_log_file and setting general_log=1).
  • Blind SQL injection to command execution – On Windows systems with the sys_exec() UDF, attackers have verified command execution even in out-of-band conditions.
  • Abusing stored procedures – Verified examples of escalating EXECUTE privileges on procedures that run with DEFINER rights higher than the current user.

4. File Upload and Read

  • Payload: LOAD_FILE('path/to/file')
  • Description: This payload is used to read files from the server.

Example:

http://example.com/vulnerable-page?id=1 UNION SELECT LOAD_FILE('/etc/passwd') -- -

Verified attack techniques (with brief reproduction notes)

  1. Credential harvesting via default/weak passwords

    • Description: Attempt login with default accounts (root with no password) or brute force.
    • Reproduction: Connect to port 3306 using the mysql client or scripts; successful authentication grants full DB control.
    • Mitigation: Enforce strong unique passwords, disable remote root login, use scram-sha-256 where supported.
  2. SQL Injection leading to data exfiltration

    • Description: Exploit a web application injection to run arbitrary SELECTs, UNION queries, and time-based exfiltration.
    • Reproduction: Inject payloads into vulnerable parameter to dump tables, use stacked queries where allowed.
    • Mitigation: Use parameterized queries, ORM safe APIs, least privilege DB user for app.
  3. INTO OUTFILE / LOAD DATA INFILE for file write/read

    • Description: SELECT ... INTO OUTFILE writes server-side files (e.g., webroot), enabling webshells.
    • Reproduction: With FILE privilege and writable server filesystem path, execute INTO OUTFILE to place PHP/ASP webshell.
    • Mitigation: Remove FILE privilege from app accounts, restrict mysqld user filesystem permissions, disable local_infile.
  4. User-Defined Functions (UDF) for remote code execution

    • Description: Create a malicious UDF shared library and register function to execute system commands.
    • Reproduction: Requires the ability to write into the plugin directory (or INTO OUTFILE plus a local file move); then CREATE FUNCTION points at the library.
    • Mitigation: Harden filesystem, restrict plugin_dir, keep mysqld running as unprivileged user, monitor new functions.
  5. Replication abuse to read binary log / obtain credentials

    • Description: Attacker sets up a replica using compromised credentials to stream data and binary logs.
    • Reproduction: CREATE REPLICATION SLAVE with MASTER_USER/MASTER_PASSWORD and read-only access to binlog events.
    • Mitigation: Protect replication accounts, use SSL for replication, limit privileges, rotate replication credentials.
  6. Privilege escalation via GRANT/ROLE misuse

    • Description: Misconfigured users with GRANT OPTION or excessive roles allow privilege spreading.
    • Reproduction: Compromise one account with GRANT OPTION and grant privileges to attacker-controlled accounts.
    • Mitigation: Audit GRANT OPTION usage, implement role-based access, remove unnecessary global privileges.
  7. Exploiting insecure defaults & exposed ports

    • Description: A publicly exposed port 3306 often accepts connections; combined with weak authentication this leads to takeover.
    • Reproduction: Internet scan for open 3306, attempt auth.
    • Mitigation: Firewall rules, bind-address to localhost, use private networking/VPN.
  8. Backup & snapshot leakage

    • Description: Backups stored with DB credentials or data accessible in object storage.
    • Reproduction: Locate backup files with credentials or sensitive dumps.
    • Mitigation: Encrypt backups, secure object storage buckets, avoid embedding secrets in scripts.
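The mitigations in the list above (FILE privilege and GRANT OPTION on application accounts, remote root login, local_infile, an empty secure_file_priv, an exposed bind-address, unexpected UDFs) can all be verified from one configuration snapshot. The audit below is an added example, not code from the original page or from HackTricks: it evaluates a constructed snapshot of SHOW VARIABLES, mysql.user and mysql.func rows, and the QUERIES strings are what a DBA would run to build a real one.

```python
# Added audit example (not from the original page): evaluate a snapshot of
# MySQL settings against the weaknesses listed above. SNAPSHOT is constructed.
QUERIES = {  # what a DBA would run to build a real snapshot
    "vars": "SHOW GLOBAL VARIABLES WHERE Variable_name IN ('secure_file_priv',"
            "'local_infile','general_log','plugin_dir','bind_address')",
    "users": "SELECT user, host, File_priv, Grant_priv, plugin, "
             "authentication_string FROM mysql.user",
    "funcs": "SELECT name, dl FROM mysql.func",  # every registered UDF
}
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def audit(snap):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    v = snap["vars"]
    if v.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv empty: INTO OUTFILE/LOAD_FILE unrestricted")
    if v.get("local_infile", "OFF").upper() == "ON":
        findings.append("local_infile=ON: LOAD DATA LOCAL reads client files")
    if v.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log=ON: log file is a server-side write primitive")
    if v.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append("bind_address listens on all interfaces (port 3306 exposed)")
    for u in snap["users"]:
        name = f"{u['user']}@{u['host']}"
        if u["authentication_string"] == "" and u["plugin"] != "auth_socket":
            findings.append(f"{name}: empty password")
        if u["user"] == "root" and u["host"] not in LOCAL_HOSTS:
            findings.append(f"{name}: remote root login allowed")
        if u["File_priv"] == "Y" and u["user"] != "root":
            findings.append(f"{name}: FILE privilege (file write/read via SQL)")
        if u["Grant_priv"] == "Y" and u["user"] != "root":
            findings.append(f"{name}: GRANT OPTION (can spread privileges)")
    for f in snap["funcs"]:  # any row is a loaded UDF; confirm each is expected
        findings.append(f"UDF {f['name']} from {f['dl']} in plugin_dir: verify")
    return findings

SNAPSHOT = {  # constructed sample values, not taken from a real server
    "vars": {"secure_file_priv": "", "local_infile": "ON", "general_log": "OFF",
             "plugin_dir": "/usr/lib/mysql/plugin/", "bind_address": "0.0.0.0"},
    "users": [
        {"user": "root", "host": "%", "File_priv": "Y", "Grant_priv": "Y",
         "plugin": "caching_sha2_password", "authentication_string": ""},
        {"user": "webapp", "host": "10.0.0.5", "File_priv": "Y", "Grant_priv": "N",
         "plugin": "caching_sha2_password", "authentication_string": "<hash>"},
    ],
    "funcs": [{"name": "sys_exec", "dl": "udf_lib.so"}],  # constructed dl name
}

if __name__ == "__main__":
    for line in audit(SNAPSHOT):
        print("[!]", line)
```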

MySQL HackTricks Verified: A Practical Analysis of Attack Vectors and Defensive Validation