Mysql Hacktricks Verified [upd]

Abusing the server's log files can bypass secure_file_priv restrictions entirely, because the logs are written by the MySQL server process itself, not through the SQL file operations that secure_file_priv governs.

Begin with an aggressive Nmap scan to identify the exact service version, running scripts, and underlying operating system details (the target host is a placeholder): nmap -sV -sC -p 3306 <target>

Once you find an open MySQL port, test how well it is protected, starting with accounts that have empty passwords.

Prevent clients from loading local files by setting local_infile = 0 in the server configuration, and apply the principle of least privilege to every database account.

This is the pivot point for most MySQL attacks. If secure_file_priv does not restrict you to a specific directory, you can write files to disk.

When data reflection is disabled but database errors are printed to the screen, functions like EXTRACTVALUE or UPDATEXML can be leveraged to force an error containing data: ' AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT version())))-- -

Check whether the MySQL service is running as a high-privileged user (such as root or SYSTEM); if it is, a shell obtained through the server inherits those privileges directly.

Ensure application users do not have SUPER or FILE privileges unless strictly necessary.

Many WAFs block information_schema but forget to block mysql.innodb_table_stats, which can be used to extract table names and schema information in modern MySQL versions.

If secure_file_priv is empty or permits access, the LOAD_FILE() function can read system configuration files, source code, or SSH keys: SELECT LOAD_FILE('/etc/passwd');

| Attack Vector | Verified HackTricks Technique | Defensive Mitigation |
|---------------|-------------------------------|----------------------|
| Credential brute-force | hydra -l root -P wordlist.txt mysql://target | Enforce account lockout, use strong passwords, restrict network access to 3306 |
| UDF privilege escalation | Uploading udf.so to plugin directory | Set secure_file_priv = "" or a specific safe directory; run MySQL as non-root user |
| File read via LOAD_FILE | SELECT LOAD_FILE('/etc/shadow') | Disable FILE privilege unless absolutely necessary; use SELinux/apparmor |
| Writing web shell | INTO OUTFILE to webroot | Set secure_file_priv to a directory not accessible by the web server; use prepared statements against SQLi |
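As an added defensive example that is not part of the original page, the following SQL audits the settings and privileges the mitigations above refer to (secure_file_priv, local_infile, FILE/SUPER, empty passwords). It assumes an administrative session on MySQL 5.7 or 8.0; 'app'@'%' is a hypothetical application account.

```sql
-- Added audit example (not from the original page). Assumes MySQL 5.7/8.0
-- and an administrative session; 'app'@'%' is a hypothetical account name.

-- 1. File-system exposure. secure_file_priv = '' means LOAD_FILE() and
--    INTO OUTFILE can reach any path the mysqld process can; NULL disables
--    both; a directory path confines them to it. local_infile should be OFF.
SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv', 'local_infile', 'plugin_dir');

-- 2. Accounts holding the global FILE or SUPER privilege: these are the
--    accounts that turn an injection into file read/write or plugin loading.
SELECT user, host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- 3. Accounts with an empty authentication string (no password set).
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = '';

-- 4. Remediation for an over-privileged application account.
REVOKE FILE, SUPER ON *.* FROM 'app'@'%';

-- 5. secure_file_priv is read-only at runtime; set it under [mysqld] in
--    my.cnf and restart the server, e.g.:
--      secure_file_priv = /var/lib/mysql-files
--      local_infile = 0
```

Review the output of step 2 against the application's actual needs before revoking, since some service accounts (backups, replication) legitimately hold FILE.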

Connecting directly to the port can reveal the exact patch version, which is critical for identifying known CVEs (the target host is a placeholder): nc -nv <target> 3306 or telnet <target> 3306
