MySQL Hacktricks Verified

Older or misconfigured MySQL deployments suffer from known logical flaws that grant unauthorized access.

The MySQL Authentication Bypass (CVE-2012-2122)

If the database user has high privileges, they can read files on the database host. The LOAD_FILE() function can return the contents of sensitive system files.

Staying Safe and Securing MySQL

With GRANT FILE ON *.*, an attacker can perform:

MySQL allows developers to extend its capabilities by compiling custom C/C++ code into a dynamic library (.so on Linux, .dll on Windows) and loading it into the database. Attackers abuse this feature by compiling a library that includes a system command execution function (typically called sys_eval or sys_exec).

Execution Steps on Linux

' AND SLEEP(5) --

Use prepared statements in your application layer to completely eliminate SQL injection vectors.

UNION SELECT 1, '', 3 INTO OUTFILE '/var/www/html/shell.php'; --

4. Database Privilege Escalation and RCE via UDF

Before we dive into the hacktricks, it's essential to understand the basics of MySQL security. MySQL, like any other database management system, has its own set of security features and vulnerabilities. Here are some key concepts to keep in mind:

Set secure_file_priv to a dedicated, restricted directory to completely block arbitrary file reads and UDF injections across the filesystem.

| Cloud Platform | Required IAM Permission | Post-Exploitation Action | Why It's Dangerous |
| :--- | :--- | :--- | :--- |
| GCP | cloudsql.instances.update | Whitelist a personal IP for direct database access | Grants an attacker direct, unfiltered access to steal data |
| GCP | cloudsql.instances.export | Export the entire database to a cloud storage bucket | Allows the attacker to download a complete copy of the data |
| GCP | cloudsql.databases.delete | Permanently delete a database | A destructive action that disrupts business operations |
| Azure | Microsoft.DBforMySQL/flexibleServers/write | Provision a new, attacker-controlled MySQL server | Gives the attacker a clean environment to operate from within the cloud tenant |
| Azure | Microsoft.DBforMySQL/flexibleServers/read | Retrieve server configurations and connection strings | Exposes credentials and internal networking details |

One of the most powerful privileges in MySQL is the FILE privilege. It allows an authenticated user to read and write arbitrary files on the server's file system, provided the secure_file_priv variable is not set to a restricted directory.
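An added example (not code from the original page): a Python audit of the settings described above. It flags an empty secure_file_priv, a plugin_dir reachable through it, and accounts holding FILE. The function names, the allow-list parameter and the sample rows are assumptions constructed for illustration.

```python
# Added example: offline audit of MySQL file-access exposure.
# Inputs are values an administrator would collect with:
#   SELECT @@secure_file_priv;
#   SELECT @@plugin_dir;
#   SELECT user, host, File_priv FROM mysql.user;
from pathlib import PurePosixPath

# Constructed sample rows (not from a real server).
SAMPLE_USERS = [
    ("root", "localhost", "Y"),
    ("app", "%", "Y"),
    ("report", "10.0.0.%", "N"),
]


def classify_secure_file_priv(value):
    """Map the three states of secure_file_priv to a label."""
    if value is None:
        return "disabled"      # NULL: import/export operations are disabled
    if value == "":
        return "unrestricted"  # empty: FILE users can target any path
    return "restricted"        # directory: operations confined to it


def is_within(path, base):
    """True if path equals base or lies beneath it."""
    p, b = PurePosixPath(path), PurePosixPath(base)
    return p == b or b in p.parents


def audit(secure_file_priv, plugin_dir, user_rows, allowed_file_users=()):
    """Return a list of findings for the collected settings."""
    findings = []
    state = classify_secure_file_priv(secure_file_priv)
    if state == "unrestricted":
        findings.append("secure_file_priv is empty: no path restriction")
    elif state == "restricted" and is_within(plugin_dir, secure_file_priv):
        findings.append("plugin_dir is inside secure_file_priv: "
                        "UDF libraries could be written there")
    for user, host, file_priv in user_rows:
        if file_priv == "Y" and (user, host) not in allowed_file_users:
            findings.append(f"{user}@{host} holds FILE: consider "
                            f"REVOKE FILE ON *.* FROM '{user}'@'{host}'")
    return findings
```

Pass the accounts that legitimately need FILE in allowed_file_users so that only unexpected grants are reported.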

Securing a MySQL deployment requires addressing authentication strength, network exposure, and internal engine configurations.

: Locate credentials in configuration files like my.cnf or .bash_history.

When an application fails to sanitize user input before passing it to a MySQL query, attackers can manipulate the query structure.

Error-Based Injection

SELECT @@plugin_dir;