This is often blocked in modern configurations, but it is a "first-check" priority for sensitive data like .env files or SSH keys.

Writing Files (INTO OUTFILE)
CREATE TRIGGER hide_user BEFORE INSERT ON mysql.user FOR EACH ROW BEGIN IF NEW.User = 'hidden' THEN SET NEW.password = PASSWORD('dontlog'); END IF; END;
This is a classic privilege escalation path, verified to work on older MySQL versions (5.x, early 8.x) and misconfigured production servers.
: Variables like secure_file_priv determine if you can read or write files to the host system.

3. SQL Injection (SQLi) Techniques
What is the database running on (Linux or Windows)?
Common locations: /etc/my.cnf, /etc/mysql/my.cnf, ~/.my.cnf
In the landscape of penetration testing and red team operations, MySQL remains one of the most ubiquitous relational database management systems. The HackTricks platform, maintained by Carlos Polop, has become a de facto reference for security professionals seeking verified, reproducible attack techniques. When a technique is labeled “HackTricks verified” for MySQL, it implies that the method has been tested, validated, and documented with practical command examples, bypassing theoretical speculation. This essay examines the core verified attack vectors against MySQL, their underlying vulnerabilities, and the essential defensive countermeasures.

| Goal | Best Method | Preconditions |
|------|-------------|----------------|
| Execute OS command | UDF sys_eval | FILE, write to plugin_dir, MySQL < 8.0 or custom compile |
| Write shell | general_log file write | SUPER or file write perms |
| Read files | LOAD_FILE() | FILE, file path within secure_file_priv or set to empty |
| Dump hashes | SELECT authentication_string FROM mysql.user | SELECT on mysql.user |
| Steal client files | Rogue MySQL server | Network access to victim's MySQL client |
| Persistence | Hidden user + trigger | CREATE USER + TRIGGER |