MySQL HackTricks Verified May 2026
| Attack | Prevention |
|--------|-------------|
| File read/write | secure_file_priv = NULL, remove FILE privilege from non-root |
| UDF | Disable dynamic loading (plugin_dir read-only), audit mysql.func table |
| Credential theft | Encrypt connections (TLS), restrict .mysql_history, use auth plugins (PAM) |
| SUPER abuse | Never grant SUPER to apps, use granular privileges (e.g., SYSTEM_VARIABLES_ADMIN separately) |
| Weak password hashes | Use caching_sha2_password (MySQL 8.0+), enforce strong passwords |
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');
The most common "Verified" technique documented in HackTricks is writing a webshell to the server. This bridges the gap between the database layer and the web layer.
This is a classic but often overlooked technique. If you can trick an admin or app server into connecting to your malicious MySQL server, you can read arbitrary files from the client.
How it works (verified):
Your fake server sends a LOAD DATA LOCAL INFILE request during handshake. Vulnerable clients (e.g., old PHP mysqli with allow_local_infile=ON, MySQL Workbench, or outdated connectors) will send back any file the client user can read.
Automation: Use RogueMySQL or mysql-fake-server tools. The payload is:
-- Your malicious server sends:
execute_command_request("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n';")
This is a verified HackTricks classic for network pivoting.
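A defender-side check for the settings named above, as an added example that is not from HackTricks or the original page: it parses option-file text and flags a client-side `local_infile` that is on, an empty or unset `secure_file_priv`, and PHP's `mysqli.allow_local_infile`. The function names and the sample configuration are constructed for illustration.

```python
import re

TRUE = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Parse my.cnf / php.ini text into {section: {option: value}}."""
    cfg, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":   # blank, comment, !include directive
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        # MySQL treats '-' and '_' alike and accepts a "loose-" prefix;
        # a bare flag (no "=value") is stored as None.
        key = re.sub(r"^loose_", "", key.strip().lower().replace("-", "_"))
        cfg.setdefault(section, {})[key] = val.strip().strip("'\"") if sep else None
    return cfg

def enabled(value):
    # For a MySQL boolean option, the bare option name means ON.
    return value is None or value.lower() in TRUE

def audit_my_cnf(text):
    cfg, findings = parse_ini(text), []
    for sec in ("client", "mysql"):
        opts = cfg.get(sec, {})
        if "local_infile" in opts and enabled(opts["local_infile"]):
            findings.append(f"[{sec}] local_infile is ON: client answers LOAD DATA LOCAL requests")
    srv = cfg.get("mysqld", {})
    if "secure_file_priv" not in srv:
        findings.append("[mysqld] secure_file_priv not set: build default applies")
    elif not srv["secure_file_priv"]:
        findings.append("[mysqld] secure_file_priv is empty: no restriction on file import/export")
    return findings

def audit_php_ini(text):
    vals = [o.get("mysqli.allow_local_infile") for o in parse_ini(text).values()]
    return ["mysqli.allow_local_infile is On" for v in vals if v and v.lower() in TRUE]

# Constructed sample input, not taken from a real host.
SAMPLE_MY_CNF = '[client]\nloose-local-infile\n[mysql]\nlocal_infile = 0\n[mysqld]\nsecure-file-priv = ""\n'
SAMPLE_PHP_INI = "[MySQLi]\nmysqli.allow_local_infile = On\n"

if __name__ == "__main__":
    for finding in audit_my_cnf(SAMPLE_MY_CNF) + audit_php_ini(SAMPLE_PHP_INI):
        print(finding)
```

The parser skips `!include` directives and does not strip inline comments, so run it on each included file separately.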