Verified technique: If the secure_file_priv variable is empty (or points to a writable directory) and the MySQL service runs as root or a high‑privileged user, an attacker can:
Before any exploitation, understanding the MySQL footprint is essential.
The phrase “MySQL HackTricks verified” is not a marketing slogan; it represents a community‑vetted collection of practical attack paths that have been executed and proven effective against real MySQL configurations. From credential theft to OS command execution via UDFs, these techniques highlight the importance of least privilege, proper configuration of secure_file_priv , and regular auditing of MySQL user grants. For penetration testers, the verified methods offer a reliable toolkit. For defenders, they provide a concrete baseline for security validation. Ultimately, the value of HackTricks lies in its verification – bridging the gap between theoretical vulnerability and demonstrable compromise. mysql hacktricks verified
MySQL servers commonly listen on . A simple Nmap scan with default scripts can reveal version details:
Administrative oversights often leave default accounts active. Common combinations include: root : [blank] root : root root : password anonymous : [blank] Automated Brute Forcing For penetration testers, the verified methods offer a
Expose the OS command execution function inside MySQL:
nmap -sV -sC -p3306 <target>
| Technique | MySQL 5.7 | MySQL 8.0 | MySQL 8.4 | MySQL 9.x | Requires File / SUPER | Bypasses secure_file_priv | |----------------------------------------------|-----------|-----------|-----------|-----------|------------------------|----------------------------| | UDF sys_eval / sys_exec | ✅ | ✅ | ✅ | ✅ | FILE + write to plugin_dir | No (needs dir write) | | INTO OUTFILE WebShell | ✅ | ✅ | ✅ | ✅ | FILE + empty secure_file_priv | No | | General Log WebShell | ✅ | ✅ | ✅ | ✅ | SUPER / SYSTEM_VARIABLES_ADMIN | ✅ Yes | | LOAD_FILE() | ✅ | ✅ | ✅ | ✅ | FILE | No | | SSRF + Gopher to MySQL | ✅ | ✅ | ✅ | ✅ | none (depends on network) | No | | Malicious MySQL server (client file read) | ✅ | ✅ | ✅ | ✅ | none | ✅ Yes (client‑side) | | Auth bypass (CVE‑2012‑2122) | ✅ (≤5.5.23) | ❌ | ❌ | ❌ | none | N/A | | Info schema privilege bypass | ✅ (partial) | ❌ (most) | ❌ | ❌ | none | N/A |
Application database users should never run as root . Create specific users with restricted scopes: MySQL servers commonly listen on
