Verified Updated - Mysql Hacktricks
If the MySQL user has the FILE privilege and the secure_file_priv configuration allows it (or is empty), you can read arbitrary files from the server's disk using a standard SELECT statement.
If secure_file_priv is disabled (empty), an attacker can use the SELECT ... INTO OUTFILE statement.
Drop all inbound traffic to port 3306 except from explicitly whitelisted application server IPs.
Strict Configuration Adjustments
For SQL injection into MySQL, use these to bypass WAFs:
If the user has FILE privileges, LOAD_FILE() can read sensitive files, and INTO OUTFILE can be used to write shells.
Explicitly set secure_file_priv to NULL in your configuration file to prevent unauthorized file reads/writes:
    secure_file_priv = NULL
If the database server shares a host with a web server and you know the absolute path of the web root, you can drop a web shell:
✅ : This technique still works across MySQL 5.7, 8.0, 8.4, and 9.x when the secure_file_priv variable is empty and the MySQL user has FILE privilege. Newer UDF exploit repositories (2025‑2026) provide pre‑compiled libraries for both x86 and x86_64 architectures, as well as automatic payload generation.
The compiled shared object file must be placed inside the official MySQL plugin directory. Find this path using:
    SHOW VARIABLES LIKE 'plugin_dir';
In MySQL 5.5 and earlier, the default for secure_file_priv was "" (unrestricted). After 5.6.34+, the default became NULL, which forces attackers to rely on alternative techniques such as log writing.
Prevent clients from loading local files using:
    local_infile = 0
Principle of Least Privilege (PoLP)
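A defensive check for the settings discussed above (secure_file_priv, local_infile, and accounts holding the FILE privilege), added here as an example and not taken from the original page. The sample my.cnf, the SHOW GRANTS lines and the function names audit_cnf and file_grantees are constructed for illustration.

```python
import configparser
import re

# Constructed sample my.cnf (not from the page), written to trip both checks.
SAMPLE_CNF = """\
[mysqld]
port = 3306
secure_file_priv =
local-infile = 1
"""

# Constructed SHOW GRANTS output for two hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT ON `shop`.* TO `app`@`10.0.0.5`",
    "GRANT SELECT, FILE ON *.* TO `report`@`%`",
]

def audit_cnf(text):
    """Check the [mysqld] file-access settings the page says to lock down."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    # MySQL treats '-' and '_' in option names as the same character.
    cp.optionxform = lambda k: k.strip().lower().replace("-", "_")
    # Drop !include / !includedir directives, which configparser cannot parse.
    cp.read_string("\n".join(l for l in text.splitlines()
                             if not l.lstrip().startswith("!")))
    opts = dict(cp["mysqld"]) if cp.has_section("mysqld") else {}
    findings = []
    if "secure_file_priv" not in opts:
        findings.append("secure_file_priv: not set, server default applies")
    else:
        value = (opts["secure_file_priv"] or "").strip("'\" ")
        if value == "":
            findings.append("secure_file_priv: empty, file I/O unrestricted")
        elif value.upper() != "NULL":
            findings.append(f"secure_file_priv: file I/O allowed in {value}")
    infile = (opts.get("local_infile") or "unset").strip().upper()
    if infile not in ("0", "OFF", "FALSE"):
        findings.append(f"local_infile: {infile.lower()}, expected 0")
    return findings

def file_grantees(grant_lines):
    """Return accounts whose global grant includes FILE or ALL PRIVILEGES."""
    risky = []
    for line in grant_lines:
        m = re.match(r"GRANT (.+?) ON \*\.\* TO (\S+)", line.strip())
        privs = {p.strip().upper() for p in m.group(1).split(",")} if m else set()
        if privs & {"FILE", "ALL PRIVILEGES"}:
            risky.append(m.group(2))
    return risky
```

An empty findings list from audit_cnf means both settings match the values recommended above; any account returned by file_grantees is a candidate for having FILE revoked.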
