Cleanup, detection, and remediation matter because MySQL exploitation often leaves obvious artifacts: written webshells, UDF libraries, created SQL functions, unusual file imports, and suspicious client-side file reads.
Cleanup
Drop UDF functions created during the lab:
DROP FUNCTION IF EXISTS sys_eval;
DROP FUNCTION IF EXISTS sys_bineval;
DROP FUNCTION IF EXISTS sys_exec;
Remove written files:
/var/www/html/shell.php
/usr/lib/mysql/plugin/udf.so
C:\xampp\mysql\lib\plugin\udf.dll
/var/lib/mysql-files/*.csv
temporary payload files
If SQL cannot remove the files, cleanup requires shell access, administrator action, or lab reset.
Detection
Watch for:
SELECT ... INTO OUTFILESELECT ... INTO DUMPFILELOAD_FILE()LOAD DATA LOCAL INFILECREATE FUNCTION ... SONAME- new files under
plugin_dir - PHP files written by the MySQL service account
- MySQL process making outbound network connections
- unexpected use of MySQLX / port
33060 - large exports to
secure_file_privdirectories
Useful queries:
SHOW VARIABLES LIKE 'general_log';
SHOW VARIABLES LIKE 'log_output';
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'plugin_dir';
Check registered functions:
SELECT * FROM mysql.func;
Check dangerous users:
SELECT User, Host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv='Y' OR Super_priv='Y';
Remediation
- Remove
FILEprivilege from application users. - Disable
local_infileunless explicitly required. - Set
secure_file_privto a narrow controlled directory. - Keep the plugin directory writable only by administrators.
- Do not run MySQL as root.
- Keep database and webroot on separated permission boundaries.
- Prevent MySQL service account writes to web directories.
- Avoid storing reusable OS, SSH, cloud, or admin credentials in application databases.
- Monitor creation of UDF functions and plugin files.
- Restrict MySQL network exposure to trusted hosts.
- Require TLS where credentials cross the network.
- Rotate credentials after file-read or dump exposure.