Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MySQL

Cleanup, Detection & Remediation

Cleanup, detection, and remediation matter because MySQL exploitation often leaves obvious artifacts: written webshells, UDF libraries, created SQL functions, unusual file imports, and suspicious client-side file reads.


Cleanup

Drop UDF functions created during the lab:

DROP FUNCTION IF EXISTS sys_eval;
DROP FUNCTION IF EXISTS sys_bineval;
DROP FUNCTION IF EXISTS sys_exec;

Remove written files:

/var/www/html/shell.php
/usr/lib/mysql/plugin/udf.so
C:\xampp\mysql\lib\plugin\udf.dll
/var/lib/mysql-files/*.csv
temporary payload files

If SQL cannot remove the files, cleanup requires shell access, administrator action, or lab reset.


Detection

Watch for:

  • SELECT ... INTO OUTFILE
  • SELECT ... INTO DUMPFILE
  • LOAD_FILE()
  • LOAD DATA LOCAL INFILE
  • CREATE FUNCTION ... SONAME
  • new files under plugin_dir
  • PHP files written by the MySQL service account
  • MySQL process making outbound network connections
  • unexpected use of MySQLX / port 33060
  • large exports to secure_file_priv directories

Useful queries:

SHOW VARIABLES LIKE 'general_log';
SHOW VARIABLES LIKE 'log_output';
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'plugin_dir';

Check registered functions:

SELECT * FROM mysql.func;

Check dangerous users:

SELECT User, Host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv='Y' OR Super_priv='Y';

Remediation

  • Remove FILE privilege from application users.
  • Disable local_infile unless explicitly required.
  • Set secure_file_priv to a narrow controlled directory.
  • Keep the plugin directory writable only by administrators.
  • Do not run MySQL as root.
  • Keep database and webroot on separated permission boundaries.
  • Prevent MySQL service account writes to web directories.
  • Avoid storing reusable OS, SSH, cloud, or admin credentials in application databases.
  • Monitor creation of UDF functions and plugin files.
  • Restrict MySQL network exposure to trusted hosts.
  • Require TLS where credentials cross the network.
  • Rotate credentials after file-read or dump exposure.