MySQL Security

Introduction to MySQL Security

Youssef
17 May 2026


What is MySQL?

MySQL is the world's most popular open-source relational database management system (RDBMS). It powers WordPress, Drupal, Joomla, and countless web applications. Acquired by Oracle in 2010, it remains the default database for LAMP/LEMP stacks and is deployed on millions of servers worldwide — making it the single most targeted database engine by attackers.

MySQL stores data in tables, uses SQL for queries, and communicates over TCP port 3306 by default. Understanding its architecture, privilege model, and dangerous features is fundamental for any web application penetration tester.

MySQL Architecture

  • Server — mysqld daemon listening on port 3306 (or via Unix socket)
  • Databases — collections of tables, including the built-in information_schema, mysql, performance_schema
  • Users — identified by username AND host ('root'@'localhost' vs 'root'@'%')
  • Privileges — granted per database, table, or column; stored in the mysql.user table
  • Plugins — authentication plugins, UDF (User Defined Functions) for extending functionality

Critical System Databases

-- information_schema: metadata about all databases, tables, columns
SELECT * FROM information_schema.tables;
SELECT * FROM information_schema.columns WHERE table_name='users';

-- mysql: stores user credentials, privileges, plugin settings
SELECT user, host, authentication_string FROM mysql.user;

-- performance_schema: runtime metrics (less useful for attackers)

-- sys: human-readable performance views (MySQL 5.7+)

The MySQL Privilege Model

MySQL privileges are the core of its security model. Misconfigurations here are the primary source of privilege escalation and unauthorized access.

-- Check current user and privileges
SELECT user(), current_user();
SELECT * FROM information_schema.user_privileges;

-- Check if FILE privilege is granted (critical for read/write attacks)
SELECT file_priv FROM mysql.user WHERE user = 'webapp';

-- Check if current user has SUPER privilege
SHOW GRANTS FOR CURRENT_USER();

-- Dangerous privilege combinations:
-- FILE    → read/write OS files
-- SUPER   → set global variables, kill connections, bypass binlog
-- CREATE  → create tables (needed for UDF attack)
-- INSERT  → write to mysql.user (privilege escalation)
-- PROCESS → see all running queries (credential leaks)
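The queries above tell you what to look at; the logic below turns a dump of mysql.user into findings. This is an added example, not code from the original article: the rows are constructed sample data shaped like the result of `SELECT user, host, plugin, authentication_string, File_priv, Super_priv, Process_priv, Insert_priv FROM mysql.user`, and the `DEFAULT_ADMIN_ACCOUNTS` allow-list is an assumption so that the DBA account's expected privileges do not drown out the real problems.

```python
"""Offline audit of mysql.user rows for the account states and dangerous
privileges described above. Added example, not code from the original
article; the rows are constructed sample data, not output from a real server.

They are shaped like the result of this query against the real table:
    SELECT user, host, plugin, authentication_string,
           File_priv, Super_priv, Process_priv, Insert_priv
    FROM mysql.user;
"""

# Constructed sample rows (user, host, plugin, authentication_string,
# File_priv, Super_priv, Process_priv, Insert_priv); hashes are placeholders.
SAMPLE_USER_ROWS = [
    ("root", "localhost", "caching_sha2_password", "$A$005$placeholder", "Y", "Y", "Y", "Y"),
    ("root", "%", "mysql_native_password", "", "Y", "Y", "Y", "Y"),
    ("webapp", "10.0.0.%", "mysql_native_password", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19", "Y", "N", "N", "Y"),
    ("", "localhost", "mysql_native_password", "", "N", "N", "N", "N"),
    ("reporting", "localhost", "caching_sha2_password", "$A$005$placeholder", "N", "N", "Y", "N"),
]

# Assumed allow-list: accounts expected to hold administrative privileges.
# The audit still reports empty passwords and wildcard hosts for them.
DEFAULT_ADMIN_ACCOUNTS = frozenset({"'root'@'localhost'"})


def audit_user_rows(rows, admin_accounts=DEFAULT_ADMIN_ACCOUNTS):
    """Return a list of (account, finding) tuples for the given mysql.user rows."""
    findings = []
    for user, host, plugin, auth, file_p, super_p, process_p, insert_p in rows:
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append((account, "anonymous account"))
        if auth == "":
            findings.append((account, "empty authentication_string (no password)"))
        if host == "%":
            findings.append((account, "host '%': reachable from any address"))
        if account in admin_accounts:
            continue  # the privileges below are expected on the DBA account
        if file_p == "Y":
            findings.append((account, "FILE: can read and write OS files"))
        if super_p == "Y":
            findings.append((account, "SUPER: global variables, kill connections, bypass binlog"))
        if process_p == "Y":
            findings.append((account, "PROCESS: sees every running query"))
        if insert_p == "Y":
            findings.append((account, "global INSERT: can write to mysql.user"))
    return findings


def accounts_with(findings, keyword):
    """Accounts whose finding text starts with `keyword` (e.g. 'FILE')."""
    return sorted({acct for acct, text in findings if text.startswith(keyword)})


if __name__ == "__main__":
    for account, finding in audit_user_rows(SAMPLE_USER_ROWS):
        print(f"{account:<28} {finding}")
```

Feed it real rows from the query in the docstring and every account that is not on the allow-list but holds FILE, SUPER, PROCESS or global INSERT shows up, as do anonymous users, empty passwords and `'%'` hosts regardless of the allow-list.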

Default Dangerous Configuration

-- Check if root has no password (old installations)
SELECT user, host, authentication_string FROM mysql.user WHERE user='root';

-- Check if anonymous users exist
SELECT user, host FROM mysql.user WHERE user='';

-- Check if test database exists (world-readable by default)
SHOW DATABASES LIKE 'test';

-- Check bind-address (0.0.0.0 = exposed to network)
SHOW VARIABLES LIKE 'bind_address';

-- Check secure_file_priv (empty = no restriction on file operations)
SHOW VARIABLES LIKE 'secure_file_priv';

-- Check if local_infile is enabled (LOAD DATA LOCAL INFILE attacks)
SHOW VARIABLES LIKE 'local_infile';

Critical: secure_file_priv = "" (empty) means MySQL places no restriction on where LOAD_FILE() and SELECT ... INTO OUTFILE can read and write; the only limit is the filesystem permissions of the OS user that runs mysqld. Combined with the FILE privilege, this leads to RCE via webshell creation or sensitive file disclosure.
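The three SHOW VARIABLES checks above have non-obvious values (secure_file_priv in particular has three states), so here they are evaluated side by side for a weak and a hardened server. This is an added example, not code from the original article; both dictionaries are constructed sample values, and the hardened set corresponds to the my.cnf options bind-address=127.0.0.1, secure-file-priv=/var/lib/mysql-files and local-infile=0.

```python
"""Evaluate the server variables the article checks (bind_address,
secure_file_priv, local_infile) from SHOW VARIABLES output.
Added example, not code from the original article; the dictionaries are
constructed sample values, not output from a real server."""

# Constructed sample: what an exposed, unrestricted server might report.
SAMPLE_WEAK = {
    "bind_address": "0.0.0.0",
    "secure_file_priv": "",
    "local_infile": "ON",
}

# Constructed sample: the same variables after hardening my.cnf with
# bind-address=127.0.0.1, secure-file-priv=/var/lib/mysql-files, local-infile=0.
SAMPLE_HARDENED = {
    "bind_address": "127.0.0.1",
    "secure_file_priv": "/var/lib/mysql-files/",
    "local_infile": "OFF",
}


def classify_secure_file_priv(value):
    """Three states: NULL (the mysql client prints the string 'NULL', drivers
    return None) disables LOAD_FILE/INTO OUTFILE entirely; '' allows any path;
    anything else is the single permitted directory."""
    if value is None or str(value).upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"


def evaluate_variables(variables):
    """Return (variable, finding) tuples for settings that widen the attack surface."""
    findings = []
    bind = variables.get("bind_address", "*")  # MySQL's own default is '*'
    if bind in ("*", "0.0.0.0", "::"):
        findings.append(("bind_address", f"{bind}: listening on all interfaces"))
    if classify_secure_file_priv(variables.get("secure_file_priv")) == "unrestricted":
        findings.append(("secure_file_priv",
                         "empty: file read/write limited only by the mysqld OS user's permissions"))
    if str(variables.get("local_infile", "OFF")).upper() == "ON":
        findings.append(("local_infile", "ON: server accepts LOAD DATA LOCAL INFILE"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, evaluate_variables(sample) or "no findings")
```

Note the asymmetry in secure_file_priv: a missing or NULL value is the safe state, an empty string is the dangerous one, so a naive "is it set?" check gets it backwards.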

MySQL Authentication Mechanisms

-- MySQL 5.7 and below: mysql_native_password (SHA1-based)
-- MySQL 8.0+: caching_sha2_password (default, SHA256)

-- Check authentication plugin per user
SELECT user, host, plugin FROM mysql.user;

-- Old password hash format (MySQL < 4.1) — extremely weak
-- New format: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19

-- Crack with hashcat
-- hashcat -m 300 hash.txt wordlist.txt  (MySQL4.1/MySQL5+)
-- hashcat -m 3200 hash.txt wordlist.txt (bcrypt — rare in MySQL)
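To recognise which of the formats above you are looking at, and to see why mysql_native_password hashes fall so quickly to a wordlist, here is a classifier plus the native hash construction. This is an added example, not code from the original article; the article's own *2470... value is used only as a format sample, the other strings are constructed placeholders, and `dictionary_check` is a weak-password policy audit you would run against your own user table.

```python
"""Classify mysql.user authentication_string formats and show why
mysql_native_password hashes crack fast. Added example, not code from the
original article; sample strings other than the article's *2470... value
are constructed placeholders."""
import hashlib
import re


def native_password_hash(password):
    """mysql_native_password storage format: '*' + SHA1(SHA1(password)) as
    upper-case hex. There is no salt, so each wordlist candidate costs two
    SHA1 calls and one computed hash covers every user with that password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_mysql_hash(auth_string):
    """Map an authentication_string to the format names used in the article."""
    if auth_string == "":
        return "empty"
    if re.fullmatch(r"[0-9a-fA-F]{16}", auth_string):
        return "old_pre_4_1"            # OLD_PASSWORD(): 16 hex chars, extremely weak
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", auth_string):
        return "mysql_native_password"  # the hashcat -m 300 format from the article
    if auth_string.startswith("$A$005$"):
        return "caching_sha2_password"  # salted SHA-256, MySQL 8.0 default
    return "unknown"


def dictionary_check(auth_string, candidates):
    """Policy audit: return the candidate from a known-weak list that matches
    this mysql_native_password hash, or None. Non-native formats are skipped."""
    if classify_mysql_hash(auth_string) != "mysql_native_password":
        return None
    target = auth_string.upper()
    for cand in candidates:
        if native_password_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    for sample in ("", "5d2e19393cc5ef67",
                   "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19", "$A$005$placeholder"):
        print(f"{sample!r:<48} {classify_mysql_hash(sample)}")
```

The practical takeaway for hardening: accounts still on mysql_native_password (or worse, the 16-character pre-4.1 format) should be migrated to caching_sha2_password, since the plugin column from `SELECT user, host, plugin FROM mysql.user` and the hash prefix tell you the same story.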

MySQL Attack Surface Overview

  • SQL Injection — most common; union-based, blind, time-based, error-based
  • FILE privilege abuse — read sensitive files, write webshells
  • UDF injection — load malicious shared library → OS command execution
  • Authentication bypass — CVEs, logic flaws, empty passwords
  • Privilege escalation — via misconfigurations, stored procedures, triggers
  • Out-of-band exfiltration — DNS via LOAD_FILE + UNC paths (Windows)
  • CVE exploitation — buffer overflows, authentication bypass bugs

Connecting to MySQL During a Pentest

-- Direct connection
mysql -u root -p -h 127.0.0.1 -P 3306

-- Via SQLmap (automated exploitation)
sqlmap -u "http://target.com/page?id=1" --dbms=mysql --dbs

-- Via Metasploit
use auxiliary/scanner/mysql/mysql_login
use auxiliary/admin/mysql/mysql_sql
use exploit/multi/mysql/mysql_udf_payload

-- Check if port 3306 is exposed
nmap -sV -p 3306 target.com
nmap -p 3306 --script mysql-info,mysql-empty-password,mysql-databases target.com

Pentest Checklist Start: Always begin by checking: (1) Is port 3306 exposed externally? (2) Are there empty/default passwords? (3) What privileges does the web app DB user have? (4) Is secure_file_priv empty? (5) Are UDFs loaded? Each answer opens a different attack path covered in the following articles.