If you can execute LOAD_FILE or SELECT but the host has no outbound internet except DNS, use DNS leaks.
Example:
-- Read SSH keys (if MySQL running as root — rare but possible) SELECT LOAD_FILE('/root/.ssh/id_rsa'); mysql hacktricks verified
FILE privilege + ability to write to MySQL plugin directory ( @@plugin_dir ). Check plugin dir: If you can execute LOAD_FILE or SELECT but
: Use LOAD_FILE() to read sensitive local files or INTO OUTFILE to write webshells if permissions allow. mysql hacktricks verified
: Transfer a compiled shared library (e.g., lib_mysqludf_sys.so for Linux or .dll for Windows) into that directory. Create Function : Map the library to a new MySQL function: