In some older MySQL/MariaDB versions, a race condition exists between checking secure_file_priv and opening the file. Not reliable on patched systems, but for CTFs, try:
: Testing true/false conditions like substr(database(),1,1)='r' to infer data one character at a time. mysql hacktricks verified
Before exploiting, you must enumerate. Nmap is the standard bearer. In some older MySQL/MariaDB versions, a race condition
HackTricks provides a checklist of verified commands and tools for MySQL (Port 3306): External Enumeration : Verified scripts like mysql-audit mysql-databases mysql-dump-hashes are used to extract information without full system access. Local/Remote Connection : Direct connection methods using mysql -u root (with or without passwords) to verify credential security. Privilege Escalation In some older MySQL/MariaDB versions
Example: