I have access to a site via SQL injection. Through that I have root MySQL access with full permissions.
MySQL is NOT running as root.
The web directories (that I have found/are public) are NOT writable by MySQL/outfile.
The MySQL plugin directory is not writable (no UDF)
I cannot find any files that reveal other (SSH?) credentials.
Only SSH, MySQL, and Nginx 1.4.6 are running/open to the outside.
Via load_file I have total world-readable access to the filesystem.
Via outfile I have write access to public spaces like /tmp.
I'm out of ideas. Are there other options/routes I can use to get a backdoor/shell onto this machine? Thought I'd ask around some forums and see if anyone knew something I didn't.
