MySQL stores credentials in mysql.user . Hash types: mysql_native_password (SHA1-based) or caching_sha2_password (MySQL 8+).
If you have the FILE privilege, you can drop a web shell into the server's web directory. mysql hacktricks verified