MySQL: MySQL is an open-source relational database management system (RDBMS) based on Structured Query Language (SQL). It is developed and managed by Oracle Corporation and was initially released on 23 May 1995. It is widely used in small and large scale industrial applications and is capable of handling large volumes of data. After the acquisition of MySQL by Oracle, concerns arose about the future use of the database, and hence MariaDB was developed as a fork.
```bash
mysql -u username -pPassword123 -h $ip   # -h host/ip, -u user (no space between -p and the password)
# By default MySQL has a root user with no authentication
mysql --host=INSTANCE_IP --user=root --password=thepassword
mysql -h <host/IP> -u root -p<password>
mysql -u root -h <host/IP>
mysql -u root -h example.com -P 3306 -pPassword123
# -P: port
```
If we can guess or gain access to credentials, we can remotely connect to the MSSQL server and start interacting with databases using T-SQL (Transact-SQL). Authenticating with MSSQL lets us interact directly with databases through the SQL Database Engine. From Pwnbox or a personal attack host, we can use Impacket's mssqlclient.py to connect. Once connected to the server, it is useful to get a lay of the land and list the databases present on the system.
```bash
sqlcmd -S <server> -U <username> -P 'MyPassword!' -y 30 -Y 30
# When we authenticate to MSSQL using `sqlcmd` we can use the parameters `-y` (SQLCMDMAXVARTYPEWIDTH)
# and `-Y` (SQLCMDMAXFIXEDTYPEWIDTH) for better-looking output. Keep in mind they may affect performance.
```
DBeaver is a multi-platform database tool for Linux, macOS, and Windows that supports connecting to multiple database engines such as MSSQL, MySQL and PostgreSQL, among others, making it easy for us, as an attacker, to interact with common database servers.
```sql
# Show databases
SHOW databases;
# Show tables
SHOW tables;
# Create new database
CREATE DATABASE nameofdatabase;
# Delete database
DROP DATABASE nameofdatabase;
# Select a database
USE nameofdatabase;
# Show tables
SHOW tables;
# DESCRIBE keyword is used to list the table structure with its fields and data types:
DESCRIBE nameoftable;
# Dump all rows and columns from a table
SELECT * FROM NameOfTable;
# Select specific columns from a filtered row
SELECT name, description FROM products WHERE id=9;
# Another useful SQL clause is LIKE, enabling selecting records by matching a certain pattern.
# The query below retrieves all records with usernames starting with admin. The % symbol acts as a
# wildcard and matches zero or more characters after admin.
SELECT * FROM logins WHERE username LIKE 'admin%';
SELECT * FROM logins WHERE username NOT LIKE 'Bear';
# Create a table with some columns in the previously selected database
CREATE TABLE persona (nombre VARCHAR(255), edad INT, id INT);
# Modify, add, or remove a column of a table
ALTER TABLE persona DROP COLUMN edad;
ALTER TABLE persona ADD edad VARCHAR(200);
# `NOT NULL` constraint ensures that a particular column is never left empty
# (an AUTO_INCREMENT column must also be a key in MySQL)
ALTER TABLE persona MODIFY id INT NOT NULL AUTO_INCREMENT, ADD PRIMARY KEY (id);
# `UNIQUE` constraint ensures that the inserted items are always unique
ALTER TABLE persona MODIFY nombre VARCHAR(100) UNIQUE NOT NULL;
# Another important keyword is `DEFAULT`, which is used to specify the default value.
# `NOW()` in MySQL returns the current date and time:
ALTER TABLE persona ADD date_of_joining DATETIME DEFAULT NOW();
# `PRIMARY KEY`, which we can use to uniquely identify each record in the table
CREATE TABLE logins (
    id INT NOT NULL AUTO_INCREMENT,
    username VARCHAR(100) UNIQUE NOT NULL,
    password VARCHAR(100) NOT NULL,
    date_of_joining DATETIME DEFAULT NOW(),
    PRIMARY KEY (id)
);
# Finally, we can use ALTER to change the name of any table and any of its fields,
# or to delete or add a column of an existing table.
ALTER TABLE tableName ADD newColumn INT;
# We can also rename a column:
ALTER TABLE tableName RENAME COLUMN newColumn TO oldColumn;
# Or delete a column:
ALTER TABLE tableName DROP oldColumn;
# Insert a new row with values in a table
# INSERT INTO table_name VALUES (column1_value, column2_value, column3_value, ...);
INSERT INTO persona VALUES ("alvaro", 54, 1);
# Insert a new row with values in a table, but skipping some columns
INSERT INTO table_name (column2, column3, ...) VALUES (column2_value, column3_value, ...);
# We can also insert multiple records at once by separating them with a comma:
INSERT INTO logins (username, password) VALUES ('john', 'john123!'), ('tom', 'tom123!');
# Show all columns from a table
SELECT * FROM tableName;
# Show only some columns from the table
SELECT column1, column2 FROM tableName;
# Select rows from a table filtering by the value of a given column
SELECT * FROM persona WHERE nombre = "alvaro";
# JOIN query
SELECT * FROM oficina JOIN persona ON persona.id = oficina.user_id;
# UNION query. For an attack this means the number of columns has to be the same in both SELECTs
SELECT * FROM oficina UNION SELECT * FROM persona;
# Sort data by the edad column
SELECT * FROM persona ORDER BY edad;
# Retrieve the first record from the table
SELECT * FROM persona ORDER BY edad LIMIT 1;
# Count the number of people stored in persona
SELECT count(*) FROM persona;
# Context: a WordPress database
# Identify how many distinct authors have published a post in the blog
SELECT DISTINCT(post_author) FROM wpdatabase.wp_posts;
# Remove tables and databases from the server
DROP TABLE tableName;
# The UPDATE statement can be used to update specific records within a table, based on certain conditions.
# Its general syntax is:
UPDATE tableName SET column1 = newvalue1, column2 = newvalue2, ... WHERE <condition>;
```
```sql
# UNION statement syntax
# <SELECT statement> UNION <other SELECT statement>;
# Example. Both SELECTs must return the same number of columns, so the shorter one is padded with NULL:
SELECT name, description FROM products WHERE id=9 UNION SELECT price, NULL FROM products WHERE id=9;
```
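As an added example (not from the original notes), the following Python script uses the standard-library sqlite3 module as a stand-in for MySQL to show the two behaviours the notes rely on: the `%` wildcard in LIKE, and the rule that both sides of a UNION must return the same number of columns, padded with NULL when they do not. The `logins` and `products` tables and their rows are constructed samples.

```python
"""Added example (not from the original notes): LIKE wildcards and the
UNION column-count rule, run on an in-memory SQLite database that stands
in for MySQL. Table layout and row values are constructed samples."""
import sqlite3

SCHEMA = """
CREATE TABLE logins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(100) UNIQUE NOT NULL,
    password VARCHAR(100) NOT NULL
);
CREATE TABLE products (
    id INTEGER PRIMARY KEY,
    name VARCHAR(100),
    description VARCHAR(255),
    price INTEGER
);
"""

def build_db():
    """Create the two sample tables and insert constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO logins (username, password) VALUES (?, ?)",
                     [("admin", "admin123!"), ("administrator", "x"), ("john", "john123!")])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                     [(9, "widget", "a widget", 10), (10, "gadget", "a gadget", 25)])
    return conn

def usernames_like(conn, pattern):
    """LIKE with the % wildcard, as in the notes' admin% query (pattern is bound, not concatenated)."""
    rows = conn.execute("SELECT username FROM logins WHERE username LIKE ?", (pattern,))
    return [r[0] for r in rows]

def union_column_check(conn):
    """Show that UNION rejects mismatched column counts and accepts a NULL-padded one.
    Returns (mismatch_failed, padded_rows)."""
    mismatch_failed = False
    try:  # two columns UNION one column: the engine refuses to prepare the statement
        conn.execute("SELECT name, description FROM products WHERE id=9 "
                     "UNION SELECT price FROM products WHERE id=9").fetchall()
    except sqlite3.OperationalError:
        mismatch_failed = True
    padded = conn.execute("SELECT name, description FROM products WHERE id=9 "
                          "UNION SELECT price, NULL FROM products WHERE id=9").fetchall()
    return mismatch_failed, padded

if __name__ == "__main__":
    db = build_db()
    print(usernames_like(db, "admin%"))
    print(union_column_check(db))
```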
```sql
# Show current user
SELECT current_user();
SELECT user();
# Show current database
SELECT database();
```
Well-known vulnerabilities
Misconfigurations
Anonymous access enabled.
Vulnerabilities
MySQL 5.6.x servers: CVE-2012-2122, among others. It allowed us to bypass authentication by repeatedly using the same incorrect password for the given account, because a timing attack vulnerability existed in the way MySQL handled authentication attempts. In this timing attack, we repeatedly attempt to authenticate to the server and measure the time it takes the server to respond to each attempt. By measuring the response time, we can determine when the correct password has been found, even if the server does not indicate success or failure.
Last update: 2024-11-03
Created: January 3, 2023 12:54:46