Command Line MySQL for Hackers

Learning to connect to a MySQL server from the command line is extremely useful in many situations, especially penetration testing. It is quick, easy to learn, and the fastest way to get in.

General MySQL CLI

Connect to the Database

This command logs you into the MySQL server as user “user” on host 192.168.0.26.

┌─[✗]─[user@parrot]─[~]
└──╼ $ nmap -sV 127.0.0.1

Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MySQL connection id is 4

Server version: 5.7.28-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

View and Connect to a Database

To see which databases are available to the user you logged in with, type the “show” command. To select a database and start viewing its contents, use the “use” command.

Table Viewing and Manipulation

The two most important things to know are how to list the tables of a database and how to view a table's definition.

To see information about a table, such as its schema, use the “describe” command.

Advanced MySQL Commands for Hackers

Creating Local Database

Importing data from a SQL file is easy…

Ex-filtrating Database Schema

The user is “root” and the password is “plbkac”. Yes, there is no space between “-p” and the password; that is the way you do it…

If you just want one table with no data… try this…

Ex-filtrating Data

Reading Data

It is possible to read sensitive files using MySQL commands.

Create Backdoor PHP Script

This will create a PHP backdoor script that will execute commands against the system. You can easily call home with a reverse shell.
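The file reads described under “Reading Data” and the file write that the PHP script above depends on both need the MySQL FILE privilege, and the server's secure_file_priv setting decides where, if anywhere, such reads and writes are allowed. The following is an added example, not code from the original post: it takes a captured SHOW GRANTS result and secure_file_priv value (the sample grant lines and values below are constructed) and reports whether the account can touch files on the server, so an administrator can spot accounts that should have FILE revoked.

```python
"""Audit whether a MySQL account can read or write files on the server host.

Added example, not code from the original post. It assumes you have already
captured the output of `SHOW GRANTS FOR CURRENT_USER();` and
`SHOW VARIABLES LIKE 'secure_file_priv';` from a server you administer.
All sample values here are constructed for illustration.
"""
import re

# Constructed sample: one string per line printed by SHOW GRANTS.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

_GRANT_RE = re.compile(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO", re.IGNORECASE)


def has_file_privilege(grant_lines):
    """True if a global (*.*) grant includes FILE or ALL PRIVILEGES.

    FILE is a global privilege, so a database-level grant such as
    `GRANT SELECT ON db.*` never confers it and is skipped here.
    """
    for line in grant_lines:
        match = _GRANT_RE.match(line)
        if not match or match.group(2) != "*.*":
            continue
        names = {name.strip().upper() for name in match.group(1).split(",")}
        if names & {"ALL PRIVILEGES", "ALL", "FILE"}:
            return True
    return False


def classify_secure_file_priv(value):
    """Interpret secure_file_priv the way the server does."""
    if value is None or value == "NULL":
        return "disabled"       # LOAD_FILE and INTO OUTFILE are refused entirely
    if value == "":
        return "unrestricted"   # any path the mysqld OS user can reach
    return "restricted"         # only paths inside the named directory


def file_access_risk(grant_lines, secure_file_priv):
    """Combine both checks into one verdict string for a report."""
    if not has_file_privilege(grant_lines):
        return "none: account lacks the FILE privilege"
    mode = classify_secure_file_priv(secure_file_priv)
    if mode == "disabled":
        return "none: secure_file_priv is NULL"
    if mode == "restricted":
        return f"limited: file access confined to {secure_file_priv}"
    return "high: FILE privilege with empty secure_file_priv"


if __name__ == "__main__":
    # Constructed values for the two settings an operator would compare.
    print(file_access_risk(SAMPLE_GRANTS, ""))
    print(file_access_risk(SAMPLE_GRANTS, "/var/lib/mysql-files/"))
```

The two remediations the verdict points at are `REVOKE FILE ON *.* FROM 'user'@'host'` for accounts that do not need it and setting secure_file_priv to a dedicated directory (or NULL) in the server configuration; the web application's own database account should never hold FILE.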

WordPress Privilege Escalation

You can create a new user with administrative access very easily using SQL. There are 2 tables and 3 sets of data that must be inserted to accomplish this. If you don’t want to create a new user and have compromised a low privileged user, you can use SQL to elevate your privileges by updating the wp_usermeta table. Adjusting the meta_value for the meta_keys “wp_capabilities” and “wp_user_level” will elevate access if done correctly.

This script isn’t 100% accurate. WordPress no longer uses plain MD5 hashes for passwords; there’s a script that adds a salt in WordPress. You’ll have to reset your password or copy in a known user’s password hash.

The key thing about WordPress is understanding how data is saved. Some of the data in WordPress is saved in composite JSON strings.

 a:1:{s:6:"author";b:1;}

You can’t just change “author” to “administrator”. The “s” stands for string and the 6 means it is 6 characters long. You must update the entire JSON string to make this work.

 a:1:{s:13:"administrator";s:1:"1";}

You will need to find the top (highest) existing value of the ID column and use the next one. The insert will not work if the ID already exists.
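The strings shown above are PHP serialize() output (the post calls them JSON), which is why the length prefix has to be rewritten along with the role name. The following added example, not code from the original post or from WordPress, implements a small parser and encoder for that format and uses it to audit wp_usermeta rows for administrator grants nobody planned; it assumes the default “wp_” table prefix and ASCII role names (PHP lengths are byte counts), and the usermeta rows are constructed samples.

```python
"""Parse and audit the PHP serialize() strings WordPress keeps in wp_usermeta.

Added example, not code from the original post. Handles the value types found in
wp_capabilities (array, string, integer, boolean, NULL), assumes the default "wp_"
table prefix and ASCII role names (PHP lengths are byte counts). Rows are constructed.
"""


def _expect(data, pos, ch):
    """Raise unless the character at pos is the delimiter the format requires."""
    if pos >= len(data) or data[pos] != ch:
        raise ValueError(f"expected {ch!r} at offset {pos}")


def _parse(data, pos):
    """Parse one value at pos; return (value, offset just after it)."""
    if pos >= len(data):
        raise ValueError(f"truncated input at offset {pos}")
    tag = data[pos]
    if tag == "N":                                  # N;
        _expect(data, pos + 1, ";")
        return None, pos + 2
    if tag in "ib":                                 # i:42;  b:1;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (int(raw) if tag == "i" else raw == "1"), end + 1
    if tag == "s":                                  # s:6:"author";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])           # declared byte length
        _expect(data, colon + 1, '"')
        start = colon + 2
        text = data[start:start + length]
        _expect(data, start + length, '"')          # a stale length fails right here
        _expect(data, start + length + 1, ";")
        return text, start + length + 2
    if tag == "a":                                  # a:1:{key value ...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, "{")
        pos, items = colon + 2, {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            items[key] = value
        _expect(data, pos, "}")
        return items, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def php_unserialize(data):
    """Decode one complete serialized value; trailing or truncated input is an error."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def php_serialize(value):
    """Encode a value the way PHP serialize() does; dicts become PHP arrays."""
    if value is None:
        return "N;"
    if isinstance(value, bool):                     # bool before int: bool subclasses int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(value).__name__}")


# Constructed wp_usermeta rows: (user_id, meta_key, meta_value).
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),     # the one planned admin
    (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";s:1:"1";}'),  # role rewritten, length fixed
    (4, "wp_capabilities", 'a:1:{s:6:"administrator";b:1;}'),      # role rewritten, length stale
    (4, "wp_user_level", "10"),
]


def audit_admins(rows, expected_admins=frozenset({1})):
    """Return (unexpected administrator user_ids, user_ids whose capabilities do not parse).

    Both lists deserve a look: the first is a privilege grant nobody planned,
    the second is a row that was edited by hand or corrupted.
    """
    unexpected, malformed = [], []
    for user_id, meta_key, meta_value in rows:
        if meta_key != "wp_capabilities":
            continue
        try:
            caps = php_unserialize(meta_value)
        except ValueError:
            malformed.append(user_id)
            continue
        if isinstance(caps, dict) and caps.get("administrator") and user_id not in expected_admins:
            unexpected.append(user_id)
    return unexpected, malformed
```

Running `audit_admins` over rows pulled with `SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities'` against a known list of legitimate administrators is a cheap periodic check for exactly the kind of change this section describes; `php_serialize` also shows why `a:1:{s:13:"administrator";s:1:"1";}` is the exact form the post gives, since the 13 is the byte length of the new role name.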