MySQL enumeration starts with identity, grants, server variables, schema, and data.
Connect
Standard connection:
mysql -h HOST -u USER -p
Password inline when the lab requires it:
mysql -h HOST -u USER -p'PASSWORD'
Specific port:
mysql -h HOST -P 3306 -u USER -p
Local Unix socket:
mysql -u USER -p -S /var/run/mysqld/mysqld.sock
TLS with permissive certificate handling in a lab:
mysql -h HOST -u USER -p'PASSWORD' --ssl --skip-ssl-verify-server-cert
TLS with explicit certificates:
mysql -h HOST -u USER -p'PASSWORD' \
--ssl \
--ssl-ca=/path/to/ca.pem \
--ssl-cert=/path/to/client-cert.pem \
--ssl-key=/path/to/client-key.pem \
--skip-ssl-verify-server-cert
Identity
SELECT USER(), CURRENT_USER();
USER() shows how the client authenticated.
CURRENT_USER() shows the effective account used for privilege checks.
Check grants:
SHOW GRANTS FOR CURRENT_USER();
Check users with dangerous file or administrative privileges:
SELECT User, Host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv='Y' OR Super_priv='Y';
Compact version:
SELECT USER(), CURRENT_USER();
SHOW GRANTS FOR CURRENT_USER();
SELECT User,Host,File_priv,Super_priv FROM mysql.user WHERE File_priv='Y' OR Super_priv='Y';
Strong grants to notice:
FILE
SUPER
PROCESS
SHUTDOWN
CREATE FUNCTION
ALL PRIVILEGES
Server Context
SELECT VERSION();
SELECT @@version;
SHOW VARIABLES LIKE 'hostname';
SHOW VARIABLES LIKE 'version_compile_os';
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'plugin_dir';
SHOW PLUGINS;
No-output fingerprinting:
SELECT SLEEP(5);
Databases And Schema
List databases:
SHOW DATABASES;
Alternative:
SELECT schema_name
FROM information_schema.schemata;
Switch database:
USE target_database;
List tables:
SHOW TABLES;
Alternative:
SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'target_database';
Inspect a table:
DESCRIBE target_table;
SHOW COLUMNS FROM target_table;
Alternative:
SELECT column_name, data_type
FROM information_schema.columns
WHERE table_schema = 'target_database'
AND table_name = 'target_table';
Data Dumping
Preview data:
SELECT * FROM target_table LIMIT 10;
Specific table:
SELECT username, password
FROM inlanefreight.users;
Sort and limit:
SELECT * FROM logins ORDER BY id DESC LIMIT 10;
SELECT * FROM logins WHERE username LIKE 'admin%';
Export query output to disk through MySQL server file write:
SELECT id, name, email
INTO OUTFILE '/var/lib/mysql-files/users_export.csv'
FIELDS TERMINATED BY ','
LINES TERMINATED BY '\n'
FROM users;
Import a CSV if the server permits it:
LOAD DATA INFILE '/var/lib/mysql-files/data.csv'
INTO TABLE my_table
FIELDS TERMINATED BY ','
LINES TERMINATED BY '\n'
IGNORE 1 ROWS;
Non-Interactive Queries
Show databases:
mysql -h HOST -u USER -p'PASSWORD' -e "SHOW DATABASES;"
Show tables:
mysql -h HOST -u USER -p'PASSWORD' -D DB -e "SHOW TABLES;"
Describe a table:
mysql -h HOST -u USER -p'PASSWORD' -D DB -e "DESCRIBE users;"
Dump first rows:
mysql -h HOST -u USER -p'PASSWORD' -D DB -e "SELECT * FROM users LIMIT 10;"
Save output:
mysql -h HOST -u USER -p'PASSWORD' -D DB -e "SELECT * FROM users;" > users.txt
Dump a database:
mysqldump -h HOST -u USER -p'PASSWORD' DB > dump.sql
Dump one table:
mysqldump -h HOST -u USER -p'PASSWORD' DB table_name > table.sql