Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MySQL

Enumeration

MySQL enumeration starts with identity, grants, server variables, schema, and data.


Connect

Standard connection:

mysql -h HOST -u USER -p

Password inline when the lab requires it:

mysql -h HOST -u USER -p'PASSWORD'

Specific port:

mysql -h HOST -P 3306 -u USER -p

Local Unix socket:

mysql -u USER -p -S /var/run/mysqld/mysqld.sock

TLS with permissive certificate handling in a lab:

mysql -h HOST -u USER -p'PASSWORD' --ssl --skip-ssl-verify-server-cert

TLS with explicit certificates:

mysql -h HOST -u USER -p'PASSWORD' \
  --ssl \
  --ssl-ca=/path/to/ca.pem \
  --ssl-cert=/path/to/client-cert.pem \
  --ssl-key=/path/to/client-key.pem \
  --skip-ssl-verify-server-cert

Identity

SELECT USER(), CURRENT_USER();

USER() shows how the client authenticated.

CURRENT_USER() shows the effective account used for privilege checks.

Check grants:

SHOW GRANTS FOR CURRENT_USER();

Check users with dangerous file or administrative privileges:

SELECT User, Host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv='Y' OR Super_priv='Y';

Compact version:

SELECT USER(), CURRENT_USER();
SHOW GRANTS FOR CURRENT_USER();
SELECT User,Host,File_priv,Super_priv FROM mysql.user WHERE File_priv='Y' OR Super_priv='Y';

Strong grants to notice:

FILE
SUPER
PROCESS
SHUTDOWN
CREATE FUNCTION
ALL PRIVILEGES

Server Context

SELECT VERSION();
SELECT @@version;
SHOW VARIABLES LIKE 'hostname';
SHOW VARIABLES LIKE 'version_compile_os';
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'plugin_dir';
SHOW PLUGINS;

No-output fingerprinting:

SELECT SLEEP(5);

Databases And Schema

List databases:

SHOW DATABASES;

Alternative:

SELECT schema_name
FROM information_schema.schemata;

Switch database:

USE target_database;

List tables:

SHOW TABLES;

Alternative:

SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'target_database';

Inspect a table:

DESCRIBE target_table;
SHOW COLUMNS FROM target_table;

Alternative:

SELECT column_name, data_type
FROM information_schema.columns
WHERE table_schema = 'target_database'
AND table_name = 'target_table';

Data Dumping

Preview data:

SELECT * FROM target_table LIMIT 10;

Specific table:

SELECT username, password
FROM inlanefreight.users;

Sort and limit:

SELECT * FROM logins ORDER BY id DESC LIMIT 10;
SELECT * FROM logins WHERE username LIKE 'admin%';

Export query output to disk through MySQL server file write:

SELECT id, name, email
INTO OUTFILE '/var/lib/mysql-files/users_export.csv'
FIELDS TERMINATED BY ','
LINES TERMINATED BY '\n'
FROM users;

Import a CSV if the server permits it:

LOAD DATA INFILE '/var/lib/mysql-files/data.csv'
INTO TABLE my_table
FIELDS TERMINATED BY ','
LINES TERMINATED BY '\n'
IGNORE 1 ROWS;

Non-Interactive Queries

Show databases:

mysql -h HOST -u USER -p'PASSWORD' -e "SHOW DATABASES;"

Show tables:

mysql -h HOST -u USER -p'PASSWORD' -D DB -e "SHOW TABLES;"

Describe a table:

mysql -h HOST -u USER -p'PASSWORD' -D DB -e "DESCRIBE users;"

Dump first rows:

mysql -h HOST -u USER -p'PASSWORD' -D DB -e "SELECT * FROM users LIMIT 10;"

Save output:

mysql -h HOST -u USER -p'PASSWORD' -D DB -e "SELECT * FROM users;" > users.txt

Dump a database:

mysqldump -h HOST -u USER -p'PASSWORD' DB > dump.sql

Dump one table:

mysqldump -h HOST -u USER -p'PASSWORD' DB table_name > table.sql