MySQL/MSSQL

Open-source relational DB system by Oracle:

Data stored in tables with different columns, rows, data types stored in .sql

MySQL Clients

Clients can retrieve/edit data using structured queries to DB engine
Inserting, deleting, modifying, retrieving data, is done using SQL language
Example: CMS WordPress

Suited for apps like dynamic websites, where efficient syntax/high response essential

LAMP: Linux, Apache, MySQL, PHP | LEMP: Linux NginX, MySQL, PHP

Serves as central instance where content required by PHP scripts stored
- Headers, texts, meta tags, forms, customers, usernames admins, mods
- Translates cmds internally into exec code/performs actions

Web app informs the user if an error occurs, which various SQLi can provoke

Error info confirms a web app interacts with a db in a way other than intended
Info can be data extracts from a table/records needed for processing, functions, etc.
Cmds can display, mod, add, delete rows
Can also change table structure, create, delete relationships, indexes, manage users

MariaDB: Often connected with MySQL, is a fork of original code

sudo apt install mysql-server -y # install mysql server 
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d' # configs

Dangerous Settings

user # sets which user mysql will run as
password # sets password 
admin_address # IP to listen for connections on admin network int
debug # debugging settings 
sql_warnings # controls if single-row INSERT statements produce info str on warnings 
secure_file_priv # used to limit effect of data import/export ops

user, password, admin_address plain text

debug, sql_warnings provide info, which could further attack surface

sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
| mysql-brute: 
|     root:<empty> - Valid credentials
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|   Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_  Auth Plugin Name: caching_sha2_password

Interaction with MySQL

mysql -u root -h 10.10.10.10
mysql -u root -password -h 10.10.10.10

MySQL [(none)]> show databases;                                                             +--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.006 sec)

MySQL [(none)]> select version();
+-------------------------+
| version()               |
+-------------------------+
| 8.0.27-0ubuntu0.20.04.1 |
+-------------------------+
1 row in set (0.001 sec)

MySQL [(none)]> use mysql;
MySQL [mysql]> show tables;
+------------------------------------------------------+
| Tables_in_mysql                                      |
+------------------------------------------------------+
| columns_priv                                         |
| component                                            |
| db                                                   |
| default_roles                                        |
| engine_cost                                          |
| func                                                 |
| general_log                                          |
| user                                                 |
+------------------------------------------------------+
37 rows in set (0.002 sec)

system schema (sys), tables, info, metadata

mysql> use sys;
mysql> show tables;  
+-----------------------------------------------+
| Tables_in_sys                                 |
+-----------------------------------------------+
| host_summary                                  |
| host_summary_by_file_io                       |
| host_summary_by_file_io_type                  |
| host_summary_by_stages                        |
| host_summary_by_statement_latency             |
| host_summary_by_statement_type                |
| innodb_buffer_stats_by_schema                 |
| innodb_buffer_stats_by_table                  |
| innodb_lock_waits                             |
| io_by_thread_by_latency                       |
...SNIP...
| x$waits_global_by_latency                     |
+-----------------------------------------------+
mysql> select host, unique_users from host_summary;
+-------------+--------------+                   
| host        | unique_users |                   
+-------------+--------------+                   
| 10.129.14.1 |            1 |                   
| localhost   |            2 |                   
+-------------+--------------+                   
2 rows in set (0,01 sec)

information schema metadata mainly retrieved from system schema db

ANSI/ISO standard is the reason both exist
System schema MS catalog for SQL servers

mysql -u user -ppassword -h IP # connect to mysql server | no space bet -p and pass
show databases; 
use database; # select a database
show tables; 
show columns from tablee; # show all columns in selected database
select * from table; # show everything in table
select * from table where column = "string"; # search for string in desired table

MSSQL

MS's SQL-based relational db mgmt system:

Closed source/initially written to run on Win MSSQL Clients

SMMS: SQL Server Management Studio: Feature that can be installed with MSSQL

We could come across a vuln sys with SSMS with saved creds that allow access

master # tracks all sys info for a SQL server instance
model # template: structure for every new db: any changes flected in new db's 
msdb # sql server agent uses this db to schedule jobs & alerts
tempdb # temp objects
resource # read-only db: system objects included with sql server

Many clients can be used to access a db running MSSQL:

locate mssqlclient # find if/where client is on host
/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py

When an admin installs/configs MSSQL to be network accessible, service runs as:

NT SERVICE\MSSQLSERVER:Connecting from client-side possible through Win Auth

Default: Encryption not enforced
Win will process login request/use local SAM db/AD DC before allowing connectivity to dbms
Using AD can be ideal for auditing activity/controlling access

If an acct is compromised, it could lead to privesc/lateral movement

# dangerous settings 
-- clients not using encryption to connect
-- self-signed certs when encryption is used (spoofing)
-- use of named pipes
-- weak/default sa creds