MySQL/MSSQL
MySQL: open-source relational DB system maintained by Oracle
Data is stored in tables with different columns, rows and data types; on disk it is stored in .sql files
MySQL Clients
Clients can retrieve/edit data by sending structured queries to the DB engine
Inserting, deleting, modifying and retrieving data is done with the SQL language
Example client: the WordPress CMS
sudo apt install mysql-server -y # install mysql server
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d' # configs
Dangerous Settings
user # sets which user mysql will run as
password # sets password
admin_address # IP to listen on for connections on the admin network interface
debug # debugging settings
sql_warnings # controls whether single-row INSERT statements produce info strings on warnings
secure_file_priv # used to limit effect of data import/export ops
user, password, admin_address: stored in plain text
debug, sql_warnings: provide verbose info, which could widen the attack surface
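Added example (not from these notes): a POSIX shell script that applies the checks above to a mysqld.cnf, using the same grep/sed filtering as the config command above. Function names and the sample config file are constructed for the example; run it against the real file with audit_mysqld_cnf /etc/mysql/mysql.conf.d/mysqld.cnf.

```shell
#!/bin/sh
# Added example, not part of the original notes: flag the dangerous mysqld
# settings listed above in a config file.
# Usage: audit_mysqld_cnf /etc/mysql/mysql.conf.d/mysqld.cnf
# One finding per output line; no output means none of the checks fired.

# Same idea as the grep/sed pipeline above: drop comments and blank lines,
# then normalise "key = value" to "key=value" so awk can split on "=".
mysql_cnf_clean() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -r '/^[[:space:]]*$/d; s/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]]+$//; s/^[[:space:]]+//'
}

# Print the value of key $2 from file $1 (first match), nothing if absent.
mysql_cnf_get() {
    mysql_cnf_clean "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Exit 0 if key $2 appears at all in file $1, even with an empty value.
mysql_cnf_has() {
    mysql_cnf_clean "$1" | awk -F= -v k="$2" '$1 == k { found = 1 } END { exit !found }'
}

audit_mysqld_cnf() {
    cnf="$1"
    v=$(mysql_cnf_get "$cnf" user)
    if [ "$v" = "root" ]; then
        echo "user=root: server process runs as root"
    fi
    if mysql_cnf_has "$cnf" password; then
        echo "password: credential stored in plain text in $cnf"
    fi
    v=$(mysql_cnf_get "$cnf" admin_address)
    if [ -n "$v" ]; then
        echo "admin_address=$v: admin interface listening on a network address"
    fi
    if mysql_cnf_has "$cnf" debug; then
        echo "debug: debugging output enabled, leaks server internals"
    fi
    v=$(mysql_cnf_get "$cnf" sql_warnings)
    case "$v" in
        1|ON|on) echo "sql_warnings=$v: verbose warning strings returned to clients" ;;
    esac
    if mysql_cnf_has "$cnf" secure_file_priv; then
        v=$(mysql_cnf_get "$cnf" secure_file_priv)
        case "$v" in
            ''|'""'|"''") echo "secure_file_priv empty: no restriction on file import/export" ;;
        esac
    else
        # Absent from this file means the build default applies; check it live.
        echo "secure_file_priv not set here: confirm with SHOW VARIABLES LIKE 'secure_file_priv'"
    fi
    return 0
}

# Constructed sample config (not a real server's file) to exercise the checks;
# prints the path it wrote.
make_sample_cnf() {
    f="${TMPDIR:-/tmp}/sample-mysqld.cnf"
    cat > "$f" <<'EOF'
[mysqld]
user            = root
pid-file        = /var/run/mysqld/mysqld.pid
# password is commented out here, so it must not be reported
# password = s3cret
admin_address   = 0.0.0.0
debug           = d:t:o,/tmp/mysqld.trace
sql_warnings    = 1
secure_file_priv = ""
EOF
    echo "$f"
}

# Stand-alone use: sh audit.sh /etc/mysql/mysql.conf.d/mysqld.cnf
if [ $# -gt 0 ]; then
    audit_mysqld_cnf "$1"
fi
```

The sample config trips five of the six checks (the commented-out password must not be reported); the secure_file_priv branch distinguishes "explicitly empty" (unrestricted) from "not set in this file", since the latter falls back to a build default that only SHOW VARIABLES reveals.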
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
| mysql-brute:
| root:<empty> - Valid credentials
| mysql-enum:
| Valid usernames:
| root:<empty> - Valid credentials
| netadmin:<empty> - Valid credentials
| mysql-info:
| Protocol: 10
| Version: 8.0.26-0ubuntu0.20.04.1
| Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_ Auth Plugin Name: caching_sha2_password
Interaction with MySQL
mysql -u root -h 10.10.10.10
mysql -u root -p<password> -h 10.10.10.10 # no space between -p and the password
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.006 sec)
MySQL [(none)]> select version();
+-------------------------+
| version() |
+-------------------------+
| 8.0.27-0ubuntu0.20.04.1 |
+-------------------------+
1 row in set (0.001 sec)
MySQL [(none)]> use mysql;
MySQL [mysql]> show tables;
+------------------------------------------------------+
| Tables_in_mysql |
+------------------------------------------------------+
| columns_priv |
| component |
| db |
| default_roles |
| engine_cost |
| func |
| general_log |
| user |
+------------------------------------------------------+
37 rows in set (0.002 sec)
system schema (sys): tables with info/metadata about the server
mysql> use sys;
mysql> show tables;
+-----------------------------------------------+
| Tables_in_sys |
+-----------------------------------------------+
| host_summary |
| host_summary_by_file_io |
| host_summary_by_file_io_type |
| host_summary_by_stages |
| host_summary_by_statement_latency |
| host_summary_by_statement_type |
| innodb_buffer_stats_by_schema |
| innodb_buffer_stats_by_table |
| innodb_lock_waits |
| io_by_thread_by_latency |
...SNIP...
| x$waits_global_by_latency |
+-----------------------------------------------+
mysql> select host, unique_users from host_summary;
+-------------+--------------+
| host | unique_users |
+-------------+--------------+
| 10.129.14.1 | 1 |
| localhost | 2 |
+-------------+--------------+
2 rows in set (0,01 sec)
information schema: metadata, mainly retrieved from the system schema db
information_schema follows the ANSI/ISO standard, which is why both schemas exist
System schema: MS catalog for SQL servers
mysql -u user -ppassword -h IP # connect to mysql server | no space between -p and password
show databases;
use database; # select a database
show tables;
show columns from table; # show all columns in the selected table
select * from table; # show everything in table
select * from table where column = "string"; # search for string in desired table
MSSQL
MS's SQL-based relational DB management system:
Closed source, initially written to run on Windows
MSSQL Clients
SSMS: SQL Server Management Studio: client feature that can be installed with MSSQL
We could come across a vulnerable system running SSMS with saved creds that allow access
Many clients can be used to access a db running MSSQL:
locate mssqlclient # find if/where client is on host
/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py
When an admin installs/configures MSSQL to be network accessible, the service runs as:
NT SERVICE\MSSQLSERVER:
Connecting from the client side is possible through Windows Auth
Default: encryption not enforced
Windows processes the login request using the local SAM db or the AD DC before allowing connectivity to the DBMS
Using AD can be ideal for auditing activity/controlling access
If an acct is compromised, it could lead to privesc/lateral movement
# dangerous settings
-- clients not using encryption to connect
-- self-signed certs when encryption is used (spoofing)
-- use of named pipes
-- weak/default sa creds
More on named pipes
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
| ms-sql-ntlm-info:
| Target_Name: SQL-01
| NetBIOS_Domain_Name: SQL-01
Host script results:
| ms-sql-info:
| Windows server name: SQL-01
| 10.129.201.248\MSSQLSERVER:
| Instance name: MSSQLSERVER
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Named pipe: \\10.129.201.248\pipe\sql\query
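Added example (not from these notes) that serves both the MySQL nmap output above and this MSSQL output: a POSIX shell script that pulls the fix-list items out of saved nmap script output (accounts that logged in with an empty password, reported versions, the MySQL auth plugin, and any MSSQL named pipe exposed). Function names are my own; the sample scan file is constructed from the output lines shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original notes: triage saved nmap
# mysql*/ms-sql-* script output (plain-text -oN style) into findings.
# Usage: triage_nmap_sql scan.txt

# Accounts that mysql-brute / mysql-enum logged in with an empty password.
# Lines look like: "|   root:<empty> - Valid credentials"
empty_password_accounts() {
    sed -n 's/^|[ _]*\([^ :]*\):<empty> - Valid credentials.*$/\1/p' "$1" | sort -u
}

# Version strings from mysql-info ("Version: 8.0.26-...") and ms-sql-info
# ("name: Microsoft SQL Server 2019 RTM"); the bare "Version:" header line
# of ms-sql-info has no value after the colon and is skipped.
reported_versions() {
    sed -n -e 's/^|[ _]*Version: \(.*\)$/\1/p' -e 's/^|[ _]*name: \(.*\)$/\1/p' "$1"
}

# Auth plugin advertised by MySQL (mysql-info).
auth_plugins() {
    sed -n 's/^|[ _]*Auth Plugin Name: \(.*\)$/\1/p' "$1"
}

# Named-pipe endpoints reported by ms-sql-info (one of the dangerous settings).
named_pipes() {
    sed -n 's/^|[ _]*Named pipe: \(.*\)$/\1/p' "$1"
}

triage_nmap_sql() {
    scan="$1"
    echo "== accounts with empty passwords (rotate or disable) =="
    empty_password_accounts "$scan"
    echo "== reported server versions (compare with vendor patch levels) =="
    reported_versions "$scan"
    echo "== MySQL auth plugin =="
    auth_plugins "$scan"
    echo "== MSSQL named pipes exposed =="
    named_pipes "$scan"
}

# Constructed sample scan, assembled from the nmap output lines on this page;
# prints the path it wrote.
make_sample_scan() {
    f="${TMPDIR:-/tmp}/sample-nmap-sql.txt"
    cat > "$f" <<'EOF'
| mysql-brute:
|   root:<empty> - Valid credentials
| mysql-enum:
|   Valid usernames:
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
| mysql-info:
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|_  Auth Plugin Name: caching_sha2_password
| ms-sql-info:
|   Windows server name: SQL-01
|   10.129.201.248\MSSQLSERVER:
|     Instance name: MSSQLSERVER
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|     Product: Microsoft SQL Server 2019
|_    Named pipe: \\10.129.201.248\pipe\sql\query
EOF
    echo "$f"
}

# Stand-alone use: sh triage.sh scan.txt
if [ $# -gt 0 ]; then
    triage_nmap_sql "$1"
fi
```

On the sample, root is listed once even though two scripts reported it, netadmin shows up as a second empty-password account, and the MSSQL named pipe comes out as an item to close or restrict.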
aux scanner with metasploit: mssql_ping
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248
msf6 auxiliary(scanner/mssql/mssql_ping) > run
Connecting with Mssqlclient.py
python3 mssqlclient.py <user>@10.129.201.248 -windows-auth # user placeholder; script path as located above
SQL> select name from sys.databases
name
-----------------------------------
master
tempdb
model
msdb
Transactions