MySQL/MSSQL

Open-source relational DB system by Oracle:

Data is stored in tables (columns, rows, data types); the database structure is saved in files with the .sql extension

MySQL Clients

  • Clients can retrieve/edit data using structured queries to DB engine

  • Inserting, deleting, modifying, retrieving data, is done using SQL language

  • Example: CMS WordPress

sudo apt install mysql-server -y # install mysql server 
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d' # configs 

Dangerous Settings

user # sets which user mysql will run as
password # sets password 
admin_address # IP to listen for connections on admin network int
debug # debugging settings 
sql_warnings # controls if single-row INSERT statements produce info str on warnings 
secure_file_priv # used to limit effect of data import/export ops

user, password and admin_address are stored in plain text in the config file

debug and sql_warnings expose verbose debug/error information, which widens the attack surface
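As an added example (not part of the original notes), a small Python audit that parses a mysqld.cnf with the same comment/blank-line filtering as the grep/sed pipeline above and reports the dangerous settings just listed; the sample config is constructed for the demo.

```python
import re

# Settings the notes above flag as dangerous, and why a defender cares.
DANGEROUS = {
    "user": "service account in plain text; 'root' means mysqld itself runs as root",
    "password": "plaintext credential for anyone who can read the file",
    "admin_address": "admin interface bound to a network address, not just localhost",
    "debug": "debug tracing enabled; traces and errors leak server internals",
    "sql_warnings": "verbose warning strings reveal statement details",
}

def parse_config(text):
    """{section: {key: value}}, comments/blank lines dropped like the grep/sed pipeline above."""
    sections, current = {}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip inline comments too
        m = re.match(r"^\[(.+)\]$", line)
        if not line or m:
            current = m.group(1) if m else current
            continue
        key, _, val = line.partition("=")          # bare keys like skip-networking get ''
        key = key.strip().replace("-", "_")        # MySQL treats dashes and underscores alike
        sections.setdefault(current, {})[key] = val.strip().strip('"')
    return sections

def audit_mysql_config(text):
    """Return (section, setting, value, reason) findings for the dangerous settings."""
    sections = parse_config(text)
    findings = [(sec, k, opts[k], why) for sec, opts in sections.items()
                for k, why in DANGEROUS.items() if k in opts]
    # secure_file_priv: '' = no path restriction on LOAD DATA / SELECT ... INTO OUTFILE,
    # NULL = import/export disabled, a directory = restricted to that directory.
    sfp = sections.get("mysqld", {}).get("secure_file_priv")
    if sfp == "":
        findings.append(("mysqld", "secure_file_priv", "", "empty: file import/export can reach any path mysqld can write"))
    elif sfp is None:
        findings.append(("mysqld", "secure_file_priv", None, "not set: build default applies; confirm with SHOW VARIABLES"))
    return findings

# Constructed sample config (not a real host's file) that trips every check above.
SAMPLE_CNF = """\
[client]
password = S3cret!          # plaintext client credential
[mysqld]
user             = root
admin_address    = 192.0.2.10
debug            = d:t:o,/tmp/mysqld.trace
sql_warnings     = 1
secure_file_priv = ""
"""
```

Run it against the output of the cat/grep/sed pipeline above to get a findings list per section; an empty list means none of the listed settings are present and secure_file_priv is a directory.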

sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
| mysql-brute: 
|     root:<empty> - Valid credentials
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|   Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_  Auth Plugin Name: caching_sha2_password

Interaction with MySQL

mysql -u root -h 10.10.10.10 # connect as root without a password
mysql -u root -p<password> -h 10.10.10.10 # no space between -p and the password (-password would be read as -p assword)

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.006 sec)

MySQL [(none)]> select version();
+-------------------------+
| version()               |
+-------------------------+
| 8.0.27-0ubuntu0.20.04.1 |
+-------------------------+
1 row in set (0.001 sec)

MySQL [(none)]> use mysql;
MySQL [mysql]> show tables;
+------------------------------------------------------+
| Tables_in_mysql                                      |
+------------------------------------------------------+
| columns_priv                                         |
| component                                            |
| db                                                   |
| default_roles                                        |
| engine_cost                                          |
| func                                                 |
| general_log                                          |
| user                                                 |
+------------------------------------------------------+
37 rows in set (0.002 sec)

The system schema (sys) contains tables and views exposing server info and metadata

mysql> use sys;
mysql> show tables;  
+-----------------------------------------------+
| Tables_in_sys                                 |
+-----------------------------------------------+
| host_summary                                  |
| host_summary_by_file_io                       |
| host_summary_by_file_io_type                  |
| host_summary_by_stages                        |
| host_summary_by_statement_latency             |
| host_summary_by_statement_type                |
| innodb_buffer_stats_by_schema                 |
| innodb_buffer_stats_by_table                  |
| innodb_lock_waits                             |
| io_by_thread_by_latency                       |
...SNIP...
| x$waits_global_by_latency                     |
+-----------------------------------------------+
mysql> select host, unique_users from host_summary;
+-------------+--------------+                   
| host        | unique_users |                   
+-------------+--------------+                   
| 10.129.14.1 |            1 |                   
| localhost   |            2 |                   
+-------------+--------------+                   
2 rows in set (0,01 sec)  

The information_schema database also contains metadata, but it is mainly retrieved from the system schema database

  • Both exist because of the established ANSI/ISO standard

  • The system schema is a Microsoft catalog for SQL servers

mysql -u <user> -p<password> -h <IP> # connect to mysql server | no space between -p and password
show databases; # list databases
use <database>; # select a database
show tables; # list tables in the selected database
show columns from <table>; # show all columns in the selected table
select * from <table>; # show everything in the table
select * from <table> where <column> = "string"; # search for a string in the desired table
 

MSSQL

MS's SQL-based relational db mgmt system:

  • Closed source/initially written to run on Win

MSSQL Clients

SSMS: SQL Server Management Studio: Feature that can be installed with MSSQL

  • We could come across a vulnerable system running SSMS with saved creds that allow access to the db

Many clients can be used to access a db running MSSQL:

locate mssqlclient # find if/where client is on host
/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py

When an admin installs/configs MSSQL to be network accessible, service runs as:

NT SERVICE\MSSQLSERVER

Connecting from the client side is possible through Win Auth:

  • Default: Encryption not enforced

  • Win will process the login request using the local SAM db or an AD DC before allowing connectivity to the dbms

  • Using AD can be ideal for auditing activity/controlling access

If an acct is compromised, it could lead to privesc/lateral movement

# dangerous settings 
-- clients not using encryption to connect
-- self-signed certs when encryption is used (can be spoofed)
-- use of named pipes
-- weak/default sa creds

More on named pipes

sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
| ms-sql-ntlm-info: 
|   Target_Name: SQL-01
|   NetBIOS_Domain_Name: SQL-01
Host script results:
| ms-sql-info: 
|   Windows server name: SQL-01
|   10.129.201.248\MSSQLSERVER: 
|     Instance name: MSSQLSERVER
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|     Named pipe: \\10.129.201.248\pipe\sql\query

Auxiliary scanner with Metasploit: mssql_ping

msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248
msf6 auxiliary(scanner/mssql/mssql_ping) > run

Connecting with Mssqlclient.py

python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth # or: impacket-mssqlclient Administrator@10.129.201.248 -windows-auth

SQL> select name from sys.databases
name
-----------------------------------
master
tempdb
model
msdb
Transactions
