Today, I will talk about how to upload a shell through MySQL syntax.
MySQL is an open-source relational database management system (RDBMS). Its name is a combination of “My”, the name of co-founder Michael Widenius’s daughter, and “SQL”, the abbreviation for Structured Query Language.
So MySQL is a database service, like MariaDB (a fork of MySQL) or SQL Server.
For context, I was exploiting a vulnerable VM, Stapler 1 from VulnHub. I had access to the MySQL service and was wondering how to upload a shell file to the server in order to connect to it later.
So I connect to the MySQL service remotely using the password “plbkac”:
Then I list the available databases:
Many databases are stored on the server. I will upload a shell to it. First I generate the payload using msfvenom; don’t forget to set LHOST to the machine the server will connect back to (the attack machine).
Msfvenom combines payload generation and encoding. It replaced msfpayload and msfencode on June 8th 2015.
To have a look at the file:
To summarise: msfvenom has created a reverse TCP shell in PHP, encoded in base64. Once executed, the host running the shell will initiate a TCP connection to the IP 192.168.0.5 on port 4444.
Now I will upload the shell to the server using SQL syntax:
To make sure the query worked, I check the website:
The reverse TCP shell has been uploaded as this PHP file!
Now I will use multi/handler. It simply starts the payload receiver and waits for a connection, or connects out.
I specify my IP and port: 192.168.0.5:4444. This is the information I set when generating the original payload.
I request the infected web page using the -k option, which makes the connection “insecure”: no certificate verification. I request…
… and I get a remote shell on the server:
The statement “SELECT … INTO OUTFILE” should be blocked by default for non-privileged database users.
This is a way to gain remote access to a server using a MySQL statement.
msfvenom and multi/handler are just the means of obtaining the reverse TCP shell.
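From the defender's side, the write in the post is only possible when the database account holds the global FILE privilege and the server's secure_file_priv setting does not confine (or disable) INTO OUTFILE. The audit below is an added example, not code from the original post: it takes the rows a DBA would copy from SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR an account (sample rows constructed here, not taken from the Stapler VM) and classifies the exposure. It assumes MySQL's SHOW GRANTS output format and does not expand MySQL 8 roles.

```python
import re

# Constructed sample rows, as a DBA would see them from
# SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS FOR <user>.
# They are illustrative and not taken from the Stapler VM.
SAMPLE_SECURE_FILE_PRIV = ""          # empty string: no directory restriction
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
]

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE)

def grants_file_privilege(grant_lines):
    """True if any grant line confers FILE. FILE is a global privilege, so only
    grants ON *.* can carry it, either explicitly or via ALL [PRIVILEGES]."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False

def outfile_write_scope(secure_file_priv):
    """Classify secure_file_priv: None or 'NULL' disables INTO OUTFILE entirely,
    '' allows writing anywhere the mysqld process can, a path confines writes to it."""
    if secure_file_priv is None or str(secure_file_priv).strip().upper() == "NULL":
        return "disabled"
    if str(secure_file_priv).strip() == "":
        return "unrestricted"
    return "restricted"

def assess_outfile_risk(secure_file_priv, grant_lines):
    """Combine both checks: an account can drop a file into a web root only if it
    holds FILE and secure_file_priv does not confine or disable the write."""
    has_file = grants_file_privilege(grant_lines)
    scope = outfile_write_scope(secure_file_priv)
    if not has_file or scope == "disabled":
        risk = "none"
    elif scope == "unrestricted":
        risk = "high"
    else:
        risk = "low"   # writes confined to the secure_file_priv directory
    return {"file_privilege": has_file, "write_scope": scope, "risk": risk}

if __name__ == "__main__":
    print(assess_outfile_risk(SAMPLE_SECURE_FILE_PRIV, SAMPLE_GRANTS))
```

A "high" result still depends on the web root being writable by the mysqld OS user, so file-system permissions are the second control to verify alongside revoking FILE and setting secure_file_priv.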