MySQL

  • MySQL Connector/Python automatically appends a semicolon at the end of your queries.


Operator Precedence

Highest to lowest:

  1. Parentheses (): Operations inside parentheses are evaluated first.

  2. Unary Operators (highest precedence):

    • + (positive)

    • - (negation)

    • ~ (bitwise NOT)

    • ! (logical NOT)

  3. Multiplication, Division, Modulus: These operators are evaluated next and have the same precedence:

    • * (multiplication)

    • / (division)

    • % (modulus)

  4. Addition and Subtraction: These operators have the next level of precedence:

    • + (addition)

    • - (subtraction)

  5. Comparison Operators: All of these operators have the same precedence:

    • = (equal to)

    • != (not equal to)

    • > (greater than)

    • < (less than)

    • >= (greater than or equal to)

    • <= (less than or equal to)

    • LIKE (pattern matching)

  6. Logical NOT:

    • ! (logical NOT)

  7. Logical AND:

    • && (AND)

  8. Logical OR:

    • || (OR)
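
The AND-before-OR rule above is the one that most often changes what a WHERE clause returns. The following is an added example, not code from the original page: it uses Python's built-in sqlite3 as an offline stand-in for MySQL (both give AND higher precedence than OR) and the keyword forms AND/OR instead of && and ||. The accounts table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: (username, role, active)
ROWS = [
    ("alice", "admin", 1),
    ("bob", "admin", 0),      # disabled admin account
    ("carol", "auditor", 1),
    ("dave", "auditor", 0),   # disabled auditor account
]

# Intended meaning: "active accounts that are admin or auditor".
# Because AND binds tighter than OR, this is parsed as
#   role = 'admin' OR (role = 'auditor' AND active = 1)
AMBIGUOUS = ("SELECT username FROM accounts "
             "WHERE role = 'admin' OR role = 'auditor' AND active = 1 "
             "ORDER BY username")

# Parentheses are evaluated first, so the grouping is explicit.
EXPLICIT = ("SELECT username FROM accounts "
            "WHERE (role = 'admin' OR role = 'auditor') AND active = 1 "
            "ORDER BY username")


def run_filter(query):
    """Run one filter query against a fresh in-memory copy of ROWS."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(
            "CREATE TABLE accounts (username TEXT, role TEXT, active INTEGER)")
        conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
        return [row[0] for row in conn.execute(query)]
    finally:
        conn.close()


def leaked_rows():
    """Accounts returned only because of the missing parentheses."""
    return sorted(set(run_filter(AMBIGUOUS)) - set(run_filter(EXPLICIT)))


if __name__ == "__main__":
    print("ambiguous:", run_filter(AMBIGUOUS))
    print("explicit: ", run_filter(EXPLICIT))
    print("leaked:   ", leaked_rows())
```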


General Commands

Connect to the MySQL server:
mysql -u USER -h HOST -P PORT -p

Print available databases:
show databases;

Select the database to use:
use databasename;

Tables

Print tables from the database:
show tables;

Print info about the table:
describe table_name;

Add values to a table:
INSERT INTO table_name VALUES (value_1,..);

Add values to specific columns in a table:
INSERT INTO table_name(column2, ...) VALUES (column2_value, ..);

Update table values:
UPDATE table_name SET column1=newvalue1, ... WHERE <condition>;

Columns

Show all columns in a table:
select * from table_name;

Show specific columns from a table:
select name,username,password from sd4fg_users;

Delete a table:
DROP TABLE tablename;

Add a new column:
ALTER TABLE logins ADD newColumn INT;

Rename a column:
ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn;

Change a column's datatype:
ALTER TABLE logins MODIFY oldColumn DATE;

Delete a column:
ALTER TABLE logins DROP oldColumn;

Output

Sort by column:
SELECT * FROM logins ORDER BY column_1;

Sort by column in descending order:
SELECT * FROM logins ORDER BY column_1 DESC;

Sort by two columns (column_1 descending, then id ascending):
SELECT * FROM logins ORDER BY column_1 DESC, id ASC;

Only show first two results:
SELECT * FROM logins LIMIT 2;

Only show first two results starting from index 2 (offset 1, i.e. the second row):
SELECT * FROM logins LIMIT 1, 2;

List results that meet a condition:
SELECT * FROM table_name WHERE <condition>;

List results where the name is similar to a given string:
SELECT * FROM logins WHERE username LIKE 'admin%';

pymysql

  • The pymysql library is a Python client for interacting with MySQL databases.

Steps to Exploit

  1. Identify the Connection Script

  2. Extract Database Credentials

  3. Execute SQL Queries


  • The following script dynamically executes SQL queries on a target database using credentials extracted from application settings:

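#!/usr/bin/env python

import pymysql
import sys
from craft_api import settings

# Connect to the MySQL database using the credentials stored in the application's settings module
connection = pymysql.connect(
    host=settings.MYSQL_DATABASE_HOST,
    user=settings.MYSQL_DATABASE_USER,
    password=settings.MYSQL_DATABASE_PASSWORD,
    db=settings.MYSQL_DATABASE_DB,
    cursorclass=pymysql.cursors.DictCursor
)

try:
    with connection.cursor() as cursor:
        # The SQL statement to run is taken from the first command-line argument
        sql = sys.argv[1]
        cursor.execute(sql)
        # Rows come back as dictionaries because of DictCursor
        result = cursor.fetchall()
        print(result)
finally:
    # Always release the connection, even if the query fails
    connection.close()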

Use Cases in Exploitation

python myscript.py "SHOW TABLES"
python myscript.py "SELECT * FROM user"
python myscript.py "SHOW GRANTS FOR CURRENT_USER()"
python myscript.py "DESCRIBE user"
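
The result of SHOW GRANTS FOR CURRENT_USER() is also what decides how far credentials read from an application's settings can reach, so it is worth auditing for the application account. The following is an added example, not part of the original page: it parses SHOW GRANTS output and flags grants wider than a web application normally needs. The account `app`@`%`, the `shop` schema, the sample lines and the choice of which privileges count as high-risk are assumptions made for illustration.

```python
import re

# Matches the "GRANT ... ON ... TO ..." statements printed by SHOW GRANTS.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<grantee>\S+)"
    r"(?P<opt>\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)

# Assumed policy: privileges that reach beyond the application's own tables.
HIGH_RISK = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS",
             "CREATE USER", "SHUTDOWN"}

# Constructed sample output for a hypothetical account `app`@`%`.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `app`@`%`",
    "GRANT SELECT (`id`, `total`), INSERT ON `shop`.`orders` TO `app`@`%`",
    "GRANT ALL PRIVILEGES ON `shop`.* TO `app`@`%` WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO `app`@`%`",
]


def split_privileges(text):
    """Split the privilege list on commas that are outside column lists."""
    parts = re.split(r",\s*(?![^()]*\))", text)
    return {re.sub(r"\s*\(.*\)$", "", p).strip().upper() for p in parts}


def audit_grants(lines):
    """Return (scope, reason) findings for grants wider than an app needs."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # e.g. role grants, which have no ON clause
        scope, privs = m["scope"], split_privileges(m["privs"])
        for priv in sorted(privs & HIGH_RISK):
            findings.append((scope, f"high-risk privilege {priv}"))
        broad = sorted(privs - HIGH_RISK - {"USAGE"})
        if scope == "*.*" and broad:
            findings.append((scope, "global scope: " + ", ".join(broad)))
        if m["opt"]:
            findings.append((scope, "WITH GRANT OPTION"))
    return findings


if __name__ == "__main__":
    for scope, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{scope}: {reason}")
```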

Last updated 3 months ago