This is a simple walkthrough for completing the Sequel target machine in Hackthebox.com.
Question: What does the acronym SQL stand for?
Answer: Structured Query Language
Question: During our scan, which port running mysql do we find?
Question: What community-developed MySQL version is the target running?
Question: What switch do we need to use in order to specify a login username for the MySQL service?
Question: Which username allows us to log into MariaDB without providing a password?
Question: What symbol can we use to specify within the query that we want to display everything inside a table?
Question: What symbol do we need to end each query with?
The first thing we can try in this scenario is to connect to the MySQL database. If you receive a "command not found" error, install the MariaDB client on your host first.
sudo apt-get install mariadb-client
The simple command for connecting from your host to the target database is shown below. The -h flag specifies the target you are trying to connect to, and the -u flag specifies the user.
mysql -h 10.129.105.235 -u root
After connecting, the client shows a prompt. In this prompt, you can instruct the database with a series of MySQL commands. You can get a list of the available commands by typing help; in the prompt, or see more commands at the end of this tutorial.
The command we are looking to use here is SHOW DATABASES;
The command will display a series of databases we can look deeper into. To select a database, use the keyword ‘use’ followed by the database name as shown below:
We can see now that in the main prompt, the name changed from ‘none’ to our newly connected database named ‘htb’.
Inside this database, we can use the show command again to list more tables:
There are two tables that show up when running the show tables command, which include config and users. We can look inside the config table by selecting everything in the table and displaying it on the screen with one command:
SELECT * FROM config;
This command is saying we want to select everything (*) from the config table.
Inside the config table, you will see the flag.
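The login above works because the root account accepts a remote connection with an empty password. As an added example (not part of the original walkthrough), the Python script below audits account rows for that misconfiguration. The sample rows are constructed, and it assumes tab-separated output from a query such as `mysql -N -B -e "SELECT User, Host, plugin, authentication_string FROM mysql.user"`, run by an administrator on a version that stores the hash in authentication_string.

```python
"""Flag MariaDB/MySQL accounts that can log in without a password."""

# Plugins that authenticate against a stored password hash; with these,
# an empty hash means the account has no password. "" = server default.
PASSWORD_PLUGINS = {"", "mysql_native_password", "caching_sha2_password",
                    "sha256_password", "ed25519"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

HASH = "*" + "A" * 40  # constructed placeholder, not a real password hash

# Constructed sample rows (User, Host, plugin, authentication_string).
SAMPLE = "\n".join([
    "root\t%\tmysql_native_password\t",
    "root\tlocalhost\tunix_socket\t",
    "app\t10.0.0.%\tmysql_native_password\t" + HASH,
    "\tlocalhost\tmysql_native_password\t",
])


def audit_accounts(text):
    """Return (severity, account, reason) for every passwordless account."""
    findings = []
    for line in text.splitlines():
        if not line:
            continue
        # Do not strip(): a leading tab means an empty (anonymous) user name.
        fields = line.split("\t") + [""] * 4  # tolerate short rows
        user, host, plugin, auth = fields[:4]
        if plugin not in PASSWORD_PLUGINS or auth not in ("", "NULL"):
            continue  # socket-style authentication, or a hash is set
        account = "'%s'@'%s'" % (user, host)
        who = "anonymous account" if user == "" else "account"
        if host in LOCAL_HOSTS:
            findings.append(("high", account,
                             who + " has no password (local only)"))
        else:
            findings.append(("critical", account,
                             who + " has no password and accepts remote hosts"))
    return findings


if __name__ == "__main__":
    for severity, account, reason in audit_accounts(SAMPLE):
        print("%-8s %-20s %s" % (severity, account, reason))
```

Any account it reports should be given a password (for example with the SET PASSWORD statement listed in the command reference below) or removed.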
| Task | Command |
|---|---|
| To log in (from unix shell); use -h only if needed. | [mysql dir]/bin/mysql -h hostname -u root -p |
| Create a database on the SQL server. | create database [databasename]; |
| List all databases on the SQL server. | show databases; |
| Switch to a database. | use [db name]; |
| To see all the tables in the db. | show tables; |
| To see database’s field formats. | describe [table name]; |
| To delete a db. | drop database [database name]; |
| To delete a table. | drop table [table name]; |
| Show all data in a table. | SELECT * FROM [table name]; |
| Returns the columns and column information pertaining to the designated table. | show columns from [table name]; |
| Show certain selected rows with the value “whatever”. | SELECT * FROM [table name] WHERE [field name] = "whatever"; |
| Show all records containing the name “Bob” AND the phone number ‘3444444’. | SELECT * FROM [table name] WHERE name = "Bob" AND phone_number = '3444444'; |
| Show all records not containing the name “Bob” AND the phone number ‘3444444’ order by the phone_number field. | SELECT * FROM [table name] WHERE name != "Bob" AND phone_number = '3444444' order by phone_number; |
| Show all records starting with the letters ‘bob’ AND the phone number ‘3444444’. | SELECT * FROM [table name] WHERE name like "Bob%" AND phone_number = '3444444'; |
| Use a regular expression to find records. Use “REGEXP BINARY” to force case-sensitivity. This finds any record beginning with a. | SELECT * FROM [table name] WHERE rec RLIKE "^a"; |
| Show unique records. | SELECT DISTINCT [column name] FROM [table name]; |
| Show selected records sorted in ascending (asc) or descending (desc) order. | SELECT [col1],[col2] FROM [table name] ORDER BY [col2] DESC; |
| Count rows. | SELECT COUNT(*) FROM [table name]; |
| Join tables on common columns (statement to join birthday in person table with primary illustration id). | select lookup.illustrationid, lookup.personid, person.birthday from lookup left join person on lookup.personid = person.personid; |
| Switch to the mysql db. Create a new user. | INSERT INTO [table name] (Host,User,Password) VALUES('%','user',PASSWORD('password')); |
| Change a user’s password (from unix shell). | [mysql dir]/bin/mysqladmin -u root -h hostname.blah.org -p password 'new-password' |
| Change a user’s password (from MySQL prompt). | SET PASSWORD FOR 'user'@'hostname' = PASSWORD('passwordhere'); |
| Switch to mysql db. Give user privileges for a db. | INSERT INTO [table name] (Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES ('%','db','user','Y','Y','Y','Y','Y','N'); |
| To update info already in a table. | UPDATE [table name] SET Select_priv = 'Y',Insert_priv = 'Y',Update_priv = 'Y' where [field name] = 'user'; |
| Delete a row(s) from a table. | DELETE from [table name] where [field name] = 'whatever'; |
| Update database permissions/privileges. | FLUSH PRIVILEGES; |
| Delete a column. | alter table [table name] drop column [column name]; |
| Add a new column to db. | alter table [table name] add column [new column name] varchar (20); |
| Change column name. | alter table [table name] change [old column name] [new column name] varchar (50); |
| Make a unique column so you get no dupes. | alter table [table name] add unique ([column name]); |
| Make a column bigger. | alter table [table name] modify [column name] VARCHAR(3); |
| Delete unique from table. | alter table [table name] drop index [column name]; |
| Load a CSV file into a table. | LOAD DATA INFILE '/tmp/filename.csv' replace INTO TABLE [table name] FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' (field1,field2,field3); |
| Dump all databases for backup. Backup file is SQL commands to recreate all dbs. | [mysql dir]/bin/mysqldump -u root -ppassword --opt --all-databases > /tmp/alldatabases.sql |
| Dump one database for backup. | [mysql dir]/bin/mysqldump -u username -ppassword --databases databasename > /tmp/databasename.sql |
| Dump a table from a database. | [mysql dir]/bin/mysqldump -c -u username -ppassword databasename tablename > /tmp/databasename.tablename.sql |
| Restore database (or database table) from backup. | [mysql dir]/bin/mysql -u username -ppassword databasename < /tmp/databasename.sql |
| Create Table Example 1. | CREATE TABLE [table name] (firstname VARCHAR(20), middleinitial VARCHAR(3), lastname VARCHAR(35), suffix VARCHAR(3), officeid VARCHAR(10), userid VARCHAR(15), username VARCHAR(8), email VARCHAR(35), phone VARCHAR(25), groups VARCHAR(15), datestamp DATE, timestamp time, pgpemail VARCHAR(255)); |
| Create Table Example 2. | create table [table name] (personid int(50) not null auto_increment primary key, firstname varchar(35), middlename varchar(50), lastname varchar(50) default 'bato'); |