Welcome back, my greenhorn hackers!
This tutorial will be the fourteenth in the Linux for hackers series and will focus on the MySQL database. Although this is not strictly a Linux tutorial, MySQL is the database of choice on most Linux distributions. In addition, it is the most widely used database behind database-driven web applications. This installment is critical to understand before we progress to hacking MySQL databases and before we hack web applications that use MySQL (of which there are literally thousands).
MySQL is an open source, GPL licensed database. That is probably the primary reason you will find it on nearly every Linux distribution. As you know, Linux is also open source and GPL licensed. First developed by MySQL AB of Sweden in 1995, it was purchased by Sun Microsystems in 2008 and Sun Microsystems was then purchased by Oracle in 2009.
As Oracle is the world's largest database software publisher, the open source community has significant trepidations about Oracle's commitment to keep MySQL open source. As a result, there is now a fork of the MySQL database software called Maria that IS committed to keeping this software and its subsequent versions open source.
Because it's free, MySQL has become the database of choice for many web applications. Sites and apps that use it include:
Other popular Content Management Systems (CMS) such as Joomla, Drupal, and Ruby on Rails all use MySQL. You get the idea. If you want to develop or attack web applications, you should know MySQL. So, let's get started.
Luckily, BackTrack has MySQL already installed (if you are using another distribution, you can usually download and install MySQL from the software repository) and has a graphical start and stop. Let's start our MySQL service.
When we do so, we should see a screen like that below pop up briefly and then disappear.
Now that our MySQL service is started, we can begin to use it. First, we need to authenticate ourselves by logging in.
Open a terminal and type:
- mysql -u root -p
You will be prompted for your password, which is "toor" in BackTrack. It may be different on other systems. Please note that although the username and password for MySQL are the same as the BackTrack username and password, that is not necessarily so on other distributions of Linux and MySQL. Usernames and passwords for the operating system (here it is Linux Ubuntu) and MySQL are separate and distinct.
This syntax, mysql -u <username> -p, works if we are trying to access a MySQL database on our localhost. This command defaults to using the MySQL instance on the localhost, if not given a hostname or IP address. For remote access (and that will likely be the case as a hacker), we need to provide the hostname or IP address of the system that is hosting the MySQL database, such as:
- mysql -u root -p -h 192.168.1.101
This will connect us to the MySQL instance at 192.168.1.101 and prompt us for a password.
This opens up the MySQL command line interface that provides us with the mysql> prompt. Like Microsoft's SQL Server, MySQL has a GUI interface both native (MySQL Workbench) and third party (Navicat and TOAD for MySQL). Let's look at the command line interface first and then we will advance to the GUI interface.
As a hacker, the command line interface may be our best opportunity for exploiting the MySQL database, so we should focus on it. It's unlikely that as an unauthorized entrant to the database you will be presented with an easy to use GUI.
Please note that this screen reminds us that all commands end in ";" or "\g" (unlike Microsoft's SQL Server) and that we can get help by typing help; or \h.
As we are now logged in as the sysadmin (root), we can navigate unimpeded through the database. If we had logged in as a regular user, our navigation would be limited by the permissions granted to that user by the system administrator.
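What that permission boundary looks like in practice, as an added example that is not part of the original tutorial: a least-privilege application account beside the all-powerful root login. The webshop database, the orders table, the webapp account and the 10.0.0.5 address are constructed for illustration; creditcardnumbers and cardnumbers are the names used in this tutorial.

```sql
-- Added example: least privilege versus the root login used in this tutorial.
-- Run these as root. webshop, orders, webapp and 10.0.0.5 are constructed names.
CREATE DATABASE IF NOT EXISTS webshop;
CREATE TABLE IF NOT EXISTS webshop.orders (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  customer VARCHAR(64),
  total    DECIMAL(10,2)
);

-- The application account gets only the statements it runs, only on the
-- table it needs, and only from the web server's address.
CREATE USER 'webapp'@'10.0.0.5' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE ON webshop.orders TO 'webapp'@'10.0.0.5';

-- Privilege review: this should list only USAGE on *.* plus the grant above.
SHOW GRANTS FOR 'webapp'@'10.0.0.5';

-- Logged in as webapp, the exploration steps from this tutorial shrink:
--   SHOW DATABASES;          -> information_schema and webshop only
--   USE creditcardnumbers;   -> ERROR 1044 (42000): Access denied for user
--   SELECT * FROM creditcardnumbers.cardnumbers;
--                            -> ERROR 1142 (42000): SELECT command denied

-- Audit the server for accounts that undo this: global read on every
-- database, the FILE privilege (server-side INTO OUTFILE, which is how
-- mysqldump --tab writes its .txt files), or login from any host. A root
-- account answering from any address is what makes a remote
-- "mysql -u root -p -h <ip>" login possible at all.
SELECT user, host, Select_priv, File_priv
FROM   mysql.user
WHERE  Select_priv = 'Y' OR File_priv = 'Y' OR host = '%';
```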
Now that we are logged in to the MySQL database as root, our next step is to find out whether there are any databases worth hacking. The command to find databases is:
- show databases;
Ah Hah! We found a database worth exploring here named "creditcardnumbers".
Once we have logged into the MySQL instance, our next step is to connect to a particular database. In MySQL, like other database management systems, we can connect to the database we are interested in by typing use <databasename>. Since we now know that the database we are interested in is named "creditcardnumbers", we simply type:
- use creditcardnumbers;
As you can see, MySQL responds with "Database changed", indicating that we are now connected to the "creditcardnumbers" database.
Of course, I hope it goes without saying that you should use the appropriate database name here in place of "creditcardnumbers". It's unlikely that a database admin will be so kind and accommodating as to name a database with such an easily recognizable name, so you may need to do a bit of exploring to find the database of interest.
Now we are connected to the "creditcardnumbers" database and we can do a bit of exploring to see what might be in that database. We can find out what tables are in this database by typing:
- show tables;
In the screenshot above, we can see that this database has just one table in it called "cardnumbers". Generally, databases will have numerous tables in them, but we are fortunate here as we can focus our attention on this single table to extract the hacker's "golden fleece"!
Since we can focus our efforts on this single table, we will need to understand the structure of that table. In subsequent tutorials--when we are hacking this database--we will see that understanding the structure is critical to a successful hack.
We can see the structure of the table by typing:
- describe cardnumbers;
MySQL responds with the critical information on the structure of our table of interest. We can see each of the fields and their data type (varchar or int), whether it will accept NULLs, the key, the default values, and extra.
To actually see the data in the table, we can use the SELECT command. The SELECT command requires us to know:
- The table we want to view
- The columns within that table we want to view
Using the format:
- SELECT <columns> FROM <table>
As a handy shortcut, if we want to see data from all the columns, we can use the asterisk ("*") as a wildcard instead of typing out every single column name. So, to see a dump of all the data from the cardnumbers table, we type:
- SELECT * FROM cardnumbers;
As we can see, MySQL displayed all the information from the cardnumbers table to our screen.
Now that we know where the data is, we need to export it so that we can use it. MySQL has a command called mysqldump. Generally, it is used to create a backup copy of the data. You can run it from any command prompt, but you will need:
- A username (root)
- The password for that username (toor)
- The name of the database you want data from (creditcardnumbers)
- The table within the database you want (cardnumbers)
- The directory you want to dump to (/tmp)
So, to "dump" the data from command line we simply type:
- mysqldump --tab=/tmp --user=root -p creditcardnumbers cardnumbers
This will send the data to the directory we designated, in this case /tmp.
As we can see below (after we changed to the /tmp directory and then listed that directory) we have created two files, cardnumbers.sql and cardnumbers.txt. The first, cardnumbers.sql, contains a script to create the table necessary to hold the data and the second, cardnumbers.txt, contains the data.
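The exploration and export commands above leave a trail a database administrator can look for. As an added example that is not the tutorial's own code, the queries below read MySQL's general query log (written to the mysql.general_log table) and flag the patterns this tutorial uses; cardnumbers is the table name from the tutorial, everything else is standard MySQL.

```sql
-- Added example: spotting the exploration and export steps from this
-- tutorial in MySQL's own general query log. Lab setting: the general log
-- records every statement, so on a busy server prefer the audit log plugin.
SET GLOBAL log_output  = 'TABLE';   -- write to mysql.general_log
SET GLOBAL general_log = 'ON';

-- general_log.argument is a BLOB, so LIKE on it is case-sensitive; the
-- tutorial types its commands in lowercase, so normalise to upper case first.
SELECT event_time, user_host, query
FROM (
  SELECT event_time, user_host,
         UPPER(CONVERT(argument USING utf8)) AS query
  FROM   mysql.general_log
  WHERE  command_type = 'Query'
) AS q
WHERE  query LIKE 'SHOW DATABASES%'     -- enumerating databases
   OR  query LIKE 'SHOW TABLES%'        -- enumerating tables
   OR  query LIKE 'DESCRIBE %'          -- reading table structure
   OR  query LIKE 'SELECT * FROM %'     -- whole-table pulls
   OR  query LIKE '%INTO OUTFILE%'      -- what mysqldump --tab issues: the
                                        -- server itself writes the .txt file
ORDER BY event_time;

-- Who touched the sensitive table, from where, and how often. One account
-- reading cardnumbers repeatedly from an unexpected host is worth a look
-- even when each query on its own looks legitimate.
SELECT user_host, COUNT(*) AS hits,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM   mysql.general_log
WHERE  UPPER(CONVERT(argument USING utf8)) LIKE '%CARDNUMBERS%'
GROUP  BY user_host
ORDER  BY hits DESC;
```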
Now, we have successfully acquired the key and valuable information from this database, essentially having found the golden fleece of hacking!
Since MySQL is SO critical to web apps, we will be spending a few tutorials on understanding it, then how to find it and finally how to hack it, so keep coming back my greenhorn hackers for more adventures in Hackerland.