MySQL (Port 3306)

Nmap

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

nmap -sV -Pn -vv --script="mysql*" $ip -p 3306
# --script takes two dashes; quote the glob so the shell does not expand it

Local Access

If you gain access to the target box and see MySQL running, you can try to connect to it locally from the target.

mysql -u root 
# Connect to root without password

mysql -u root -p 
# A password will be asked

# Always test root:root credential

Remote Access

mysql -h <Hostname> -u root

mysql -h <Hostname> -u root@localhost

If running as root

If MySQL is running as root and you have access, you can run OS commands from the client. Note that do_system() is not built into MySQL: it is a user-defined function (UDF) that has to be compiled and loaded into the server first, so a stock installation will not have it. The \! command spawns a shell from the mysql client on the machine where the client runs, with the privileges of the user running the client.

mysql> select do_system('id');

mysql> \! sh

Getting all the information from inside the database

mysqldump -u admin -padmin --all-databases --skip-lock-tables
# No space between -p and the password: "-p admin" would treat "admin" as a database name and prompt for the password instead

Post Enumeration

Here is a list of files to check after getting a shell on the target system; they often hold credentials or other useful information that makes getting root easier.

MySQL server configuration file

  • Unix

    my.cnf
    /etc/mysql
    /etc/my.cnf
    /etc/mysql/my.cnf
    /var/lib/mysql/my.cnf
    ~/.my.cnf
  • Windows

    config.ini
    my.ini
    windows\my.ini
    winnt\my.ini
    <InstDir>/mysql/data/

Command History

~/.mysql_history

Log Files

connections.log
update.log
common.log

Finding passwords to MySQL

  • You might gain access to a shell by uploading a reverse shell, and then need to escalate your privileges.

  • Look into the database and see which users and passwords are available. Web application configuration files also store the database credentials in plaintext, for example:

    /var/www/html/configuration.php
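The files listed under "MySQL server configuration file", "Command History" and "Finding passwords to MySQL" are exactly what a defender should be auditing on their own hosts. The script below is an added example and is not part of the original notes: it walks the Unix locations listed above (with ~ mapped to root/), flags any file that is readable by group or other, and flags any file that stores a plaintext password (a my.cnf "password=" line, a PHP "$password =" assignment, or an "IDENTIFIED BY" clause left in the client history). The ROOT argument, the file list variable and the output format are assumptions made for this example; on a real host you would run it against "/". It only reports and never modifies anything.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the MySQL credential
# locations a post-exploitation checklist looks at, from the defender's side.
# Every path is taken relative to ROOT so the check can be exercised against a
# constructed directory tree; use ROOT="/" on a live host.

# Files worth checking, relative to ROOT (from the notes above; ~ mapped to root/).
# This variable name and list are assumptions for the example.
MYSQL_SECRET_FILES="etc/my.cnf etc/mysql/my.cnf var/lib/mysql/my.cnf root/.my.cnf root/.mysql_history var/www/html/configuration.php"

# audit_mysql_secrets ROOT  ->  prints one "<path>: <issue>" line per finding,
# prints nothing when the host is clean, and always exits 0.
audit_mysql_secrets() {
    root="${1:-/}"
    for rel in $MYSQL_SECRET_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue

        # Octal mode such as 644; GNU stat first, BSD stat as a fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
        # The last two octal digits are group and other; a 4, 5, 6 or 7 there
        # means the read bit is set for someone other than the owner.
        go=$(printf '%s' "$mode" | tail -c 2)
        case "$go" in
            *[4567]*) echo "$f: readable by group/other (mode $mode)" ;;
        esac

        # Plaintext credentials: "password=" (my.cnf), "$password =" (PHP config)
        # or an "IDENTIFIED BY" clause typed into the client and saved in history.
        if grep -Eiq '(\$?password[[:space:]]*=|identified[[:space:]]+by)' "$f"; then
            echo "$f: contains a stored password"
        fi
    done
    return 0
}

# Usage: sh audit_mysql_secrets.sh /   (no output means nothing was found)
if [ $# -gt 0 ]; then
    audit_mysql_secrets "$1"
fi
```

Files that the server genuinely needs, such as /etc/my.cnf, should be mode 600 or 640 and owned by the mysql user, and the client history can be disabled entirely by pointing MYSQL_HISTFILE at /dev/null, which removes the "IDENTIFIED BY" finding at its source.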

Last updated 3 years ago