MySQL (Port 3306)
Nmap
nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306
nmap -sV -Pn -vv -script=mysql* $ip -p 3306
Local Access
if you gain access to target box and see mysql running , you can try to connect with it from target locally
mysql -u root
# Connect to root without password
mysql -u root -p
# A password will be asked
# Always test root:root credential
Remote Access
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
If running as root
If Mysql is running as root and you have acces, you can run commands:
mysql> select do_system('id');
mysql> \! sh
Getting all the information from inside the database
mysqldump -u admin -p admin --all-databases --skip-lock-tables
Post Enumeration
Here are list of some files to check after shell on target system to get some credentials or some juicy information that help to get root easily
MySQL server configuration file
Unix
my.cnf /etc/mysql /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf /etc/my.cnf
Windows
config.ini my.ini windows\my.ini winnt\my.ini <InstDir>/mysql/data/
Command History
~/.mysql.history
Log Files
connections.log
update.log
common.log
Finding passwords to MySQL
You might gain access to a shell by uploading a reverse-shell. And then you need to escalate your privilege.
Look into the database and see what users and passwords that are available.
/var/www/html/configuration.php
Last updated