MySQL (Port 3306)

Nmap

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

nmap -sV -Pn -vv -script=mysql* $ip -p 3306

Local Access

if you gain access to target box and see mysql running , you can try to connect with it from target locally

mysql -u root 
# Connect to root without password

mysql -u root -p 
# A password will be asked

# Always test root:root credential

Remote Access

mysql -h <Hostname> -u root

mysql -h <Hostname> -u root@localhost

If running as root

If Mysql is running as root and you have acces, you can run commands:

mysql> select do_system('id');

mysql> \! sh

Getting all the information from inside the database

mysqldump -u admin -p admin --all-databases --skip-lock-tables

Post Enumeration

Here are list of some files to check after shell on target system to get some credentials or some juicy information that help to get root easily

MySQL server configuration file

Unix

my.cnf
/etc/mysql
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
/etc/my.cnf

Windows

config.ini
my.ini
windows\my.ini
winnt\my.ini
<InstDir>/mysql/data/

Command History

~/.mysql.history

Log Files

connections.log
update.log
common.log

Finding passwords to MySQL

You might gain access to a shell by uploading a reverse-shell. And then you need to escalate your privilege.
Look into the database and see what users and passwords that are available.
```
/var/www/html/configuration.php
```

PreviousPOP3 (Port 110, 25*)NextOracle (Port 1521)

Last updated 4 years ago

hashtagNmap

hashtagLocal Access

hashtagRemote Access

hashtagIf running as root

hashtagGetting all the information from inside the database

hashtagPost Enumeration

hashtagMySQL server configuration file

hashtagCommand History

hashtagLog Files

hashtagFinding passwords to MySQL