# MySQL (Port 3306) ## Nmap ``` nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306 nmap -sV -Pn -vv -script=mysql* $ip -p 3306 ``` ## Local Access if you gain access to target box and see mysql running , you can try to connect with it from target locally ``` mysql -u root # Connect to root without password mysql -u root -p # A password will be asked # Always test root:root credential ``` ## Remote Access ``` mysql -h -u root mysql -h -u root@localhost ``` ## If running as root If Mysql is running as root and you have acces, you can run commands: ``` mysql> select do_system('id'); mysql> \! sh ``` ## Getting all the information from inside the database ``` mysqldump -u admin -p admin --all-databases --skip-lock-tables ``` ## Post Enumeration Here are list of some files to check after shell on target system to get some credentials or some juicy information that help to get root easily ### MySQL server configuration file * Unix ``` my.cnf /etc/mysql /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf /etc/my.cnf ``` * Windows ``` config.ini my.ini windows\my.ini winnt\my.ini /mysql/data/ ``` ### Command History ``` ~/.mysql.history ``` ### Log Files ``` connections.log update.log common.log ``` ### Finding passwords to MySQL * You might gain access to a shell by uploading a reverse-shell. And then you need to escalate your privilege. * Look into the database and see what users and passwords that are available. ``` /var/www/html/configuration.php ```