The MySQL is an open-source SQL Relational Database Management System (RDBMS) developed and supported by Oracle. A database is simply a structured collection of data organized for easy use and retrieval. It works according to the client-server principle and consists of a MySQL server and one or more MySQL clients.
Default Port: 3306
Banner grabbing
nc -nv $IP 3306Nmap
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
# Default NSE
sudo nmap -sCV -p3306 $IP
 
# Enum with all NSE script 
sudo nmap -sV -p3306 --script=mysql* $IP
 
# Enum version/info/capabilities/attribute of MySQL
sudo nmap -p3306 --script=mysql-info $IP
 
# Enum empty password/anonymous login
sudo nmap -p3306 --script=mysql-empty-password $IP
 
# Enum MySQL audit with AUTHENTICATION
sudo nmap -p3306 --script=mysql-audit --script-args "mysql-audit.username='administrator',mysql-audit.password='password123',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" $IP
 
# Enum users with AUTHENTICATION
sudo nmap -p3306 --script=mysql-users --script-args "mysqluser='administrator',mysqlpass='password123'" $IP
 
# Enum databases with AUTHENTICATION
sudo nmap -p3306 --script=mysql-databases --script-args "mysqluser='administrator',mysqlpass='password123'" $IP
 
# Enum all variables with AUTHENTICATION
sudo nmap -p3306 --script=mysql-variables --script-args "mysqluser='administrator',mysqlpass='password123'" $IP
 
# Dump hashes with AUTHENTICATION
sudo nmap -p3306 --script=mysql-dump-hashes --script-args "username='administrator',password='password123'" $IP
 
# Query database with AUTHENTICATION
sudo nmap -p3306 --script=mysql-query --script-args "query='select count(*) from books.authors;',username='administrator',password='password123'" $IPMySQL connect
mysql -u administrator -h $IP                   # Login (prompt password)
mysql -u administrator -pPassword123 -h $IP     # Login (specify password on CLI)
 
# Once connected, 
# this command can be use to enumerate manually.
    [none]> show databases;
    [none]> use <database>;
    [database]> show tables;
    [database]> show columns from <table>;
    [database]> select * from <table>;
    [database]> select * from <table> where <column> = "<string>";
    [database]> select load_file("/etc/passwd");Hydra
Hydra is a
Link to originalparallelizedlogin cracker whichsupports numerous protocolsto attack. It is very fast and flexible, and new modules are easy to add.
hydra -L /wordlists.txt/users.txt -P /wordlists/passwords.txt $IP mysqlMetasploit Framework
Metasploit Framework is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools.
Link to original
auxiliary/scanner/mysql/mysql_version           # Enum MySQL version
auxiliary/scanner/mysql/mysql_schemadump        # Dump schema information from MySQL
auxiliary/scanner/mysql/mysql_writable_dirs     # Enum writeable directories using the MySQL `SELECT INTO DUMPFILE` feature
auxiliary/scanner/mysql/mysql_file_enum         # Enum files and directories using the MySQL `load_file` feature
auxiliary/scanner/mysql/mysql_hashdump          # Dump the credentials
auxiliary/scanner/mysql/mysql_login             # Queries the instance for a specific user/pass
auxiliary/admin/mysql/mysql_enum                # Enum MySQL with valid credentials
auxiliary/admin/mysql/mysql_sql                 # Execute SQL statement with valid credentialsConfig files
# Default configuration
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'Dangerous settings
Some settings can be dangerous for the company and its infrastructure.
| Settings | Description | 
|---|---|
| user | Defines the user under which the MySQL service runs. | 
| password | Sets the password for the MySQL user. | 
| admin_address | Specifies the IP address for administrative network connections. | 
| debug | Controls the level of debugging information provided. | 
| sql_warnings | Controls whether warnings are displayed for single-row INSERT statements. | 
| secure_file_priv | Limits the directories from which files can be loaded or to which they can be exported. |