Table of Contents

  1. Introduction to MySQL
    1. Overview of MySQL
    2. Key Features
    3. Default Configuration
  2. Enumeration Techniques
    1. Service Footprinting
    2. Database Enumeration
  3. Advanced Techniques
    1. Interacting with MySQL Servers
    2. Analyzing Metadata
  4. Exploitation Scenarios
    1. Weak or Default Credentials
    2. Misconfigured Permissions
  5. Combining Tools
    1. Nmap and MySQL
    2. Automating with Scripts
  6. Glossary

Introduction to MySQL

Overview of MySQL

MySQL is an open-source relational database management system (RDBMS) developed by Oracle. It supports SQL (Structured Query Language) for managing data and is often part of the LAMP/LEMP stack for web applications.

  • Server-Client Model: MySQL consists of a central server that manages data and clients that query the data.
  • Data Storage: Organized in tables with rows and columns, stored efficiently to minimize space.

Key Features

  • Scalable: Supports multiple databases and simultaneous queries.
  • Efficient: Optimized for performance and large-scale data processing.
  • Secure: Allows encrypted storage and secure connections via TLS.

Default Configuration

The default MySQL configuration includes essential parameters for server operation.

Example Configuration:

[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
port = 3306
datadir = /var/lib/mysql
tmpdir = /tmp

Key directories:

  • datadir: /var/lib/mysql (location of database files).
  • tmpdir: /tmp (temporary files).

Enumeration Techniques

Service Footprinting

Identify open MySQL ports and running services.

Using Nmap:

nmap -sV -p3306 --script "mysql*" TARGET_IP

Example Output:

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 8.0.27
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.27
|   Status: Autocommit
|   Salt: YTSgMfqvx...

Database Enumeration

Access the MySQL service to enumerate databases and tables.

Command:

mysql -u root -p -h TARGET_IP

Common Commands:

  • SHOW DATABASES;: Lists available databases.
  • USE database_name;: Selects a specific database.
  • SHOW TABLES;: Lists tables in the selected database.

Advanced Techniques

Interacting with MySQL Servers

Use the mysql client or a GUI tool to interact with databases.

Command:

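mysql -u username -p -h TARGET_IP

With -p and no value the client prompts for the password. A space between -p and the password makes the client treat the next word as the database name, not the password.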

Example Commands:

  • List all users:

      SELECT user FROM mysql.user;
    
  • Show current version:

      SELECT version();
    

Analyzing Metadata

Inspect internal databases like information_schema and mysql.

Commands:

  • List all tables:

      SHOW TABLES FROM information_schema;
    
  • View column details:

      SHOW COLUMNS FROM table_name;
    

Exploitation Scenarios

Weak or Default Credentials

  • Problem: Default or weak credentials for the MySQL server.
  • Solution: Test common credentials (root:root, admin:admin).

Command:

mysql -u root -p -h TARGET_IP

Misconfigured Permissions

Analyze permissions for sensitive actions like creating files or executing commands.

Commands:

  • Check privileges:

      SHOW GRANTS FOR 'user'@'host';
    
  • Exploit a permissive secure_file_priv for file read/write (requires the FILE privilege and a target path that secure_file_priv allows):

      SELECT 'test data' INTO OUTFILE '/tmp/output.txt';
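
An added example (not part of the original page) that reviews the privilege check above from the defender's side: it parses SHOW GRANTS rows and flags accounts whose file access is usable under the server's secure_file_priv value, as reported by SHOW VARIABLES LIKE 'secure_file_priv'. The function names, account names and sample rows are constructed for illustration.

```python
import re

# Privileges that imply server-side file read/write (ALL PRIVILEGES includes FILE).
FILE_PRIVS = {"FILE", "ALL PRIVILEGES"}

# Matches both quoting styles SHOW GRANTS emits: 'user'@'host' and `user`@`host`.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`'](?P<user>[^`']*)[`']@[`'](?P<host>[^`']*)[`']",
    re.IGNORECASE,
)

# Constructed sample rows (hypothetical accounts), not output from a real server.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `report`@`%`",
    "GRANT SELECT, FILE ON *.* TO `app`@`%`",
    "GRANT SELECT, INSERT ON `shop`.* TO `web`@`10.0.0.5`",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

def classify_secure_file_priv(value):
    """Map a secure_file_priv value to its effect on file import/export."""
    if value is None or value.upper() == "NULL":
        return "disabled"      # import/export operations are turned off
    if value == "":
        return "unrestricted"  # any path the server process can access
    return "restricted"        # limited to the named directory

def audit_grants(grant_lines, secure_file_priv):
    """Return (account, finding) tuples for SHOW GRANTS rows worth reviewing."""
    mode = classify_secure_file_priv(secure_file_priv)
    findings = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        is_global = m["scope"] == "*.*"
        if is_global and privs & FILE_PRIVS and mode != "disabled":
            findings.append((account, f"file access, secure_file_priv {mode}"))
        if is_global and m["host"] == "%" and privs != {"USAGE"}:
            findings.append((account, "global privileges from any host"))
    return findings

if __name__ == "__main__":
    for account, finding in audit_grants(SAMPLE_GRANTS, ""):
        print(f"{account}: {finding}")
```
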
    

Combining Tools

Nmap and MySQL

Automated Enumeration:

nmap -p3306 --script mysql-enum,mysql-info TARGET_IP

Automating with Scripts

Bash Script Example:

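#!/bin/bash
# Usage: ./script.sh PASSWORD TARGET_IP
# Lists databases on the target as root. Arguments are quoted so that
# special characters in the password or host are passed through intact.
mysql -u root -p"$1" -h "$2" <<EOF
SHOW DATABASES;
EOF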

Glossary

Term                 Definition
SQL                  Language used to query and manage relational databases.
Information Schema   Metadata database storing details about tables and columns.
secure_file_priv     MySQL setting to restrict file import/export locations.
Nmap                 Network scanner used for service enumeration.