OSCP Notes
MySQL

Pre Enumeration

Nmap Scanning

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306

nmap -sV -Pn -vv --script='mysql*' $ip -p 3306

If you can access it

If MySQL is running as root and you have access, you can run commands:

mysql> select do_system('id');
mysql> \! sh

Always test the root:root credentials

mysql --host=$ip -u root -p
mysql -h $ip -u [email protected] -p
mysql -h $ip -u [email protected]
mysql -h $ip -u ""@localhost
telnet $ip 3306

Username Enumeration

nmap --script=mysql-enum --script-args=userdb=<username list> $ip -p 3306

Connection

mysql -h $ip -P 3306
mysql -h $ip -u <user> -p

Post Enumeration

MySQL server configuration file

    Unix
    my.cnf
    /etc/mysql
    /etc/my.cnf
    /etc/mysql/my.cnf
    /var/lib/mysql/my.cnf
    ~/.my.cnf

    Windows
    config.ini
    my.ini
    windows\my.ini
    winnt\my.ini
    <InstDir>/mysql/data/
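As an added example that is not part of the original notes, a small Python audit of an option file found at one of the paths above, flagging the settings that make the root-shell scenario in the previous section possible: mysqld running as root, privilege checks disabled, listening on every interface, and unrestricted file import/export. The sample option file is constructed, not taken from any host.

```python
"""Audit a MySQL option file (my.cnf / my.ini) for risky [mysqld] settings.
Added example, not from the original notes; the sample file is constructed."""

# Constructed sample option file, not taken from any real host.
SAMPLE_MY_CNF = """
!includedir /etc/mysql/conf.d/   # include directives are skipped
[client]
port = 3306
[mysqld]
user = root            # mysqld as root: any file write is a root write
skip-grant-tables      # privilege checks disabled
local_infile = 1
secure_file_priv =     # empty = no restriction on LOAD DATA / OUTFILE
"""

def parse_my_cnf(text):
    """Return {section: {option: value}}. Option names are lower-cased and
    '_' is mapped to '-', as mysqld accepts both spellings. Bare flags such
    as skip-grant-tables get the value None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line or line.startswith(("!", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, sep, value = line.partition("=")
            key = key.strip().lower().replace("_", "-")
            sections[current][key] = value.strip().strip("\"'") if sep else None
    return sections

def audit_mysqld(text):
    """Return risky [mysqld] options as {option: why it matters}."""
    m = parse_my_cnf(text).get("mysqld", {})
    findings = {}
    if m.get("user") == "root":
        findings["user"] = "mysqld runs as root; UDF or file write gives root on host"
    if "skip-grant-tables" in m:
        findings["skip-grant-tables"] = "all privilege checks are disabled"
    if "skip-networking" not in m and m.get("bind-address") in (None, "0.0.0.0", "::", "*"):
        findings["bind-address"] = "port 3306 reachable on every interface"
    li = m.get("local-infile", "0")              # bare flag (None) means ON
    if li is None or li.lower() in ("1", "on", "true"):
        findings["local-infile"] = "LOAD DATA LOCAL can read client-side files"
    if m.get("secure-file-priv") == "":
        findings["secure-file-priv"] = "SELECT ... INTO OUTFILE / LOAD DATA unrestricted"
    return findings
```

Run audit_mysqld on the contents of the real file; an empty dict means none of these five settings is present in its risky form.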

Command History

~/.mysql.history

Log Files

connections.log
update.log
common.log

Finding passwords to MySQL

    You might gain access to a shell by uploading a reverse shell, after which you need to escalate your privileges.
    Look into the database and see which users and passwords are available.
    /var/www/html/configuration.php

Getting all the information from inside the database

mysqldump -u admin -padmin --all-databases --skip-lock-tables