MySQL Pentesting Notes
Protocol Overview
Basic Information
Port: TCP 3306
Protocol Type: SQL Relational Database Management System
Purpose: Efficient storage and retrieval of structured data
Security: Varies based on configuration and version
MySQL Databases
Commonly used in web applications with LAMP/LEMP stacks
Stores a wide range of data, including sensitive information like passwords
Enumeration and Access
Port Scanning
# Basic port scan
nmap -p3306 -sV <target>
# Aggressive scan with scripts
nmap -p3306 -sV -sC -A <target>
# All MySQL scripts
nmap -p3306 --script mysql-* <target>Version Detection
# Using mysql client
mysql -u root -h <target>
# Using Nmap
nmap -p3306 --script mysql-version <target>Authentication Attempts
# No password
mysql -u root -h <target>
# Known credentials
mysql -u root -pPassword123 -h <target>
# Brute force
hydra -L users.txt -P passwords.txt mysql://<target>Fingerprinting
# Querying version and system information
mysql -u root -pPassword123 -e "SELECT VERSION(), USER();" -h <target>
# Enumerating databases
mysql -u root -pPassword123 -e "SHOW DATABASES;" -h <target>
# Listing tables in a database
mysql -u root -pPassword123 -e "USE information_schema; SHOW TABLES;" -h <target>Common Vulnerabilities
Weak Authentication:
Default/guessable credentials
No password required for root user
Insecure password storage
Misconfiguration:
Listening on external interfaces
Excessive privileges granted
Unintended data exposure
Version-specific:
CVE-2016-6663 (MySQL < 5.7.12)
CVE-2012-2122 (MySQL < 5.1.63)
CVE-2015-0548 (MySQL < 5.5.45)
Post-Exploitation
Data Extraction
Dump database contents
Retrieve sensitive information
Identify high-value data
Privilege Escalation
Exploit weak permissions
Abuse excessive privileges
Pivot to other systems
Persistence
Create backdoor accounts
Install malicious UDFs
Modify startup scripts
Mitigation Recommendations
Secure Configuration:
Use strong, unique passwords
Restrict MySQL access to trusted hosts
Implement the principle of least privilege
Keep MySQL software up-to-date
Monitoring and Logging:
Enable MySQL's built-in audit logging
Monitor for suspicious activity
Review logs regularly
Network Segmentation:
Isolate MySQL servers from the internet
Use bastion hosts for remote administration
Implement firewall rules to limit access
Data Protection:
Encrypt sensitive data at rest and in transit
Implement backup and recovery strategies
Regularly test incident response and disaster recovery plans
Staff Training:
Educate developers on secure coding practices
Train administrators on best practices for MySQL security
Promote a security-conscious culture within the organization
Best Practices for Pentesting
Initial Reconnaissance:
Identify MySQL version and configuration
Test default/common credentials
Map accessible databases and tables
Check for publicly accessible MySQL instances
Enumeration and Discovery:
Gather system information (OS, software versions)
Enumerate users, roles, and privileges
Identify sensitive data stored in databases
Look for exposed backup files or configuration details
Exploitation and Post-Exploitation:
Attempt SQL injection attacks
Abuse excessive permissions and privileges
Dump database contents for further analysis
Establish persistence through backdoors or malicious functions
Documentation and Reporting:
Record all findings, vulnerabilities, and exploitation details
Categorize issues by severity and provide recommendations
Include evidence such as SQL statements, screenshots, and exported data
Suggest remediation steps to improve MySQL security posture
Ethical Considerations:
Obtain explicit permission before testing
Avoid disrupting production systems whenever possible
Limit the scope of testing to authorized targets and activities
Respect data privacy and comply with relevant regulations