MySQL Pentesting Notes

Protocol Overview

Basic Information

• Port: TCP 3306

• Protocol Type: SQL Relational Database Management System

• Purpose: Efficient storage and retrieval of structured data

• Security: Varies based on configuration and version

MySQL Databases

• Commonly used in web applications with LAMP/LEMP stacks

• Stores a wide range of data, including sensitive information like passwords

Enumeration and Access

Port Scanning

# Basic port scan
nmap -p3306 -sV <target>

# Aggressive scan with scripts
nmap -p3306 -sV -sC -A <target>

# All MySQL scripts
nmap -p3306 --script mysql-* <target>

Version Detection

Authentication Attempts

Fingerprinting

Common Vulnerabilities

1. Weak Authentication:

   • Default/guessable credentials

   • No password required for root user

   • Insecure password storage

2. Misconfiguration:

   • Listening on external interfaces

   • Excessive privileges granted

   • Unintended data exposure

3. Version-specific:

   • CVE-2016-6663 (MySQL < 5.7.12)

   • CVE-2012-2122 (MySQL < 5.1.63)

   • CVE-2015-0548 (MySQL < 5.5.45)

Post-Exploitation

Data Extraction

• Dump database contents

• Retrieve sensitive information

• Identify high-value data

Privilege Escalation

• Exploit weak permissions

• Abuse excessive privileges

• Pivot to other systems

Persistence

• Create backdoor accounts

• Install malicious UDFs

• Modify startup scripts

Mitigation Recommendations

1. Secure Configuration:

   • Use strong, unique passwords

   • Restrict MySQL access to trusted hosts

   • Implement the principle of least privilege

   • Keep MySQL software up-to-date

2. Monitoring and Logging:

   • Enable MySQL's built-in audit logging

   • Monitor for suspicious activity

   • Review logs regularly

3. Network Segmentation:

   • Isolate MySQL servers from the internet

   • Use bastion hosts for remote administration

   • Implement firewall rules to limit access

4. Data Protection:

   • Encrypt sensitive data at rest and in transit

   • Implement backup and recovery strategies

   • Regularly test incident response and disaster recovery plans

5. Staff Training:

   • Educate developers on secure coding practices

   • Train administrators on best practices for MySQL security

   • Promote a security-conscious culture within the organization

Best Practices for Pentesting

1. Initial Reconnaissance:

   • Identify MySQL version and configuration

   • Test default/common credentials

   • Map accessible databases and tables

   • Check for publicly accessible MySQL instances

2. Enumeration and Discovery:

   • Gather system information (OS, software versions)

   • Enumerate users, roles, and privileges

   • Identify sensitive data stored in databases

   • Look for exposed backup files or configuration details

3. Exploitation and Post-Exploitation:

   • Attempt SQL injection attacks

   • Abuse excessive permissions and privileges

   • Dump database contents for further analysis

   • Establish persistence through backdoors or malicious functions

4. Documentation and Reporting:

   • Record all findings, vulnerabilities, and exploitation details

   • Categorize issues by severity and provide recommendations

   • Include evidence such as SQL statements, screenshots, and exported data

   • Suggest remediation steps to improve MySQL security posture

5. Ethical Considerations:

   • Obtain explicit permission before testing

   • Avoid disrupting production systems whenever possible

   • Limit the scope of testing to authorized targets and activities

   • Respect data privacy and comply with relevant regulations