MySQL Pentesting Notes

Protocol Overview

Basic Information

Port: TCP 3306
Protocol Type: SQL Relational Database Management System
Purpose: Efficient storage and retrieval of structured data
Security: Varies based on configuration and version

MySQL Databases

Commonly used in web applications with LAMP/LEMP stacks
Stores a wide range of data, including sensitive information like passwords

Enumeration and Access

Port Scanning

# Basic port scan
nmap -p3306 -sV <target>

# Aggressive scan with scripts
nmap -p3306 -sV -sC -A <target>

# All MySQL scripts
nmap -p3306 --script mysql-* <target>

Version Detection

# Using mysql client
mysql -u root -h <target>

# Using Nmap
nmap -p3306 --script mysql-version <target>

Authentication Attempts

# No password
mysql -u root -h <target>

# Known credentials
mysql -u root -pPassword123 -h <target>

# Brute force
hydra -L users.txt -P passwords.txt mysql://<target>

Fingerprinting

# Querying version and system information
mysql -u root -pPassword123 -e "SELECT VERSION(), USER();" -h <target>

# Enumerating databases
mysql -u root -pPassword123 -e "SHOW DATABASES;" -h <target>

# Listing tables in a database
mysql -u root -pPassword123 -e "USE information_schema; SHOW TABLES;" -h <target>

Common Vulnerabilities

Weak Authentication:
- Default/guessable credentials
- No password required for root user
- Insecure password storage
Misconfiguration:
- Listening on external interfaces
- Excessive privileges granted
- Unintended data exposure
Version-specific:
- CVE-2016-6663 (MySQL < 5.7.12)
- CVE-2012-2122 (MySQL < 5.1.63)
- CVE-2015-0548 (MySQL < 5.5.45)

Post-Exploitation

Data Extraction

Dump database contents
Retrieve sensitive information
Identify high-value data

Privilege Escalation

Exploit weak permissions
Abuse excessive privileges
Pivot to other systems

Persistence

Create backdoor accounts
Install malicious UDFs
Modify startup scripts

Mitigation Recommendations

Secure Configuration:
- Use strong, unique passwords
- Restrict MySQL access to trusted hosts
- Implement the principle of least privilege
- Keep MySQL software up-to-date
Monitoring and Logging:
- Enable MySQL's built-in audit logging
- Monitor for suspicious activity
- Review logs regularly
Network Segmentation:
- Isolate MySQL servers from the internet
- Use bastion hosts for remote administration
- Implement firewall rules to limit access
Data Protection:
- Encrypt sensitive data at rest and in transit
- Implement backup and recovery strategies
- Regularly test incident response and disaster recovery plans
Staff Training:
- Educate developers on secure coding practices
- Train administrators on best practices for MySQL security
- Promote a security-conscious culture within the organization

Best Practices for Pentesting

Initial Reconnaissance:
- Identify MySQL version and configuration
- Test default/common credentials
- Map accessible databases and tables
- Check for publicly accessible MySQL instances
Enumeration and Discovery:
- Gather system information (OS, software versions)
- Enumerate users, roles, and privileges
- Identify sensitive data stored in databases
- Look for exposed backup files or configuration details
Exploitation and Post-Exploitation:
- Attempt SQL injection attacks
- Abuse excessive permissions and privileges
- Dump database contents for further analysis
- Establish persistence through backdoors or malicious functions
Documentation and Reporting:
- Record all findings, vulnerabilities, and exploitation details
- Categorize issues by severity and provide recommendations
- Include evidence such as SQL statements, screenshots, and exported data
- Suggest remediation steps to improve MySQL security posture
Ethical Considerations:
- Obtain explicit permission before testing
- Avoid disrupting production systems whenever possible
- Limit the scope of testing to authorized targets and activities
- Respect data privacy and comply with relevant regulations

PreviousMSSQL Pentesting Notes NextSNMP Pentesting Notes

MySQL Pentesting Notes

Protocol Overview

Basic Information

Port: TCP 3306
Protocol Type: SQL Relational Database Management System
Purpose: Efficient storage and retrieval of structured data
Security: Varies based on configuration and version

MySQL Databases

Commonly used in web applications with LAMP/LEMP stacks
Stores a wide range of data, including sensitive information like passwords

Enumeration and Access

Port Scanning

# Basic port scan
nmap -p3306 -sV <target>

# Aggressive scan with scripts
nmap -p3306 -sV -sC -A <target>

# All MySQL scripts
nmap -p3306 --script mysql-* <target>

Version Detection

# Using mysql client
mysql -u root -h <target>

# Using Nmap
nmap -p3306 --script mysql-version <target>

Authentication Attempts

# No password
mysql -u root -h <target>

# Known credentials
mysql -u root -pPassword123 -h <target>

# Brute force
hydra -L users.txt -P passwords.txt mysql://<target>

Fingerprinting

# Querying version and system information
mysql -u root -pPassword123 -e "SELECT VERSION(), USER();" -h <target>

# Enumerating databases
mysql -u root -pPassword123 -e "SHOW DATABASES;" -h <target>

# Listing tables in a database
mysql -u root -pPassword123 -e "USE information_schema; SHOW TABLES;" -h <target>

Common Vulnerabilities

Weak Authentication:
- Default/guessable credentials
- No password required for root user
- Insecure password storage
Misconfiguration:
- Listening on external interfaces
- Excessive privileges granted
- Unintended data exposure
Version-specific:
- CVE-2016-6663 (MySQL < 5.7.12)
- CVE-2012-2122 (MySQL < 5.1.63)
- CVE-2015-0548 (MySQL < 5.5.45)

Post-Exploitation

Data Extraction

Dump database contents
Retrieve sensitive information
Identify high-value data

Privilege Escalation

Exploit weak permissions
Abuse excessive privileges
Pivot to other systems

Persistence

Create backdoor accounts
Install malicious UDFs
Modify startup scripts

Mitigation Recommendations

Secure Configuration:
- Use strong, unique passwords
- Restrict MySQL access to trusted hosts
- Implement the principle of least privilege
- Keep MySQL software up-to-date
Monitoring and Logging:
- Enable MySQL's built-in audit logging
- Monitor for suspicious activity
- Review logs regularly
Network Segmentation:
- Isolate MySQL servers from the internet
- Use bastion hosts for remote administration
- Implement firewall rules to limit access
Data Protection:
- Encrypt sensitive data at rest and in transit
- Implement backup and recovery strategies
- Regularly test incident response and disaster recovery plans
Staff Training:
- Educate developers on secure coding practices
- Train administrators on best practices for MySQL security
- Promote a security-conscious culture within the organization

Best Practices for Pentesting

Initial Reconnaissance:
- Identify MySQL version and configuration
- Test default/common credentials
- Map accessible databases and tables
- Check for publicly accessible MySQL instances
Enumeration and Discovery:
- Gather system information (OS, software versions)
- Enumerate users, roles, and privileges
- Identify sensitive data stored in databases
- Look for exposed backup files or configuration details
Exploitation and Post-Exploitation:
- Attempt SQL injection attacks
- Abuse excessive permissions and privileges
- Dump database contents for further analysis
- Establish persistence through backdoors or malicious functions
Documentation and Reporting:
- Record all findings, vulnerabilities, and exploitation details
- Categorize issues by severity and provide recommendations
- Include evidence such as SQL statements, screenshots, and exported data
- Suggest remediation steps to improve MySQL security posture
Ethical Considerations:
- Obtain explicit permission before testing
- Avoid disrupting production systems whenever possible
- Limit the scope of testing to authorized targets and activities
- Respect data privacy and comply with relevant regulations

PreviousMSSQL Pentesting Notes NextSNMP Pentesting Notes