MySQL Enumeration
Overview
MySQL is an open-source SQL relational database management system developed and supported by Oracle. A database is simply a structured collection of data organized for easy use and retrieval. The database system can quickly process large amounts of data with high performance.
Key Characteristics:
Port 3306: Default MySQL port
Protocol: MySQL native protocol over TCP
Authentication: Username/password based
Default Users: root, mysql
File Extension: .sql files (e.g., wordpress.sql)
MySQL Architecture
MySQL Clients
The MySQL clients can retrieve and edit data using structured queries to the database engine. Operations include:
Inserting: Adding new records
Deleting: Removing records
Modifying: Updating existing records
Retrieving: Querying data
MySQL Databases
MySQL is ideally suited for applications such as:
Dynamic websites: Efficient syntax and high response speed
Web applications: Content management systems like WordPress
LAMP Stack: Linux, Apache, MySQL, PHP
LEMP Stack: Linux, Nginx, MySQL, PHP
Database Content Types
MySQL databases commonly store:
Headers
Page titles, meta information
Texts
Article content, descriptions
Meta tags
SEO tags, keywords
Forms
Contact forms, registration data
Users
Customers, Usernames, Administrators, Moderators
Authentication
Email addresses, User information, Permissions, Passwords
Links
External/Internal links, Links to Files
Content
Specific contents, Values
Security Note: MySQL itself will store sensitive data such as passwords in plain text if the application writes them that way; in practice the PHP scripts are expected to protect them with secure methods such as one-way encryption (hashing) before storage.
MySQL Commands
A MySQL database translates commands internally into executable code. SQL commands can:
Display, modify, add, or delete rows in tables
Change table structure
Create or delete relationships and indexes
Manage users and permissions
Default Configuration
Installation and Configuration Analysis
# Install MySQL server
sudo apt install mysql-server -y
# Analyze default configuration
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'
Default Configuration Output
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysqld_safe]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
skip-host-cache
skip-name-resolve
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
explicit_defaults_for_timestamp
symbolic-links=0
!includedir /etc/mysql/conf.d/
Dangerous Settings
Security-Relevant Configuration Options (setting: description; risk level)
user: Sets which user the MySQL service will run as; risk: High
password: Sets the password for the MySQL user; risk: Critical
admin_address: IP address for TCP/IP connections on the administrative network interface; risk: High
debug: Indicates current debugging settings; risk: Medium
sql_warnings: Controls whether single-row INSERT statements produce information strings; risk: Medium
secure_file_priv: Limits the effect of data import and export operations; risk: High
Security Issues
Plain-text Credentials: user, password, and admin_address entries are in plain text
File Permissions: Configuration files often have incorrect permissions
Information Disclosure: debug and sql_warnings provide verbose error output
Privilege Escalation: Verbose errors can reveal system information
Command Execution: SQL injections can potentially execute system commands
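As an added example (not part of the HTB module), a small Python audit that parses my.cnf syntax and flags the dangerous settings listed above. The sample config is constructed from the default output shown earlier with a plaintext password added under [client]; the bind-address check goes beyond the table and covers the network-exposure case.

```python
import re

# Constructed sample input: the default mysqld.cnf output above, plus a
# plaintext client password so that the Critical check fires.
SAMPLE_CNF = """\
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
password = P4SSw0rd
[mysqld]
skip-name-resolve
user = mysql
datadir = /var/lib/mysql
!includedir /etc/mysql/conf.d/
"""

def parse_cnf(text):
    """Parse my.cnf syntax: [section] headers, key = value pairs and bare flags."""
    sections, current = {}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("!"):     # !includedir: included files not audited here
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        # mysqld treats '-' and '_' in option names as equivalent, so normalise
        sections.setdefault(current, {})[key.strip().replace("-", "_").lower()] = value.strip()
    return sections

def audit(sections):
    """Return (risk, section, message) tuples for the settings in the table above."""
    findings = []
    for sec, opts in sections.items():
        if "password" in opts:
            findings.append(("Critical", sec, "password stored in plain text"))
    d = sections.get("mysqld", {})
    if d.get("user") == "root":
        findings.append(("High", "mysqld", "server process runs as root"))
    if d.get("secure_file_priv") in (None, ""):
        findings.append(("High", "mysqld", "secure_file_priv not set here: verify the built-in default with SHOW VARIABLES"))
    if d.get("bind_address", "*") in ("*", "0.0.0.0", "::"):   # MySQL 8 default is '*'
        findings.append(("High", "mysqld", "bind-address listens on all interfaces"))
    for opt in ("debug", "sql_warnings"):
        if opt in d:
            findings.append(("Medium", "mysqld", f"{opt} enabled: verbose diagnostic output"))
    return findings
```

Run it against a real file with `audit(parse_cnf(open("/etc/mysql/mysql.conf.d/mysqld.cnf").read()))`; files pulled in via !includedir must be parsed separately.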
Footprinting the Service
Service Detection
# Nmap MySQL detection
sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*
# Example comprehensive output
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 00:53 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00021s latency).
PORT STATE SERVICE VERSION
3306/tcp open nagios-nsca Nagios NSCA
| mysql-brute:
| Accounts:
| root:<empty> - Valid credentials
|_ Statistics: Performed 45010 guesses in 5 seconds, average tps: 9002.0
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password:
|_ root account has empty password
| mysql-enum:
| Valid usernames:
| root:<empty> - Valid credentials
| netadmin:<empty> - Valid credentials
| guest:<empty> - Valid credentials
| user:<empty> - Valid credentials
| web:<empty> - Valid credentials
| sysadmin:<empty> - Valid credentials
| administrator:<empty> - Valid credentials
| webadmin:<empty> - Valid credentials
| admin:<empty> - Valid credentials
| test:<empty> - Valid credentials
|_ Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info:
| Protocol: 10
| Version: 8.0.26-0ubuntu0.20.04.1
| Thread ID: 13
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolOld, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, FoundRows, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_ Auth Plugin Name: caching_sha2_password
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
Important Note: Scan results should be manually verified as some information might be false-positive.
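As an added example (not from the HTB module), a Python triage script for the NSE output above: it groups the lines by script, takes the version from mysql-info rather than the misidentified -sV banner, and marks a mysql-enum result in which every guessed username came back "valid" as unverified. The excerpt is constructed from the scan output shown above and trimmed.

```python
import re

# Constructed excerpt of the nmap output above (trimmed; not a live scan).
NMAP_OUTPUT = """\
3306/tcp open  nagios-nsca Nagios NSCA
| mysql-empty-password:
|_  root account has empty password
| mysql-enum:
|   Valid usernames:
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 2 guesses in 1 seconds, average tps: 2.0
| mysql-info:
|   Version: 8.0.26-0ubuntu0.20.04.1
|_  Auth Plugin Name: caching_sha2_password
|_mysql-users: ERROR: Script execution failed (use -d to debug)
"""

def parse_nse(output):
    """Group NSE lines by script: '| name:' or '|_name:' opens a script, indented lines belong to it."""
    scripts, current = {}, None
    for line in output.splitlines():
        head = re.match(r"^\|_? ?([a-z0-9-]+):\s*(.*)$", line)
        if head:
            current = head.group(1)
            scripts[current] = [head.group(2)] if head.group(2) else []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
    return scripts

def triage(scripts):
    """Turn raw script output into findings and flag results that need manual checks."""
    findings = []
    for line in scripts.get("mysql-info", []):
        if line.startswith("Version:"):   # trust the NSE handshake over the -sV banner
            findings.append(("info", "MySQL " + line.split(":", 1)[1].strip()))
    if any("empty password" in l for l in scripts.get("mysql-empty-password", [])):
        findings.append(("critical", "root has an empty password: confirm with a manual login"))
    enum = scripts.get("mysql-enum", [])
    valid = [l.split(":", 1)[0] for l in enum if l.endswith("Valid credentials")]
    stats = re.search(r"Performed (\d+) guesses", " ".join(enum))
    # Heuristic: every guess 'valid' means the script could not tell accounts apart
    if stats and valid and len(valid) == int(stats.group(1)):
        findings.append(("unverified", f"mysql-enum: all {len(valid)} guesses 'valid', likely false positive"))
    elif valid:
        findings.append(("high", "mysql-enum: accounts without password: " + ", ".join(valid)))
    for name, lines in scripts.items():
        if lines and lines[0].startswith("ERROR"):
            findings.append(("rerun", f"{name} failed; rerun with -d or check manually"))
    return findings
```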
Connection Testing
# Test connection without password (will fail if password required)
mysql -u root -h 10.129.14.132
# Expected error for protected server
ERROR 1045 (28000): Access denied for user 'root'@'10.129.14.1' (using password: NO)
# Connect with discovered/guessed credentials
mysql -u root -pP4SSw0rd -h 10.129.14.128
SSL/TLS Connection Issues
# Common SSL/TLS error with self-signed certificates
mysql -u robin -probin -h 10.129.42.195
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
# Solution: disable TLS for this connection (--ssl=0 is the MariaDB client syntax)
mysql -u robin -probin -h 10.129.42.195 --ssl=0
# Alternative SSL options
mysql -u robin -probin -h 10.129.42.195 --ssl-mode=DISABLED
mysql -u robin -probin -h 10.129.42.195 --ssl-mode=REQUIRED --ssl-verify-server-cert=false
mysql -u robin -probin -h 10.129.42.195 --skip-ssl
SSL/TLS Error Types:
ERROR 2026: TLS/SSL error with self-signed certificates
Solution: Use --ssl=0 or --ssl-mode=DISABLED to bypass SSL verification
Security Note: Only disable SSL in testing environments, not production
Interaction with MySQL Server
Successful Connection Example
mysql -u root -pP4SSw0rd -h 10.129.14.128
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 150165
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.006 sec)
MySQL [(none)]> select version();
+-------------------------+
| version() |
+-------------------------+
| 8.0.27-0ubuntu0.20.04.1 |
+-------------------------+
1 row in set (0.001 sec)
System Schema Exploration
# Use mysql system database
MySQL [(none)]> use mysql;
# Show tables in mysql database
MySQL [mysql]> show tables;
+------------------------------------------------------+
| Tables_in_mysql |
+------------------------------------------------------+
| columns_priv |
| component |
| db |
| default_roles |
| engine_cost |
| func |
| general_log |
| global_grants |
| gtid_executed |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| innodb_index_stats |
| innodb_table_stats |
| password_history |
...SNIP...
| user |
+------------------------------------------------------+
37 rows in set (0.002 sec)
System Schema (sys) Analysis
# Use sys database for metadata
mysql> use sys;
# Show sys tables
mysql> show tables;
+-----------------------------------------------+
| Tables_in_sys |
+-----------------------------------------------+
| host_summary |
| host_summary_by_file_io |
| host_summary_by_file_io_type |
| host_summary_by_stages |
| host_summary_by_statement_latency |
| host_summary_by_statement_type |
| innodb_buffer_stats_by_schema |
| innodb_buffer_stats_by_table |
| innodb_lock_waits |
| io_by_thread_by_latency |
...SNIP...
| x$waits_global_by_latency |
+-----------------------------------------------+
# Get host summary information
mysql> select host, unique_users from host_summary;
+-------------+--------------+
| host | unique_users |
+-------------+--------------+
| 10.129.14.1 | 1 |
| localhost | 2 |
+-------------+--------------+
2 rows in set (0,01 sec)
Essential MySQL Commands
Connection and Basic Operations
mysql -u <user> -p<password> -h <IP address>
Connect to MySQL server (no space between -p and password)
show databases;
Show all databases
use <database>;
Select one of the existing databases
show tables;
Show all available tables in the selected database
show columns from <table>;
Show all columns in the selected table
select * from <table>;
Show everything in the desired table
select * from <table> where <column> = "<string>";
Search for needed string in the desired table
Advanced Query Examples
# Database exploration
SHOW DATABASES;
USE customers;
SHOW TABLES;
DESCRIBE customers;
# Data extraction
SELECT * FROM customers;
SELECT * FROM customers WHERE name = 'Otto Lang';
SELECT email FROM customers WHERE name = 'Otto Lang';
# User enumeration
SELECT User, Host FROM mysql.user;
SELECT * FROM mysql.user WHERE User='root';
Database Schema Information
Important System Databases
information_schema: Contains metadata about all databases (ANSI/ISO standard)
mysql: Contains MySQL server system data and configurations
performance_schema: Contains performance monitoring information
sys: Contains system schema with interpreted performance data
Schema Differences:
System Schema: Microsoft system catalog (more comprehensive)
Information Schema: ANSI/ISO standard metadata (standardized)
HTB Academy Lab Questions
Question 1: Version Detection
Task: Enumerate the MySQL server and determine the version in use.
Format: MySQL X.X.XX
Solution:
# Step 1: Service detection
nmap -p3306 -sV target
# Step 2: Version extraction from nmap output
# Look for: mysql MySQL 8.0.27-0ubuntu0.20.04.1
# Step 3: Format the answer
# Answer: MySQL 8.0.27
Question 2: Data Extraction
Task: Using credentials "robin:robin", find email address of customer "Otto Lang"
Solution:
# Step 1: Connect with provided credentials (with SSL disabled)
mysql -u robin -probin -h target --ssl=0
# Step 2: List all databases
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| customers |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.085 sec)
# Step 3: Select the customers database
MySQL [(none)]> use customers;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
# Step 4: List tables in the customers database
MySQL [customers]> show tables;
+---------------------+
| Tables_in_customers |
+---------------------+
| myTable |
+---------------------+
1 row in set (0.078 sec)
# Step 5: Examine table structure
MySQL [customers]> describe myTable;
+-----------+--------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+--------------------+------+-----+---------+----------------+
| id | mediumint unsigned | NO | PRI | NULL | auto_increment |
| name | varchar(255) | YES | | NULL | |
| email | varchar(255) | YES | | NULL | |
| country | varchar(100) | YES | | NULL | |
| postalZip | varchar(20) | YES | | NULL | |
| city | varchar(255) | YES | | NULL | |
| address | varchar(255) | YES | | NULL | |
| pan | varchar(255) | YES | | NULL | |
| cvv | varchar(255) | YES | | NULL | |
+-----------+--------------------+------+-----+---------+----------------+
9 rows in set (0.079 sec)
# Step 6: Extract Otto Lang's email address
MySQL [customers]> SELECT email FROM myTable WHERE name = "Otto Lang";
+---------------------+
| email |
+---------------------+
| ultrices@google.htb |
+---------------------+
1 row in set (0.078 sec)
# Result: ultrices@google.htb
Security Assessment
Common Vulnerabilities
Default Credentials: Testing root with empty password
Weak Passwords: Common password patterns
Information Disclosure: Version information, database names
Excessive Privileges: Users with unnecessary permissions
Configuration Issues: Dangerous settings enabled
Network Exposure: MySQL accessible from external networks
Enumeration Checklist
MariaDB Relationship
MariaDB is a fork of MySQL created when Oracle acquired MySQL AB. Key points:
Created by original MySQL chief developer
Based on MySQL source code
Often used interchangeably with MySQL
Compatible with MySQL protocols and commands
Common in Linux distributions
Reference Documentation
MySQL Reference Manual: Comprehensive configuration options
Security Issues Section: Best practices for securing MySQL servers
HTB Academy: Practical enumeration techniques
Penetration Testing: Real-world attack scenarios