Exploiting Port 3306 – MySQL
MySQL is an open-source relational database management system. A relational database organizes data into one or more data tables in which data types may be related to each other.
There are several possibilities to explore when connecting to the MySQL service running on the Metasploitable 2 VM.
Blank password
The MySQL database in Metasploitable 2 has negligible security, so you can connect to it with the mysql client on Kali by specifying the username and the host IP. The password is left blank.
Once you have root access to the database you can do anything with it.
Brute forcing MySQL using Hydra
Brute forcing MySQL is in essence the same as brute forcing any other application, and therefore similar tools and techniques can be used.
Brute forcing MySQL using Metasploit
Use the proper auxiliary module. Note that in order to successfully use this, you'll need some wordlists for username and password combinations. Try using a single user (root) and the rockyou list for passwords:
The result is the same as before; the root account has a blank password.
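The two brute-force sections above describe the attack side; the defender's counterpart is noticing it. The following is an added example, not code from the original post, that parses failed-login lines in the style of a MySQL error log (the line format and the constructed sample lines are assumptions for this example; on a real server the relevant setting is log_error_verbosity on 5.7+ or log_warnings=2 on older releases) and flags any source host that produces a burst of failures inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a MySQL error log with failed-login
# logging turned on (log_error_verbosity=3 on 5.7+, log_warnings=2 on older
# servers). The exact line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000000Z 12 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.200000Z 13 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.400000Z 14 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.600000Z 15 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2024-05-01T10:00:00.800000Z 16 [Note] Access denied for user 'root'@'10.0.0.5' (using password: NO)
2024-05-01T10:00:01.000000Z 17 [Note] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2024-05-01T10:30:00.000000Z 40 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
"""

# One failed-authentication line: timestamp, thread id, level, user, source host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_host, user, password_supplied)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, m.group("host"), m.group("user"), m.group("pw") == "YES"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source host with >= threshold failures inside a sliding window.

    Returns {host: {"window_failures": n, "total_failures": m, "users": [...]}}.
    """
    by_host = defaultdict(list)
    for ts, host, user, _ in sorted(events):
        by_host[host].append((ts, user))

    alerts = {}
    for host, items in by_host.items():
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = end - start + 1
            if in_window >= threshold:
                alerts[host] = {
                    "window_failures": in_window,
                    "total_failures": len(items),
                    "users": sorted({u for _, u in items}),
                }
                break
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{host}: {info['total_failures']} failures, users tried: {info['users']}")
```

A single source cycling through one account with a wordlist, as Hydra or the Metasploit module does, shows up as a burst from one host; the threshold and window are the knobs to tune against legitimate retry noise from applications.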
Exploiting MySQL using Metasploit
Once you have credentials to connect to the MySQL server, you will want to pivot from recon mode to attack mode. This means you'll be using different modules from MSF. Whereas the initial module was a scanner, the subsequent ones are admin modules.
There are two different ways to exploit the MySQL server to obtain system information and database information. These are covered below.
The mysql_sql auxiliary module can be used to connect to the remote database and execute SQL commands. As an example, execute SQL's load_file() function to read the contents of the /etc/passwd file and get a list of users on the system.
Enumerating MySQL users with Metasploit
This module will enumerate all of the MySQL accounts on the system and their various privileges.
Since we already have access to the root user in MySQL, there's no need to brute force other login names. However, if there were many users in a complex database, this might yield a treasure trove of usernames with different privileges, allowing you to see different sections of the database.
Take a look at the credentials you have stored so far:
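Both the load_file() section and the account enumeration above come down to the same server-side facts: which accounts exist, from where they may connect, whether they have a password, and whether they hold the FILE privilege that load_file() needs. The following is an added example, not code from the original post or from Metasploit, that audits rows shaped like the output of a query against mysql.user together with the secure_file_priv variable; the rows, the placeholder hashes and the column names (authentication_string is the 5.7+ name, older servers such as Metasploitable 2's call it password) are constructed assumptions.

```python
# Constructed rows in the shape of
#   SELECT user, host, authentication_string, File_priv, Super_priv FROM mysql.user;
# on MySQL 5.7+ (older servers such as the one on Metasploitable 2 name the hash
# column `password`). Hash values are placeholders, not real data.
FAKE_HASH = "*" + "A" * 40  # mysql_native_password hashes are '*' + 40 hex chars

SAMPLE_USERS = [
    {"user": "root", "host": "%", "authentication_string": "", "File_priv": "Y", "Super_priv": "Y"},
    {"user": "root", "host": "localhost", "authentication_string": "", "File_priv": "Y", "Super_priv": "Y"},
    {"user": "debian-sys-maint", "host": "localhost", "authentication_string": FAKE_HASH, "File_priv": "Y", "Super_priv": "Y"},
    {"user": "app", "host": "10.0.0.%", "authentication_string": FAKE_HASH, "File_priv": "N", "Super_priv": "N"},
    {"user": "", "host": "localhost", "authentication_string": "", "File_priv": "N", "Super_priv": "N"},
]

# Constructed output of SHOW VARIABLES LIKE 'secure_file_priv'; an empty value
# means load_file() and SELECT ... INTO OUTFILE may touch any path the server can read.
SAMPLE_VARIABLES = {"secure_file_priv": ""}


def audit_accounts(rows, variables):
    """Return a list of findings, each a dict with severity, account, issue and a suggested fix."""
    findings = []
    unrestricted_file = variables.get("secure_file_priv", "") == ""

    def add(severity, acct, issue, fix):
        findings.append({"severity": severity, "account": acct, "issue": issue, "fix": fix})

    for r in rows:
        acct = f"'{r['user']}'@'{r['host']}'"
        if r["user"] == "":
            add("high", acct, "anonymous account", f"DROP USER {acct};")
        if r["authentication_string"] == "":
            add("high", acct, "blank password",
                f"ALTER USER {acct} IDENTIFIED BY '<new password>';")
        if r["host"] == "%":
            add("high", acct, "reachable from any host",
                f"RENAME USER {acct} TO '{r['user']}'@'<specific host>';")
        elif "%" in r["host"]:
            add("medium", acct, "wildcard host pattern", None)
        if r["File_priv"] == "Y":
            # FILE is what load_file() needs; it is far worse when secure_file_priv is empty.
            add("high" if unrestricted_file else "medium", acct,
                "FILE privilege (load_file / INTO OUTFILE)", f"REVOKE FILE ON *.* FROM {acct};")
        if r["Super_priv"] == "Y" and r["host"] != "localhost":
            add("medium", acct, "SUPER privilege usable from a remote host", None)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 8, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_USERS, SAMPLE_VARIABLES):
        print(f"[{f['severity']}] {f['account']}: {f['issue']}  fix: {f['fix']}")
    print(summarize(audit_accounts(SAMPLE_USERS, SAMPLE_VARIABLES)))
```

Run against the constructed rows, the blank-password root account reachable from any host with FILE and SUPER is exactly the Metasploitable 2 situation the post exploits; setting secure_file_priv to a directory downgrades the FILE findings, and revoking FILE removes the load_file() path entirely.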
Dumping the MySQL database contents
Use the show databases SQL command to show the databases available.
Use the use databasename SQL command to select a particular database.
Once you've selected a particular database, you can start to explore it.
Select a different database and explore it.
You can use the describe command to describe the fields in each SQL table, as well as data types.
Dumping the MySQL database contents using mysqlshow
You can also use mysqlshow to easily show the contents of the database. Use the --host option to point it at a remote database.
Dumping the MySQL database contents using mysqldump
Like the mysqlshow command, the mysqldump command accepts the --host argument. To dump a table, run the command like this:
# mysqldump --host=10.0.0.27 [database] [tablename]
This will result in an SQL script that will recreate the entire database from scratch. Be careful and run mysqlshow --count first, to avoid dumping out a 500 GB database.
DVWA
Try it with the dvwa database:
Unfortunately, the current version of mysqldump doesn’t work with the currently available version of Metasploitable 2. An older Kali version (2015) will work just fine and dumping the dvwa web app reveals some usernames and password hashes.
From this, we can see a couple of interesting things.
First, we have 5 users in this web app. The password field of the table consists of strings of 33 characters, in hex. You can use Hash-Identifier to identify the hash.
Looks like it is an MD5 hash. My advice: pay attention to the gathered info, but don't waste time trying to crack this.
OWASP10
The owasp10 database has some very good info too.
One table has plain-text passwords.
Another has credit card details.
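The DVWA and owasp10 findings above (unsalted MD5 password hashes, plain-text passwords, credit card numbers sitting in a table) are the kind of thing a data-protection review should surface before a dump does. The following is an added example, not code from the original post or from Hash-Identifier, that walks constructed table rows standing in for such dumps, classifies each password column by shape (MD5-style 32-hex digests, SHA-1-style, or modern salted formats) and flags card-number-like values using a Luhn check; the sample tables, values and the well-known 4111... test card number are all constructed for the example.

```python
import hashlib
import re

# Constructed tables standing in for what a dump of dvwa.users and an owasp10
# table might contain; none of these values come from the original page.
SAMPLE_TABLES = {
    "dvwa.users": {
        "columns": ["user", "password"],
        "rows": [
            ("admin", hashlib.md5(b"password").hexdigest()),   # unsalted MD5, 32 hex chars
            ("gordonb", hashlib.md5(b"abc123").hexdigest()),
        ],
    },
    "owasp10.accounts": {
        "columns": ["username", "password", "card"],
        "rows": [
            ("alice", "Summer2024!", "4111 1111 1111 1111"),    # plaintext password, test card number
            ("bob", "$2b$12$" + "x" * 53, "4111111111111112"),  # bcrypt-shaped placeholder, bad checksum
        ],
    },
}

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
MODERN_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$5$", "$6$")


def classify_password_field(value):
    """Rough storage classification by shape, in the spirit of Hash-Identifier."""
    if value.startswith(MODERN_PREFIXES):
        return "salted-adaptive"
    if HEX32.match(value):
        return "md5-like"
    if HEX40.match(value):
        return "sha1-like"
    return "plaintext-or-unknown"


def luhn_ok(digits):
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True for a 13-19 digit string (spaces/dashes allowed) with a valid Luhn checksum."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def audit_tables(tables):
    """Return {table: [(column, issue), ...]} for weak password storage and PAN-like values."""
    report = {}
    for name, table in tables.items():
        issues = []
        for row in table["rows"]:
            for col, val in zip(table["columns"], row):
                val = str(val)
                if "pass" in col.lower():
                    kind = classify_password_field(val)
                    if kind != "salted-adaptive":
                        issues.append((col, kind))
                elif looks_like_pan(val):
                    issues.append((col, "pan-like"))
        report[name] = issues
    return report


if __name__ == "__main__":
    for table, issues in audit_tables(SAMPLE_TABLES).items():
        print(table, issues)
```

The classification is by shape only, which is all Hash-Identifier does too; the actionable output is a list of columns that need migration to a salted adaptive hash, and card columns that should not be stored in a dumpable table at all.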
Several other tools can be used to enumerate and exploit this MySQL database but all revolve around the same basic procedures.
2 comments:
Great work! Thanks for the tutorial. Where can I get the rockyou.txt file?
Just Google for "rockyou passwords" or something similar. I would use the classic file and not the 2021 version (much bigger).