Skip to main content

MySQL - My SQL

This section will cover ways to enumerate MySQL.

Table of Contents
  • Overview
  • Default Configuration
    • Dangerous Settings
  • Enumerating MySQL
    • Nmap
    • MySQL

Overview

MySQL is an open-source relational database management system (RDBMS) that is queried with SQL. MySQL works according to the client-server principle and consists of a MySQL server and one or more MySQL clients. Database dumps and scripts are commonly exchanged as files with the .sql extension, for example wordpress.sql; the server itself keeps its live data in its data directory (typically /var/lib/mysql on Linux), not in .sql files.

The MySQL clients retrieve and edit the data by sending SQL queries to the database engine. Typical operations are inserting, deleting, modifying, and retrieving data. Depending on how the database is used, it may be reachable only from an internal network or directly from the internet.

MySQL is well suited for applications such as dynamic websites. It is often combined with a Linux OS, PHP, and an Apache web server; this combination is known as LAMP (Linux, Apache, MySQL, PHP), or LEMP when Nginx replaces Apache. In such a web hosting setup the MySQL database is the central store for the content the PHP site needs.

Some examples of the items stored are:

  • Headers
  • Customers
  • Email Addresses
  • Texts
  • Values
  • Passwords

MySQL itself stores whatever it is given, so sensitive values such as passwords end up in plaintext unless the application protects them before insertion. Well-written PHP applications hash passwords with a dedicated password-hashing function before storing them, so a database dump does not directly reveal them; applications that skip this step leave credentials readable to anyone who can query or dump the table.

MySQL uses TCP port 3306 by default. MySQL 8's X Plugin additionally listens on TCP port 33060, so a scan limited to 3306 can miss that second listener.

MySQL contains the following default databases:

Database            Description
mysql               The system database. It contains tables that store information required by the MySQL server.
information_schema  Contains the database metadata.
performance_schema  A feature for monitoring MySQL Server execution at a low level.
sys                 A set of objects that helps database administrators (DBAs) and developers interpret data collected by the Performance Schema.

Default Configuration

On Debian-based systems the default MySQL server configuration file is /etc/mysql/mysql.conf.d/mysqld.cnf. MariaDB, a fork of MySQL, reads /etc/mysql/mariadb.cnf and the files under /etc/mysql/mariadb.conf.d/ instead. Both are plain-text option files, so who can read them matters as much as what they contain.

[Image: mysql1.png]

Dangerous Settings

There are many things that can be misconfigured with MySQL. The below table will list some settings and their description.

Setting           Description
user              Sets which OS user the MySQL service runs as (in the [mysqld] section); in a [client] section it is the login user name.
password          Sets the password the client uses to log in (in a [client] section).
admin_address     The IP address to listen on for connections on the administrative network interface.
debug             This variable indicates the current debugging settings.
sql_warnings      This variable controls whether single-row INSERT statements produce an information string if warnings occur.
secure_file_priv  This variable limits the effect of data import and export operations.

Settings such as user, password, and admin_address are security relevant because they are stored in plain text: anyone who can read the option file learns credentials and the address of the administrative listener. debug and sql_warnings produce verbose output when errors occur, which can give an attacker information that is useful in later attacks. secure_file_priv restricts where LOAD DATA, LOAD_FILE() and SELECT ... INTO OUTFILE may read from and write to; when it is set to an empty string there is no restriction, and a database user with the FILE privilege can read and write any path the mysqld process itself can access.
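As an added example (not part of the original page), the script below audits an option file for the settings discussed above. It writes two constructed sample files, one deliberately weak and one hardened, and an awk-based check that reports each dangerous entry; the values, paths and account names in the samples are hypothetical, and the check also flags bind-address and skip-grant-tables, which the table above does not list.

```shell
#!/bin/sh
# Added example, not from the original page: audit a MySQL/MariaDB option file
# for the dangerous settings discussed above. Needs only POSIX sh and awk.
# Both option files below are constructed samples, not real server files.

# Write a constructed, deliberately weak option file to the path in $1.
write_weak_cnf() {
    cat > "$1" <<'EOF'
[client]
user = root
password = P@ssw0rd          # plaintext credential for anyone who can read the file

[mysqld]
user = mysql
bind-address = 0.0.0.0       # reachable on every interface, not just localhost
secure_file_priv =           # empty string = no limit on LOAD DATA / INTO OUTFILE
debug = d:t:o,/tmp/mysqld.trace
sql_warnings = 1
skip-grant-tables            # every client is accepted without authentication
EOF
}

# Write the corrected counterpart to the path in $1.
write_hardened_cnf() {
    cat > "$1" <<'EOF'
[client]
user = root
# no password here: use mysql_config_editor or let -p prompt for it

[mysqld]
user = mysql
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
sql_warnings = 0
EOF
}

# Print one finding per line for every dangerous setting in the file in $1.
# Option files allow "#"/";" comments, [section] headers, and name-value pairs
# where "-" and "_" in the option name are interchangeable.
audit_mysql_cnf() {
    awk '
    { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^$/ { next }
    /^\[.*\]$/ { section = $0; next }
    {
        n = split($0, kv, "=")
        key = kv[1]; gsub(/[ \t]+$/, "", key); gsub(/-/, "_", key)
        val = (n > 1) ? kv[2] : ""; gsub(/^[ \t]+/, "", val)
        if (key == "password")
            printf "%s: plaintext client password stored in config (%s)\n", section, val
        else if (key == "secure_file_priv" && val == "")
            printf "%s: secure_file_priv is empty, file read/write is unrestricted\n", section
        else if (key == "bind_address" && (val == "0.0.0.0" || val == "::"))
            printf "%s: listening on all interfaces (%s)\n", section, val
        else if (key == "debug")
            printf "%s: debug tracing enabled (%s)\n", section, val
        else if (key == "sql_warnings" && val != "0")
            printf "%s: sql_warnings enabled, verbose errors go back to clients\n", section
        else if (key == "skip_grant_tables")
            printf "%s: skip-grant-tables set, authentication is disabled\n", section
    }' "$1"
}

# Number of findings for the file in $1 (0 means nothing flagged).
count_findings() {
    audit_mysql_cnf "$1" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /etc/mysql/mysql.conf.d/mysqld.cnf
if [ "$#" -gt 0 ]; then audit_mysql_cnf "$1"; fi
```

Run it against the real option file with read access as the mysql OS user as well as your own: if both can read a [client] section carrying a password, the credential is effectively public on that host.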

Enumerating MySQL

As MySQL uses TCP port 3306 by default, we can narrow a scan to that port with tools such as Nmap. We can also use the mysql client to interact with the service itself.

The following tools are covered here:

  • Nmap
  • MySQL

Nmap

We can use the following command to scan the MySQL service:

nmap -sV -sC -p 3306 --script "mysql*" 10.129.249.14

Command breakdown:

  • -sV - Scan the version of the service.
  • -sC - Use default NSE scripts.
  • -p 3306 - Specify the port to scan.
  • --script "mysql*" - Use all NSE scripts whose names start with mysql. The pattern is quoted so the shell passes it to nmap unchanged instead of expanding it against files in the current directory.
  • 10.129.249.14 - Specify the target IP address to scan.

[Image: mysql2.png]
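As an added example (not part of the original page), the script below wraps the scan above and extracts the MySQL findings from nmap's greppable (-oG) output, which is the convenient form when more than one host is scanned. The scan function needs nmap and a reachable target; the parser only needs awk and is exercised here on a constructed sample in which the second host and the version string are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: run the page's scan with the NSE
# pattern quoted, save greppable output, and pull the 3306 findings out of it.
# scan_mysql needs nmap and a reachable target; parse_greppable only needs awk.

# Quote 'mysql*' so the shell does not expand it against files in the current
# directory before nmap sees it. $1 = target(s), $2 = path for the -oG output.
scan_mysql() {
    nmap -sV -sC -p 3306 --script 'mysql*' -oG "$2" "$1"
}

# Print "ip port state version" for every port-3306 entry in -oG output.
# Greppable Host lines are tab-separated fields, and each port entry has the
# form port/state/protocol/owner/service/rpc/version.
parse_greppable() {
    awk -F'\t' '
    /^Host:/ {
        split($1, h, " "); ip = h[2]; ports = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[1] == "3306")
                printf "%s %s %s %s\n", ip, f[1], f[2], (f[7] == "" ? "-" : f[7])
        }
    }' "$@"
}

# Constructed -oG output for offline use (10.129.249.14 is the page's example
# target; the second host and the version string are hypothetical).
sample_greppable() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 10.129.249.14 ()\tStatus: Up\n'
    printf 'Host: 10.129.249.14 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.29-0ubuntu0.18.04.1/\tIgnored State: closed (999)\n'
    printf 'Host: 10.129.249.15 ()\tPorts: 3306/filtered/tcp//mysql///\tIgnored State: closed (999)\n'
}

# Usage: scan_mysql 10.129.249.14 mysql.gnmap && parse_greppable mysql.gnmap
#    or: sample_greppable | parse_greppable
```

A "filtered" state with no version string usually means a firewall in front of the port rather than a closed service, so those hosts are worth revisiting from another network position.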

MySQL

Once we have identified the service, and if we can log in, we can interact with it using the mysql client. One example is a server that lets the root user log in without a password.

The following command can be used to connect to the MySQL server.

mysql -u root -h 10.42.0.1

Command breakdown:

  • -u root - Specify to login as the root user.
  • -h 10.42.0.1 - Specify the server IP address to connect to.

If we have a password, we can use the following command:

mysql -u root -pP@ssw0rd -h 10.42.0.1

Command breakdown:

  • -u root - Specify to login as the root user.
  • -pP@ssw0rd - Specify the password to use (no space between -p and the password). A password on the command line is recorded in shell history and visible to other local users in the process list; passing -p alone makes the client prompt for it instead.
  • -h 10.42.0.1 - Specify the server IP address to connect to.

Once logged in, we can use statements such as USE and SHOW TABLES to enumerate the databases. Besides the application's own databases, the most useful system databases are information_schema (metadata on every database, table and column we are allowed to see), the mysql database (user accounts, privileges and their authentication strings in mysql.user, readable with sufficient privileges) and sys.

The below table will list some useful SQL queries.

Query                                                        Description
SHOW DATABASES;                                              Show all databases.
USE Database_Name;                                           Select the specified database.
SHOW TABLES;                                                 Show all tables in the selected database.
SHOW COLUMNS FROM Table_Name;                                Show all columns of the specified table.
SELECT * FROM Table_Name;                                    Show every row in the specified table.
SELECT * FROM Table_Name WHERE Column_Name = 'String_Here';  Show the rows of the specified table whose column equals the string (single quotes work regardless of the server's ANSI_QUOTES setting).

The below image shows an example of the above queries.

[Image: mysql3.png]

We can also craft our own SQL queries to obtain more information from the database if required.
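As an added example (not part of the original page), the script below batches the kind of queries listed above through the mysql client using information_schema and the mysql.user table, and adds a check for accounts whose authentication_string is empty, which is the case of the root-without-password login described earlier. The functions that talk to a server need the mysql client and a reachable host; the parser is exercised offline on constructed batch output whose account names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: enumerate a MySQL server through
# the mysql client and flag accounts that can log in with no password.
# mysql_enum and mysql_users need the mysql client and a reachable server;
# enum_sql, find_passwordless_users and sample_users run offline.

# SQL to run once logged in. information_schema views and mysql.user are
# documented MySQL objects; table_rows is only an estimate for InnoDB tables,
# and the mysql.user query needs SELECT privilege on the mysql database.
enum_sql() {
    cat <<'EOF'
SELECT @@version AS version, CURRENT_USER() AS who, @@secure_file_priv AS secure_file_priv;
SELECT schema_name FROM information_schema.schemata;
SELECT table_schema, table_name, table_rows
  FROM information_schema.tables
 WHERE table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys');
SELECT table_schema, table_name, column_name
  FROM information_schema.columns
 WHERE column_name REGEXP 'pass|pwd|secret|token';
SELECT user, host, plugin, authentication_string FROM mysql.user;
EOF
}

# $1 = host, $2 = user. -p with no value prompts for the password instead of
# leaving it in shell history and the process list. --batch prints rows as
# tab-separated fields; --skip-column-names drops the header rows.
mysql_enum() {
    mysql -h "$1" -u "$2" -p --batch --skip-column-names -e "$(enum_sql)"
}

# Run only the account query and report users that have no password set.
mysql_users() {
    mysql -h "$1" -u "$2" -p --batch --skip-column-names \
        -e 'SELECT user, host, plugin, authentication_string FROM mysql.user;' |
        find_passwordless_users
}

# Input rows: user<TAB>host<TAB>plugin<TAB>authentication_string.
# An empty authentication_string means no password on MySQL 5.7+/8 and
# MariaDB 10.4+. On MySQL 5.6 and older MariaDB the native hash lives in the
# Password column instead, so add that column to the query there.
find_passwordless_users() {
    awk -F'\t' '$4 == "" { print $1 "@" $2 " (" $3 ")" }'
}

# Constructed batch output with hypothetical accounts. The hash on the wpuser
# row is the mysql_native_password hash of the string "password".
sample_users() {
    printf 'root\tlocalhost\tmysql_native_password\t\n'
    printf 'wpuser\tlocalhost\tmysql_native_password\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\n'
    printf 'debug\t%%\tmysql_native_password\t\n'
}

# Usage: mysql_users 10.42.0.1 root
#    or offline: sample_users | find_passwordless_users
```

A host value of % means the account is accepted from any source address, so a passwordless account with that host entry is reachable by anyone who can open a connection to port 3306.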