MySQL is one of the most widely used databases and sits behind many applications today. In a penetration testing engagement it is therefore almost impossible not to come across a system running a MySQL server. In this article we will see how we can attack a MySQL database with the help of the Metasploit Framework.
Let's say that a MySQL server is in the scope of our penetration test. The first step is to discover the version of the database. The Metasploit Framework has a module that allows us to find the version of the database. Knowing the version will help us discover additional vulnerabilities.

The only thing we have to do is set the remote IP address and execute the module with the run command.

Now we can use the mysql_login module in combination with our wordlists in order to discover at least one valid database account that will allow us to log in to the MySQL database. It is always good practice for penetration testers to check the database for weak credentials.

The scanner was successful and, as we can see from the results, we have two valid accounts (guest and root) for remote connection. Neither of these accounts has a password set.
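The other side of a wordlist run like the one above is what the database server records while it happens: every failed attempt lands in the MySQL error log as an "Access denied for user" line. The following script is an added example, not code from the original article or from Metasploit; it parses constructed error-log lines in the MySQL 5.7 format (one MySQL 8.0-style line is included only to exercise that format too) and flags any client host that produces a burst of failures across several usernames, which is the pattern a login scanner leaves behind. The source addresses, timestamps and threshold are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a MySQL error log (log_error_verbosity=3 / log_warnings=2 style).
# One host hammers five different accounts within a few seconds; 10.0.0.7 is a lone mistyped login.
SAMPLE_LOG = """\
2024-03-01T10:00:00.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.
2024-03-01T10:05:01.100000Z 21 [Note] Access denied for user 'root'@'172.16.212.50' (using password: NO)
2024-03-01T10:05:01.400000Z 22 [Note] Access denied for user 'root'@'172.16.212.50' (using password: YES)
2024-03-01T10:05:02.000000Z 23 [Note] Access denied for user 'admin'@'172.16.212.50' (using password: YES)
2024-03-01T10:05:02.300000Z 24 [Note] Access denied for user 'guest'@'172.16.212.50' (using password: YES)
2024-03-01T10:05:03.700000Z 25 [Note] Access denied for user 'mysql'@'172.16.212.50' (using password: YES)
2024-03-01T10:05:04.200000Z 26 [Warning] [MY-010926] [Server] Access denied for user 'backup'@'172.16.212.50' (using password: YES)
2024-03-01T10:31:15.000000Z 40 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
""".splitlines()

# Accepts the 5.7 form "[Note] Access denied ..." and the 8.0 form "[Warning] [MY-010926] [Server] Access denied ...".
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[(?:Note|Warning)\](?:\s+\[[^\]]+\])*\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(lines):
    """Return (timestamp, user, host, password_was_sent) for every failed-login line."""
    events = []
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue  # startup notes and other messages are not login failures
        ts = datetime.fromisoformat(m.group("ts").rstrip("Z"))
        events.append((ts, m.group("user"), m.group("host"), m.group("pw") == "YES"))
    return events


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag each client host with at least `threshold` failures inside any `window`.

    Returns {host: {"failures": total, "users": sorted usernames tried, "first": ts, "last": ts}}.
    """
    by_host = defaultdict(list)
    for ts, user, host, _ in parse_denials(lines):
        by_host[host].append((ts, user))

    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = {
                    "failures": len(evs),
                    "users": sorted({u for _, u in evs}),
                    "first": evs[0][0],
                    "last": evs[-1][0],
                }
                break
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failures against {info['users']} "
              f"between {info['first']} and {info['last']}")
```

The sliding window is what separates a scanner from an operator fat-fingering a password: the single failure from 10.0.0.7 never reaches the threshold, while the burst from 172.16.212.50 does after its fifth attempt. The `password_was_sent` flag is worth keeping in the output as well, since a stream of `using password: NO` attempts is exactly what a check for blank passwords looks like from the server's side.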

Before we use these accounts to connect and interact directly with the database, we can use two more Metasploit modules that help us enumerate the database accounts and dump the usernames and password hashes of the MySQL server. Of course this can be done manually, but Metasploit helps us automate the process. First we will configure the mysql_enum module in order to find information about the database accounts:

We can see a sample of the output in the following image:

Next it is time to configure and run the mysql_hashdump module in order to dump the password hashes of all the database accounts:

Now we can use any MySQL client to connect to the database. Backtrack already ships with a client, so we can use the command mysql -h <IP> -u <username> -p (with -p given on its own, the client prompts for the password). In our case the IP of the target is 172.16.212.133 and we will use as username root, which was discovered by the mysql_login module earlier. We will be prompted for a password, but we leave it blank because the password of the root account is blank.

Now that we are connected to the database we can use the command show databases; in order to list the databases stored on the MySQL server.

The next step is to choose one database and list the tables it contains, in order to start extracting data. We can do that with the command use <dbname> followed by the command show tables;

We can see that there is a table named user. We would like to extract the data of that table, as it contains the usernames and passwords of the system. We can achieve that with the command select User, Password from user;

As we can see there are 3 accounts with blank passwords. So now we have all the accounts of the MySQL database. We can also discover the tables of other databases with the command show tables from <dbname>;
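The mysql_enum and mysql_hashdump modules above, and the select User, Password from user; query just shown, all read the same mysql.user table; the findings that matter (blank passwords, anonymous users, accounts reachable from any host, root allowed in remotely, pre-4.1 hashes) can be checked by the owner of the server in exactly the same way. The script below is an added example, not code from the original article or from Metasploit: it takes rows as they come back from that query, classifies each account and emits the statement that fixes it. The rows are constructed, the password placeholder is a placeholder, and the ALTER USER syntax assumes MySQL 5.7 or later (on 5.6, where the column is still called Password as on this page, the equivalent is SET PASSWORD FOR ... = PASSWORD('...')).

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# The query a DBA would run. 'Password' is the column name on MySQL <= 5.6 (as in the
# page's output); 'authentication_string' replaces it from 5.7 onwards.
AUDIT_QUERY = "SELECT User, Host, Password FROM mysql.user;"

OLD_HASH_RE = re.compile(r"^[0-9a-f]{16}$")   # pre-4.1 (OLD_PASSWORD) hash: 16 hex digits
PLACEHOLDER = "<new-strong-password>"          # assumed placeholder, never a real password

# Constructed sample rows in the shape AUDIT_QUERY returns them (the 40-hex hash is made up).
SAMPLE_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("guest", "%", ""),
    ("", "localhost", ""),                      # anonymous account
    ("app", "10.0.0.%", "*0123456789ABCDEF0123456789ABCDEF01234567"),
    ("legacy", "localhost", "5d2e19393cc5ef67"),
]


@dataclass
class Finding:
    user: str
    host: str
    issues: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def audit_accounts(rows):
    """rows: (User, Host, Password) tuples as returned by AUDIT_QUERY.

    Returns one Finding per account that needs attention; clean accounts are omitted.
    """
    findings = []
    for user, host, pw in rows:
        f = Finding(user, host)
        acct = f"'{user}'@'{host}'"
        if user == "":
            f.issues.append("anonymous account")
            f.remediation.append(f"DROP USER {acct};")
        if pw == "":
            f.issues.append("blank password")
            if user != "":  # anonymous accounts are dropped rather than given a password
                f.remediation.append(f"ALTER USER {acct} IDENTIFIED BY '{PLACEHOLDER}';")
        elif OLD_HASH_RE.match(pw):
            f.issues.append("pre-4.1 password hash")
            f.remediation.append(f"ALTER USER {acct} IDENTIFIED BY '{PLACEHOLDER}';")
        if host == "%":
            f.issues.append("allowed from any host")
        if user == "root" and host not in ("localhost", "127.0.0.1", "::1"):
            f.issues.append("root login permitted remotely")
            f.remediation.append(f"-- review {acct}: restrict the Host part or drop the account")
        if f.issues:
            findings.append(f)
    return findings


def summarize(findings):
    """Count how often each issue appears across all findings."""
    return dict(Counter(issue for f in findings for issue in f.issues))


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ROWS)
    for f in results:
        print(f"'{f.user}'@'{f.host}': {', '.join(f.issues)}")
        for stmt in f.remediation:
            print("    " + stmt)
    print(summarize(results))
```

Only the app account survives the audit in the sample: its host pattern is scoped to a subnet and it carries a modern hash. Everything the article later extracts by hand shows up here as a finding with a one-line fix, which is the check worth running before a wordlist ever reaches port 3306.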

The interesting table here is credit_cards, so we would like to see the contents of this table. We change database with the command use <dbname> and execute the command select * from credit_cards;

Now we have all the credit card details of the users and all the accounts and passwords from the database.
Conclusion
In this article we saw how we can gain access to a MySQL database by taking advantage of weak credentials. Weak credentials and forgotten default database accounts are among the most common security problems in large organizations, where it is difficult for admins who have to manage a variety of systems to change and control the accounts regularly. Every penetration tester assessing a database system must first check whether the remote target has default or weak accounts. This is the easiest way of getting access, and in large, complex environments there is always a good chance that this technique will be successful.
nice bro…. keep the great works 🙂
Reblogged this on Technologic and commented:
nice way to inject 🙂
Good stuff. I was looking for mysql exploits, landed in the right place
ERROR 1130 (HY000): Host ‘LHOST ip’ is not allowed to connect to this MySQL server… So how can I bypass this restriction?
This is great! Thanks a lot 🙂
after run mysql_enum and mysql_hashdump I got IP:3306 – Access denied.
Scanned 1 of 1 hosts (100% complete)
Auxiliary module execution completed
Help?
I’m running my own Mysql Server in a Win7.(another machine)
After mysql_enum and mysql_hashdump I always got [-] x.x.x.x:3306 – Access denied
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution complete
any help?
These modules require authentication. You need to provide the username and the password to access the database. If the credentials are not known you need to find them through a brute-force attack etc.
Got it! It worked now!…
Thank you so much! =)
Nice work. Worked perfectly
To test if root without a password exists you don’t need so many steps. It is really simple to do: mysql -u root -h -P -p
I can’t leave my password blank.
I press ENTER, and no response.
Can you help me, please?
Thank you.