MySQL is one of the most widely used databases and backs many applications today, so in a penetration testing engagement it is almost impossible not to find a system running a MySQL server. In this article we will see how we can attack a MySQL database with the help of the Metasploit Framework.

Let's say that a MySQL server is in the scope of our penetration test. The first step is to discover the version of the database. The Metasploit Framework has a module that allows us to find the version of the database, and knowing the version will help us to discover additional vulnerabilities.

[Image: Metasploit Module for MySQL version enumeration]

The only thing we have to do is set the remote IP address and execute the module with the run command.

[Image: Discovering the version of MySQL]

Now we can use the mysql_login module in combination with our wordlists to discover at least one valid database account that will allow us to log in to the MySQL database. It is always good practice for penetration testers to check the database for weak credentials.

[Image: Configuring the MySQL Login Module]

The scanner was successful and, as we can see from the results, we have two valid accounts (guest and root) for remote connection. Neither of these accounts has a password set.

[Image: Discovering valid accounts from the MySQL Database]
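As an added example (not part of the original article), the defender's view of the mysql_login step above: a small Python script that parses MySQL error-log records of failed logins and flags a source host that fails many times in a short window, the pattern a wordlist scan leaves behind. The log lines are constructed samples in the MySQL 5.7 error-log format, and the scanning address 172.16.212.1 is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample error-log lines (MySQL 5.7 style; failed logins are recorded
# when log_warnings >= 2). The scanning host 172.16.212.1 is hypothetical.
SAMPLE_LOG = """\
2024-03-01T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'172.16.212.1' (using password: YES)
2024-03-01T10:00:01.200000Z 13 [Note] Access denied for user 'root'@'172.16.212.1' (using password: YES)
2024-03-01T10:00:01.400000Z 14 [Note] Access denied for user 'admin'@'172.16.212.1' (using password: YES)
2024-03-01T10:00:01.600000Z 15 [Note] Access denied for user 'guest'@'172.16.212.1' (using password: NO)
2024-03-01T10:00:02.000000Z 16 [Note] Access denied for user 'mysql'@'172.16.212.1' (using password: YES)
2024-03-01T10:05:00.000000Z 17 [Note] Access denied for user 'bob'@'10.0.0.7' (using password: YES)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)

def parse_failed_logins(text):
    """Return a list of (timestamp, user, host, used_password) for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login record
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, m.group("user"), m.group("host"), m.group("pw") == "YES"))
    return events

def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Flag hosts with >= threshold failures inside any sliding window.
    Returns {host: {"failures": count, "users": sorted distinct usernames}}."""
    by_host = defaultdict(list)
    for ts, user, host, _ in events:
        by_host[host].append((ts, user))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in hits[start:end + 1]})
                alerts[host] = {"failures": end - start + 1, "users": users}
    return alerts
```

The distinct usernames per source host are the useful signal: one user failing repeatedly may be a typo, many users from one host in seconds is a wordlist.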

Before we use these accounts to connect to and interact directly with the database, we can use two more Metasploit modules that help us enumerate the database accounts and dump the usernames and password hashes of the MySQL server. Of course this can be done manually, but Metasploit helps us automate the process. So first we configure the mysql_enum module to gather information about the database accounts:

[Image: Metasploit Module Configuration for MySQL Accounts Enumeration]

We can see a sample of the output in the following image:

[Image: Enumerating MySQL Accounts]

Next it's time to configure and run the mysql_hashdump module to dump the password hashes of all the database accounts:

[Image: Dumping the hashes from the MySQL Database]

Now we can use any MySQL client to connect to the database. BackTrack already includes one, so we can use the command mysql -h <IP> -u <username> -p. In our case the IP of the target is 172.16.212.133 and we will use as username root, which was discovered by the mysql_login module earlier. We will be prompted for a password, but we will leave it blank because the password of the root account is blank.

[Image: Connection to MySQL Database]

Now that we are connected to the database, we can use the command show databases; to discover the databases stored on the MySQL server.

[Image: Display the databases]

The next step is to choose one database and list the tables it contains in order to start extracting data. We can do that with the command use <dbname> followed by the command show tables;

[Image: Tables of the mysql database]

We can see that there is a table named user. We would like to extract the data of that table, as it contains the usernames and password hashes of the database accounts. We can achieve that with the command select User, Password from user;

[Image: Extract Usernames and Passwords from Table]

As we can see there are 3 accounts with blank passwords, so now we have all the accounts of the MySQL database. We can also list the tables of other databases with the command show tables from <dbname>;

[Image: Display tables from another database]
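As an added example, not from the article, here is the check an administrator would run over the same User/Host/Password rows the walkthrough pulled from the user table: it flags blank passwords, wildcard hosts (which is what made root reachable remotely here) and, going one step beyond the article, the anonymous accounts a default MySQL install creates, and it emits the fixing statement for each. The rows are constructed; the app@10.0.0.5 account and its hash value are hypothetical.

```python
# Constructed rows standing in for `SELECT User, Host, Password FROM mysql.user` as run in
# the walkthrough. MySQL 5.7+ stores the hash in authentication_string instead, so both
# column names are accepted. The app@10.0.0.5 account and its hash value are hypothetical.
SAMPLE_USERS = [
    {"User": "root",  "Host": "localhost", "Password": ""},
    {"User": "root",  "Host": "%",         "Password": ""},
    {"User": "guest", "Host": "%",         "Password": ""},
    {"User": "",      "Host": "localhost", "Password": ""},
    {"User": "app",   "Host": "10.0.0.5",  "authentication_string": "<hash placeholder>"},
]

def audit_accounts(rows):
    """Return (user, host, issue) findings for each weak MySQL account."""
    findings = []
    for row in rows:
        user, host = row["User"], row["Host"]
        secret = row.get("authentication_string", row.get("Password", ""))
        if user == "":
            findings.append((user, host, "anonymous account"))
        elif secret == "":
            findings.append((user, host, "blank password"))
        if "%" in host or "_" in host:  # SQL wildcards in Host admit remote clients
            findings.append((user, host, "wildcard host"))
    return findings

def remediation_sql(findings):
    """Translate findings into the statements an administrator would run (MySQL 5.7+ syntax)."""
    stmts = []
    for user, host, issue in findings:
        acct = f"'{user}'@'{host}'"
        if issue == "anonymous account":
            stmts.append(f"DROP USER {acct};")
        elif issue == "blank password":
            stmts.append(f"ALTER USER {acct} IDENTIFIED BY '<new strong password>';")
        else:  # wildcard host needs a human decision, so emit a review note instead
            stmts.append(f"-- review {acct}: restrict Host to the real client or DROP USER {acct};")
    return stmts
```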

The interesting table here is credit_cards, so we would like to see the contents of this table. We change database with the command use <dbname> and then execute the command select * from credit_cards;

[Image: Extract all the data from a table]

Now we have all the credit card details of the users, as well as all the accounts and passwords from the database.

Conclusion

In this article we saw how we can gain access to a MySQL database by taking advantage of weak credentials. Weak credentials and forgotten default database accounts are among the most common security problems in large organizations, where administrators who have to manage a variety of systems find it difficult to change and control accounts regularly. When assessing a database system, every penetration tester should first check whether the remote target has default or weak accounts. This is the easiest way of getting access, and in large, complex environments there is always a good chance that this technique will succeed.

12 Comments

  1. ERROR 1130 (HY000): Host ‘LHOST ip’ is not allowed to connect to this MySQL server… So how can I bypass this restriction?

  2. After running mysql_enum and mysql_hashdump I got IP:3306 – Access denied.
    Scanned 1 of 1 hosts (100% complete)
    Auxiliary module execution completed

    Help?

  3. I’m running my own MySQL server on Win7 (another machine).
    After mysql_enum and mysql_hashdump I always got [-] x.x.x.x:3306 – Access denied
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution complete

    any help?

    1. These modules require authentication. You need to provide the username and the password to access the database. If the credentials are not known, you need to find them through a brute-force attack etc.

  4. I can’t leave my password blank.
    I press ENTER, and no response.
    Can you help me, please?
    Thank you.
