Attacking MySQL With Metasploit

Attacking MySQL With Metasploit

27JUL

MySQL is one of the most used databases that is being used by many applications in nowadays.So in a penetration testing engagement it is almost impossible not to find a system that will run a MySQL server.In this article we will see how we can attack a MySQL database with the help of Metasploit framework.

Lets say that is in the scope of our penetration test is a MySQL server.The first step is to discover the version of the database.Metasploit Framework has a module that allows us to find the version of the database.Knowing the version of the database will help us to discover additional vulnerabilities.

Metasploit Module for MySQL version enumeration

The only thing that we have to do is to insert the remote IP address and to execute it with the run command.

Discovering the version of MySQL

Now we can use the mysql_login module in combination with our wordlists in order to discover at least one valid database account that will allow us to login to the MySQL database.It is always a good practice as a penetration testers to check the database for weak credentials.

Configuring the MySQL Login Module

The scanner was successful and now as we can see from the results we have two valid accounts (guest androot) for remote connection.Both of these accounts they don’t have a password set.

Discovering valid accounts from the MySQL Database

Before we use these accounts in order to connect and interact directly with the database we can use another two metasploit modules that can help us to enumerate the database accounts and to dump the usernames and password hashes of the MySQL server.Of course this can be done manually but Metasploit helps us to automate this process.So first we will configure the module mysql_enum in order to find information about the database accouts:

Metasploit Module Configuration for MySQL Accounts Enumeration

We can see a sample of the output in the following image:

enumerating MySQL Accounts

Next its time to configure and run the mysql_hashdump module in order to dump the passwords hashes from all the database accounts:

Dumping the hashes from the MySQL Database

Now we can use any mysql client to connect to the database.Backtrack has already a client so we can use the command mysql -h IP -u username -p password.In our case our IP of the target is 172.16.212.133 and we will use as username the root that has been discovered from the mysql_login module before.We will be prompted for a password but we will leave it blank because the password for the account root is blank.

Connection to MySQL Database

Now that we are connected to the database we can use the command show databases; in order to discover the databases that are stored in the MySQL server.

Display the databases

As a next step is to choose one database and then to try to see the tables that it contains in order to start extract data.We can do that with the command use <dbname> and the command show tables;

Tables of mysql database

We can see that there is a table user.We would like to extract the data of that table as it contains the usernames and passwords of the system.We can achieve that with the command select User, Password from user;

Extract Usernames and Passwords from Table

As we can see there are 3 accounts with blank passwords.So now we have all the accounts of the MySQLdatabase.We can now discover additional tables from other databases with the command show tables from <dbname>;

Display tables from another database

The interesting table here is the credit_cards so we would like to see the contents of this table.We will change database with the command use <dbname> and we will execute the command show * from credit_cards;

Extract all the data from a table

Now we have all the credit cards details from users and all the accounts and passwords from the database.

Conclusion

In this article we saw how we can gain access to a MySQL database by taken advantage the weakcredentials.Weak credentials and forgotten default database accounts are one of the most common security problems in large organizations where it is difficult for the admins that they have to manage a variety of systems to be able to change and control the accounts regularly.Every penetration tester must check first while assessing a database system if the remote target is having default or weak accounts installed.This is the easiest way of getting access and in complex and big environments it always a good possibility that this technique will be successful.

Video