(3306)MySQL

About

MySQL is an open-source SQL relational database management system developed and supported by Oracle. It works according to the client-server principle and consists of a MySQL server and one or more MySQL clients. The database is controlled using the SQL database language. The data is stored in tables with different columns, rows, and data types. These databases are often stored in a single file with the file extension .sql, for example, like wordpress.sql

Default Configuration

Managing SQL databases and their configurations is an extensive field. It's so comprehensive that specialized professions, such as database administrators, focus almost exclusively on databases. These systems can grow rapidly and their planning can become quite complex.

$ sudo apt install mysql-server -y
$ cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'

Dangerous Settings

Like any server configuration, anything can go wrong if server administrator oversee a vulnerable setting. The settings below are the "main" options that are security-relevant:

user

Sets which user the MySQL service will run as.

password

Sets the password for the MySQL user.

admin_address

The IP address on which to listen for TCP/IP connections on the administrative network interface.

debug

This variable indicates the current debugging settings

sql_warnings

This variable controls whether single-row INSERT statements produce an information string if warnings occur.

secure_file_priv

This variable is used to limit the effect of data import and export operations.

Footprinting

Nmap

$ sudo nmap <TARGE IP> -sV -sC -p3306 --script mysql*

Interacting With The Server

$ mysql -u <USER> -p<PASSWORD> -h 10.129.14.128

Command

Description

mysql -u <user> -p<password> -h <IP address>

Connect to the MySQL server. There should not be a space between the '-p' flag, and the password.

show databases;

Show all databases.

use <database>;

Select one of the existing databases.

show tables;

Show all available tables in the selected database.

show columns from <table>;

Show all columns in the selected database.

select * from <table>;

Show everything in the desired table.

select * from <table> where <column> = "<string>";

Search for needed string in the desired table.

Last updated