3306 - MySQL/MariaDB

101

MariaDB is a fork of MySQL which uses the same port and syntax.

Usage

SELECT version();

Schemas & DBs

MySQL default system schemas:

Schema              Description
mysql               System database containing the tables that store information required by the MySQL server
information_schema  Provides access to database metadata
performance_schema  A feature for monitoring MySQL Server execution at a low level
sys                 A set of objects that helps DBAs and developers interpret the data collected by performance_schema

MySQL stores information about itself in the information_schema database, which is a read-only repository of the metadata of the MySQL database server, providing insights into the structure and organization of the database environment. It contains some useful tables, such as:

  • Information about all databases

  • Information about all tables

  • Details about columns in the tables

We can use the following queries to enumerate the DBMS via the information_schema database:

SELECT table_schema FROM information_schema.tables GROUP BY table_schema;

CLI Tools

For an example of mysql usage see Devvortex.

Attacks

SQLi

Enumeration statements:

UNION-based payload for reading and writing files:

UDF Functions

User Defined Functions (UDFs) in MySQL enable extending database capabilities by allowing custom functions written in any programming language to be compiled into shared libraries and loaded into the database. These functions run natively like built-in ones, providing flexibility but also introducing a significant attack surface when exploited. From a red team perspective, UDFs present a powerful method to escalate privileges, especially when the MySQL server runs with elevated permissions.

If the MySQL server runs as root and the server itself has been compromised, UDFs can be leveraged for privilege escalation, following raptor's PoC.

C code

Accessing the MySQL database with root credentials allows the discovery of the plugin directory (plugin_dir) where MySQL stores UDF libraries, and confirmation that the secure_file_priv restriction is disabled (the variable is empty), which permits the file operations needed to write the malicious library there.

The compiled shared library was loaded into the database by inserting its binary content into a table and writing that content out to the plugin directory. A new SQL function was then created that links to the shared library.

Read & Write Files

In MySQL, the ability to read from or write to files requires the FILE privilege, and is further controlled by the global system variable secure_file_priv. This variable restricts file operations to a specific directory:

  • If set to a directory path, operations like LOAD_FILE and SELECT ... INTO OUTFILE are limited to that path.

  • If set to NULL, these operations are completely disabled.

  • If empty, there are no restrictions; this is insecure, as it allows unrestricted file I/O anywhere the MySQL OS user can reach.

If permitted, files can be written using the SELECT ... INTO OUTFILE clause. The target directory must be writable by the OS user running MySQL. For example:

To read files:

If the server is insecurely configured (e.g., secure_file_priv is empty), sensitive files may be readable:

An attacker with FILE privileges may exploit SQLi to:

  • Read files using LOAD_FILE()

  • Write files using INTO OUTFILE

  • Query sensitive tables and variables like mysql.user or information_schema.global_variables (on MySQL 8.0 the information_schema copy was removed; use performance_schema.global_variables)
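An added audit script (not from the original page) that checks the conditions the UDF and Read & Write Files sections describe: the value of secure_file_priv, which accounts hold the FILE privilege, and whether plugin_dir falls inside the directory secure_file_priv allows. The query results are constructed sample data; the SQL that would produce them is shown in the comments.

```python
import os

# Constructed sample data standing in for the output of:
#   SHOW GLOBAL VARIABLES WHERE Variable_name IN ('secure_file_priv', 'plugin_dir');
#   SELECT user, host, File_priv FROM mysql.user;
SAMPLE_VARS = {"secure_file_priv": "", "plugin_dir": "/usr/lib/mysql/plugin/"}
SAMPLE_USERS = [("root", "localhost", "Y"), ("app", "%", "Y"), ("report", "10.0.0.%", "N")]

def classify_secure_file_priv(value):
    """Return 'disabled', 'unrestricted' or 'restricted' for a secure_file_priv value.
    A connector returns SQL NULL as None; the mysql CLI prints it as the string NULL."""
    if value is None or str(value).upper() == "NULL":
        return "disabled"        # LOAD_FILE() and INTO OUTFILE refused entirely
    if value == "":
        return "unrestricted"    # any path the mysqld OS user can reach
    return "restricted"          # confined to that directory

def plugin_dir_exposed(secure_file_priv, plugin_dir):
    """True when INTO OUTFILE could place a file in plugin_dir: file I/O is
    unrestricted, or the allowed directory contains plugin_dir."""
    mode = classify_secure_file_priv(secure_file_priv)
    if mode == "disabled":
        return False
    if mode == "unrestricted":
        return True
    allowed = os.path.abspath(secure_file_priv)
    target = os.path.abspath(plugin_dir)
    return os.path.commonpath([allowed, target]) == allowed

def audit(variables, users):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    sfp = variables.get("secure_file_priv")
    mode = classify_secure_file_priv(sfp)
    if mode == "unrestricted":
        findings.append("secure_file_priv is empty: LOAD_FILE()/INTO OUTFILE are unrestricted")
    file_users = [(u, h) for u, h, priv in users if priv == "Y"]
    if mode != "disabled":
        for user, host in file_users:
            if host != "localhost":
                findings.append(f"FILE privilege held by remote-capable account {user}@{host}")
    if file_users and plugin_dir_exposed(sfp, variables.get("plugin_dir", "")):
        findings.append("plugin_dir lies within the secure_file_priv scope: a FILE-privileged "
                        "account could write a UDF library there if the mysqld OS user can")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_VARS, SAMPLE_USERS):
        print("[!]", finding)
```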

If the MySQL server is running in a web environment and the web root is known and writable, it may be possible to write a PHP web shell. To enumerate the web root, the LOAD_FILE() function can be used to read the web server configuration:

Server   Configuration file (reveals the web root directory)
Apache   /etc/apache2/apache2.conf
Nginx    /etc/nginx/nginx.conf
IIS      %WinDir%\System32\Inetsrv\Config\ApplicationHost.config

Once written, the shell can be accessed via a browser to execute OS commands and, if needed, upgraded to a reverse shell.

phpMyAdmin

phpMyAdmin is a browser-based MySQL and MariaDB administration interface written in PHP. It enables database management without direct command-line interaction by allowing the execution of SQL queries, database creation or deletion, table management, and user privilege modification through a web interface.

If the admin account is compromised, RCE can be achieved either by creating a webshell directly...

or by first creating an upload page:

LFI

If a server is vulnerable to LFI, check for interesting files for MySQL or MariaDB.

Windows:

File Name                         Purpose
%WINDIR%\my.ini, %WINDIR%\my.cnf  Global options
C:\my.ini, C:\my.cnf              Global options
BASEDIR\my.ini, BASEDIR\my.cnf    Global options
defaults-extra-file               The file specified with --defaults-extra-file, if any
%APPDATA%\MySQL\.mylogin.cnf      Login path options (clients only)
DATADIR\mysqld-auto.cnf           System variables persisted with SET PERSIST or SET PERSIST_ONLY (server only)

Unix and Linux:

File Name                Purpose
/etc/my.cnf              Global options
/etc/mysql/my.cnf        Global options
SYSCONFDIR/my.cnf        Global options
$MYSQL_HOME/my.cnf       Server-specific options (server only)
defaults-extra-file      The file specified with --defaults-extra-file, if any
~/.my.cnf                User-specific options
~/.mylogin.cnf           User-specific login path options (clients only)
DATADIR/mysqld-auto.cnf  System variables persisted with SET PERSIST or SET PERSIST_ONLY (server only)
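An added check (not part of the original page) from the defensive side of the LFI list above: parse the Unix option files listed and flag plaintext client passwords and files readable by other users, which is what an LFI would expose. The parser follows MySQL option-file syntax ([group] headers, key=value or bare keys, # and ; comments); !include directives are skipped rather than followed, and the sample file is constructed in a temporary directory.

```python
import os, stat, tempfile

# Unix option-file locations from the list above; ~ expands to the current user's home.
DEFAULT_PATHS = ["/etc/my.cnf", "/etc/mysql/my.cnf", os.path.expanduser("~/.my.cnf")]

def parse_option_file(text):
    """Parse MySQL option-file syntax into {group: {key: value}}. '#' starts a comment
    anywhere on a line, ';' only at line start; '-' and '_' in option names are equivalent."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";!":      # blank, comment, or !include directive (not followed here)
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            groups.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        if current is not None:              # options before any [group] header are ignored
            groups[current][key.strip().replace("-", "_")] = value.strip().strip("\"'")
    return groups

def audit_option_file(path):
    """Return findings for one file: plaintext passwords and loose permissions."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            groups = parse_option_file(fh.read())
    except OSError:
        return findings                      # missing or unreadable: nothing to report
    for group, opts in groups.items():
        if opts.get("password"):             # a bare 'password' line only prompts, so it is fine
            findings.append(f"{path}: plaintext password in [{group}]")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o044:
        findings.append(f"{path}: readable by group/others (mode {mode:04o})")
    return findings

def demo(mode=0o644):
    """Audit a constructed ~/.my.cnf-style sample written with the given mode."""
    sample = "[client]\nuser = app\npassword = s3cret!  # constructed sample\n[mysql]\nprompt = db> \n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".my.cnf")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
        return audit_option_file(path)

if __name__ == "__main__":
    for p in DEFAULT_PATHS:
        for finding in audit_option_file(p):
            print("[!]", finding)
```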

Inline Commands

Tools like WinRM do not support the interactive prompt the mysql client normally uses. That means the -e option must be used to execute SQL statements inline:
