Skip to content


MySQL is an open-source SQL relational database management system developed and supported by Oracle. MySQL works according to the client-server principle and consists of a MySQL server and one or more MySQL clients.

Default Configuration

neutron@kali[/kali]$ sudo apt install mysql-server -y
neutron@kali[/kali]$ cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'

port        = 3306
socket      = /var/run/mysqld/mysqld.sock

pid-file    = /var/run/mysqld/
socket      = /var/run/mysqld/mysqld.sock
nice        = 0

user        = mysql
pid-file    = /var/run/mysqld/
socket      = /var/run/mysqld/mysqld.sock
port        = 3306
basedir     = /usr
datadir     = /var/lib/mysql
tmpdir      = /tmp
lc-messages-dir = /usr/share/mysql


!includedir /etc/mysql/conf.d/

Dangerous Settings

Settings Description
user Sets which user the MySQL service will run as.
password Sets the password for the MySQL user.
admin_address The IP address on which to listen for TCP/IP connections on the administrative network interface.
debug This variable indicates the current debugging settings
sql_warnings This variable controls whether single-row INSERT statements produce an information string if warnings occur.
secure_file_priv This variable is used to limit the effect of data import and export operations.

The settings user, password, and admin_address are security-relevant because the entries are made in plain text. Often, the rights for the configuration file of the MySQL server are not assigned correctly. If we get another way to read files or even a shell, we can see the file and the username and password for the MySQL server.

Footprinting the Service

Usually, the MySQL server runs on TCP port 3306

neutron@kali[/kali]$ sudo nmap -sV -sC -p3306 --script mysql*

Starting Nmap 7.80 ( ) at 2021-09-21 00:53 CEST
Nmap scan report for
Host is up (0.00021s latency).

3306/tcp open  nagios-nsca Nagios NSCA
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|_  Statistics: Performed 45010 guesses in 5 seconds, average tps: 9002.0
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|   Thread ID: 13
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolOld, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, FoundRows, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_  Auth Plugin Name: caching_sha2_password
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:00:00:00:00:00 (VMware)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds

As with all our scans, we must be careful with the results and manually confirm the information obtained because some of the information might turn out to be a false-positive. This scan above is an excellent example of this, as we know for a fact that the target MySQL server does not use an empty password for the user root, but a fixed password. We can test this:

neutron@kali[/kali]$ mysql -u root -h

ERROR 1045 (28000): Access denied for user 'root'@'' (using password: NO)

If we use a password that we have guessed or found through our research, we will be able to log in:

neutron@kali[/kali]$ mysql -u root -pP4SSw0rd -h

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 150165
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)                                                         
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.                                     
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.                           

MySQL [(none)]> show databases;                                                                          
| Database           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
4 rows in set (0.006 sec)

MySQL [(none)]> select version();
| version()               |
| 8.0.27-0ubuntu0.20.04.1 |
1 row in set (0.001 sec)

MySQL [(none)]> use mysql;
MySQL [mysql]> show tables;
| Tables_in_mysql                                      |
| columns_priv                                         |
| component                                            |
| db                                                   |
| default_roles                                        |
| engine_cost                                          |
| func                                                 |
| general_log                                          |
| global_grants                                        |
| gtid_executed                                        |
| help_category                                        |
| help_keyword                                         |
| help_relation                                        |
| help_topic                                           |
| innodb_index_stats                                   |
| innodb_table_stats                                   |
| password_history                                     |
| user                                                 |
37 rows in set (0.002 sec)

The most important databases for the MySQL server are the system schema (sys) and information schema (information_schema). The system schema contains tables, information, and metadata necessary for management. More about this database can be found in the reference manual of MySQL.

mysql> use sys;
mysql> show tables;  

| Tables_in_sys                                 |
| host_summary                                  |
| host_summary_by_file_io                       |
| host_summary_by_file_io_type                  |
| host_summary_by_stages                        |
| host_summary_by_statement_latency             |
| host_summary_by_statement_type                |
| innodb_buffer_stats_by_schema                 |
| innodb_buffer_stats_by_table                  |
| innodb_lock_waits                             |
| io_by_thread_by_latency                       |
| x$waits_global_by_latency                     |

mysql> select host, unique_users from host_summary;

| host        | unique_users |                   
| |            1 |                   
| localhost   |            2 |                   
2 rows in set (0,01 sec)  
Command Description
mysql -u <user> -p<password> <IP address> Connect to the MySQL server. There should not be a space between the '-p' flag, and the password.
show databases; Show all databases.
use <database>; Select one of the existing databases.
show tables; Show all available tables in the selected database.
show columns from <table>; Show all columns in the selected database.
select * from <table>; Show everything in the desired table.
select * from <table> where <column> = "<string>"; Search for needed string in the desired table.