{"id":232,"date":"2025-01-28T00:00:00","date_gmt":"2025-01-27T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=232"},"modified":"2025-01-24T21:07:33","modified_gmt":"2025-01-24T20:07:33","slug":"mysql-mssql-oracle-database-security-tactics","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/mysql-mssql-oracle-database-security-tactics\/","title":{"rendered":"MySQL, MSSQL &amp; Oracle Database Security Tactics"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In the ever-evolving landscape of cybersecurity, understanding the intricacies of database exploitation is critical for both attackers and defenders. Databases are the lifeblood of modern applications, and their misconfiguration or vulnerabilities can lead to devastating breaches. This article delves into practical techniques for interacting with MySQL, MSSQL, and Oracle databases focusing on their configurations, commands, and tools that can be leveraged for penetration testing or forensic investigations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>MySQL<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key Port and Configuration<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">MySQL servers typically operate on port&nbsp;<strong>3306<\/strong>, making it a prime target for attackers scanning networks. To install MySQL on a Linux system, use:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install mysql-server -y<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Configuration files for MySQL are usually located at\u00a0<code>\/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/code>. 
To view this file without comments or blank lines:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/mysql\/mysql.conf.d\/mysqld.cnf | grep -v \"#\" | sed -r '\/^\\s*$\/d'<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Connecting to MySQL<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To connect to a MySQL server remotely, use:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql -u &lt;user&gt; -p&lt;password&gt; -h &lt;IP address&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Note:\u00a0There should be no space between the\u00a0<code>-p<\/code>\u00a0flag and the password. For example:<\/em><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql -u root -pP4SSw0rd -h 10.129.14.128<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once connected, these commands are essential for database exploration:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>show databases;<\/code>\u00a0\u2013 Lists all available databases.<\/li>\n\n\n\n<li><code>use &lt;database&gt;;<\/code>\u00a0\u2013 Switches to a specific database.<\/li>\n\n\n\n<li><code>show tables;<\/code>\u00a0\u2013 Displays all tables within the selected database.<\/li>\n\n\n\n<li><code>show columns from &lt;table&gt;;<\/code>\u00a0\u2013 Reveals column names in a table.<\/li>\n\n\n\n<li><code>select * from &lt;table&gt;;<\/code>\u00a0\u2013 Retrieves all data from a table.<\/li>\n\n\n\n<li><code>select * from &lt;table&gt; where &lt;column&gt; = &quot;&lt;string&gt;&quot;;<\/code>\u00a0\u2013 Searches for specific data in a column.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The&nbsp;<strong>system schema<\/strong>&nbsp;(sys) and&nbsp;<strong>information schema<\/strong>&nbsp;(information_schema) are critical databases that hold metadata about the server&#8217;s structure and operations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Scanning MySQL Servers<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">To enumerate MySQL services on a target machine, leverage Nmap with the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo 
nmap 10.129.14.128 -sV -sC -p3306 --script \"mysql*\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>MSSQL: Microsoft&#8217;s Enterprise Database<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key Port and Tools<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">MSSQL operates on port&nbsp;<strong>1433<\/strong>, which is often targeted during reconnaissance. To gather information about an MSSQL server, use Nmap with specialised scripts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell \\\n--script-args mssql.instance-port=1433,mssql.username=sa,mssql.password= \\\n-sV -p 1433 10.129.201.248<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For deeper enumeration, Metasploit offers an auxiliary scanner called\u00a0<em>mssql_ping<\/em>, which can provide additional insights into MSSQL instances.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Connecting to MSSQL<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Python&#8217;s Impacket library includes a powerful tool for MSSQL interaction:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once connected, you can list all databases with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select name from sys.databases;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Oracle Databases: The Legacy Powerhouse<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key Port and Configuration<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Oracle databases utilise port\u00a0<strong>1521<\/strong>\u00a0for their Transparent Network Substrate (TNS) listener service. 
Configuration files such as\u00a0<em>tnsnames.ora<\/em>\u00a0and\u00a0<em>listener.ora<\/em>\u00a0are typically found in the\u00a0<em>$ORACLE_HOME\/network\/admin\u00a0directory<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Oracle&#8217;s default credentials (e.g.,\u00a0<em>CHANGE_ON_INSTALL,\u00a0dbsnmp<\/em>) are infamous for being left unchanged in poorly managed environments, making them an easy opportunity during penetration tests.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Essential Commands<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">After establishing a connection via SQL*Plus or tools like ODAT (Oracle Database Attacking Tool), these commands prove invaluable:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>select table_name from all_tables;\u00a0\u2013 Lists all tables accessible by the user.<\/li>\n\n\n\n<li>select * from user_role_privs;\u00a0\u2013 Displays roles assigned to the user.<\/li>\n\n\n\n<li>select name, password from sys.user$;\u00a0\u2013 Accesses user credentials (requires elevated privileges).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Setting Up Oracle Tools<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For penetration testers working with Oracle databases, setting up ODAT is straightforward:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get install libaio1 python3-dev alien -y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/quentinhardy\/odat.git<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cd odat\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>git submodule init &amp;&amp; git submodule update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/download.oracle.com\/...\/instantclient-basic-linux.x64.zip<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip instantclient-basic-linux.x64.zip<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>export 
LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>export PATH=$LD_LIBRARY_PATH:$PATH<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pip3 install cx_Oracle<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To test if ODAT is functioning correctly:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/odat.py -h<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Exploiting File Upload Vulnerabilities<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One notable Oracle vulnerability involves uploading files to the server using UTL_FILE functionality:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"Oracle File Upload Test\" &gt; testing.txt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\\\inetpub\\\\wwwroot testing.txt .\/testing.txt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -X GET http:\/\/10.129.204.235\/testing.txt<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion: The Stakes of Database Security<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Databases like MySQL, MSSQL, and Oracle form the backbone of countless applications worldwide, but they also represent significant attack surfaces when misconfigured or left unpatched. As demonstrated above, understanding how these systems function at a granular level is crucial for both offensive and defensive security professionals.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Whether you&#8217;re scanning networks with Nmap or diving deep into schema structures with SQL commands, always remember: knowledge is power, but with great power comes great responsibility. 
Misuse of these techniques could lead to severe legal consequences, so ensure your activities are authorised and ethical.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By securing these critical systems today, we can prevent tomorrow&#8217;s breaches because in cybersecurity, it&#8217;s not&nbsp;<em>if<\/em>&nbsp;you&#8217;ll be targeted but&nbsp;<em>when<\/em>.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Navigate critical database testing strategies for MySQL, MSSQL, and Oracle. Discover pitfalls, best practices, and advanced security measures. Protect data now.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[51,191,194,146,189,188,193,190,162,192],"class_list":["post-232","post","type-post","status-publish","format-standard","hentry","category-security","tag-cybersecurity","tag-database-hardening","tag-database-security","tag-ethical-hacking","tag-mssql-attacks","tag-mysql-exploits","tag-network-scanning","tag-oracle-vulnerabilities","tag-penetration-testing","tag-sql-injection"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=232"}],"version-history":[{"count":1,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/232\/revisions"}],"predecessor-version":[{"id":233,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/232\/revisions\/233"}],"wp:attachment":[{"href"
:"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}