MySQL servers have several environment variables that are used in different ways by system administrators and web developers.
This recipe shows you how to use Nmap to list environment variables in MySQL servers.
Open your terminal and enter the following Nmap command:
$ nmap -p3306 --script mysql-variables --script-args mysqluser=<root>,mysqlpass=<pass> <target>
The MySQL variables will be listed under mysql-variables:
3306/tcp open mysql
| mysql-variables:
|   auto_increment_increment: 1
|   auto_increment_offset: 1
|   automatic_sp_privileges: ON
|   back_log: 50
|   basedir: /usr/
|   binlog_cache_size: 32768
|   bulk_insert_buffer_size: 8388608
|   character_set_client: latin1
|   character_set_connection: latin1
|   character_set_database: latin1
| .
| .
| .
|   version_comment: (Debian)
|   version_compile_machine: powerpc
|   version_compile_os: debian-linux-gnu
|_  wait_timeout: 28800
We used the arguments -p3306 --script mysql-variables --script-args mysqluser=<root>,mysqlpass=<pass> to make Nmap initiate the script mysql-variables if a MySQL server is found running on port 3306.
The script mysql-variables was submitted by Patrik Karlsson, and it uses the script arguments mysqluser and mysqlpass as authentication credentials against a MySQL server to try to enumerate system variables.
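To turn this output into a configuration check, the following added example (not part of the original recipe or of Nmap) parses the mysql-variables block of saved Nmap output and compares selected variables against a baseline. The sample output, the BASELINE values, and the function names parse_mysql_variables and audit are assumptions made for illustration.

```python
import re

# Constructed sample of Nmap normal output; the values are illustrative only.
SAMPLE = """\
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-variables:
|   auto_increment_increment: 1
|   basedir: /usr/
|   have_ssl: DISABLED
|   local_infile: ON
|   old_passwords: OFF
|   version_comment: (Debian)
|_  wait_timeout: 28800
"""

# Hypothetical baseline for this example; replace with your own policy.
BASELINE = {"local_infile": "OFF", "have_ssl": "YES", "old_passwords": "OFF"}

HEADER = re.compile(r"^\|_? ?([\w-]+):")            # "| script-id:" line
ENTRY = re.compile(r"^\|[_ ]\s{2,}(\w+):\s*(.*)$")  # indented "name: value" line


def parse_mysql_variables(text):
    """Return {name: value} from the mysql-variables block of Nmap output."""
    variables, in_block = {}, False
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            # Only lines under the mysql-variables header are collected.
            in_block = header.group(1) == "mysql-variables"
        elif in_block and (entry := ENTRY.match(line)):
            variables[entry.group(1)] = entry.group(2).strip()
        elif not line.startswith("|"):
            in_block = False  # script output ended
    return variables


def audit(variables, baseline=BASELINE):
    """Return (name, actual, expected) for each variable that deviates."""
    findings = []
    for name, expected in baseline.items():
        actual = variables.get(name, "<not reported>")
        if actual.upper() != expected:
            findings.append((name, actual, expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in audit(parse_mysql_variables(SAMPLE)):
        print(f"{name}: found {actual}, baseline expects {expected}")
```

Elided lines such as "| ." and the output of other scripts in the same scan are ignored by the parser.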
If the MySQL server is running on a different port than 3306 we may use Nmap's service detection or manually set the port with the -p argument.
$ nmap -sV --script mysql-variables <target>
$ nmap -p5555 --script mysql-variables <target>
To retrieve databases, usernames, and variables from a MySQL server with an empty root password, use the following command:
$ nmap -sV --script mysql-variables,mysql-empty-password,mysql-databases,mysql-users <target>