How to Create a MySQL Server BruteForce Tool with Python

Feb 5, 2016 09:14 PM
635901738133600632.jpg

Hello aspiring hackers, It's been a while since I wrote a tutorial, so I figured I might just share one of the tools that I have created to help the community grow.

Scenario

Let's say, that we have done all the recon(both passive and active) and we have scanned the web server for any vulnerabilities, and unfortunately we haven't got any server-side vulnerabilities but just a few client-side vulnerabilites and we all know how that isn't much help sometimes. So you scan for open ports and find that we have a 3306 port open(default port for mysql server). That's really good, if we can get access to it, cos we can upload shells and add more users to the database and other cool stuff. So let's begin...

Step 1: Import Modules and Settings for Arguments

So python, has a module that we gonna use for the tool. You will just have to install the module for your OS. And for the socks module as well, I'm sorry i don't have a link, but if you google it, you should find it easily. And that's what we will be using for anonymity.(We will be bruteforcing through the TOR network, so it will be slow). But you can just comment that line of code out if you want better speed or something...

635902744893271549.jpg

Step 2: Threading and Dictionary

Since we gonna be bruteforcing, it is obvious that speeds is very important, so I included threading, so that we can be bruteforcing about 10 passwords at once. That will be really loud, but I think it's worth it. And also, we on TOR, so I guess we kinda safe.

635902746633241073.jpg

Step 3: The Real Deal

So our mysql_brute function is where the magic happens, so what happens is, when we try to connect to the target server with the username and password and it fails, then we know that's not it. (I know right, that simple), but if we are successful, they our code variable changes and we know we got a hit.

And for the threader, it just gets the value of the password from the queue to try and passes it to the function.

635902747334708702.jpg

Conclusion

Thanks for taking the time to read this. Well, if you have any questions, just ask and I will get to you as soon as i can. Happy hacking.

God bless you.

Wuzi out.

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!