
Hardening MySQL

MySQL is the world's most used open source relational database management system (RDBMS) as of 2008. It runs as a server providing multi-user access to a number of databases.
MySQL is a popular choice of database for use in web applications and is a central component of the widely used LAMP open source web application stack (and other 'AMP' stacks). LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python". Free and open source projects that require a full-featured database management system often use MySQL.

As you all know, with great power comes great responsibility :D ...and malware too ;-). So how can we make it difficult or impossible for an attacker to exploit our network by leveraging a flaw in the MySQL server running on our system?
The following tips answer this question in depth:
Tip 1: Disable Remote Access
To restrict MySQL from opening a network socket at all, the following parameter should be added in the [mysqld] section of my.cnf or my.ini:
Another possible solution is to force MySQL to listen only on the localhost interface by adding the following line in the [mysqld] section of my.cnf:

Tip 2: Disable Use of LOCAL INFILE
In certain cases, the "LOAD DATA LOCAL INFILE" statement can be used to read other files on the operating system, for instance "/etc/passwd", into a table with the following command:
mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1;
Even simpler (note that load_file() is controlled by the FILE privilege, covered in Tip 7, rather than by the local-infile setting):
mysql> SELECT load_file('/etc/passwd');
To disable the usage of the "LOCAL INFILE" command, the following parameter should be added in the [mysqld] section of the MySQL configuration file.

Tip 3: Change Default Usernames and Their Passwords
To rename the administrator's username, use the RENAME USER command in the MySQL console (the host part must match the existing account, which is usually 'localhost'):
mysql> RENAME USER 'root'@'localhost' TO 'new_user'@'localhost';

The MySQL "RENAME USER" command first appeared in MySQL version 5.0.2. If you use an older version of MySQL, you can update the grant table directly instead:
mysql> use mysql;
mysql> update user set user='new_user' where user='root';
mysql> flush privileges;

To change a user's password, use the following statement in the MySQL console:
mysql> SET PASSWORD FOR 'username'@'hostname' = PASSWORD('newpass');
It is also possible to change the password using the "mysqladmin" utility:
shell> mysqladmin -u username -p password newpass

Tip 4: Remove the Default Database
A default MySQL installation ships with a database named "test" that any user can access. To remove this database, use the drop command as follows:
mysql> drop database test;

or use the "mysqladmin" command:
shell> mysqladmin -u username -p drop test

Tip 5: Remove Anonymous Accounts
The MySQL database comes with some anonymous users with blank passwords. As a result, anyone can connect to the database. To check whether this is the case, do the following:
mysql> select * from mysql.user where user='';
On a secure system, no rows should be returned. Another way to do the same:
mysql> SHOW GRANTS FOR ''@'localhost';
mysql> SHOW GRANTS FOR ''@'myhost';
To drop such accounts, use the following command once per host the query above listed:
mysql> DROP USER ''@'localhost';
or delete them from the grant table directly:
mysql> use mysql;
mysql> DELETE FROM user WHERE user='';
mysql> flush privileges;

Tip 6: Lower System Privileges
To protect your database, make sure that the directory in which the MySQL data is actually stored is owned by the user "mysql" and the group "mysql":
shell> ls -l /var/lib/mysql
In addition, ensure that only the users "mysql" and "root" have access to the directory /var/lib/mysql. The MySQL binaries, which reside under the /usr/bin/ directory, should be owned by "root" or the dedicated "mysql" system user. Other users should not have write access to these files:
shell> ls -l /usr/bin/my*

Tip 7: Lower Database Privileges
Some user ids are used to access the data, such as the user id assigned to the web server to execute select/update/insert/delete queries and stored procedures. In most cases, no other users are necessary; however, only you, as the system administrator, can really know your application's needs. Only administrator accounts need to be granted the SUPER, PROCESS and FILE privileges and access to the mysql database. It is usually a good idea to lower even the administrator's permissions for accessing the data. Review the privileges of the rest of the users and ensure that these are set appropriately. This can be done using the following steps:
mysql> use mysql;                            [select the grant tables]
mysql> select * from user;                   [list all users with their global privileges]
mysql> show grants for 'root'@'localhost';   [list the grants of one user]
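The review in the steps above can be automated over the client's batch output. The script below is an added example and not code from the original post: it reads the tab-separated rows that `mysql -B -e "SELECT User, Host, Password, Super_priv, File_priv, Process_priv FROM mysql.user"` prints on a pre-5.7 server (a constructed sample is embedded), applies Tips 3, 5 and 7 to them and pairs each finding with the fix statement to review; the set of accounts allowed to hold SUPER/FILE/PROCESS (ADMIN_ACCOUNTS) is an assumption to adjust per site.

```python
import csv
import io

# Constructed sample (not from the page): what
#   mysql -B -e "SELECT User, Host, Password, Super_priv, File_priv, Process_priv FROM mysql.user"
# prints on a pre-5.7 server: a header line, then tab-separated rows. Hash values are placeholders.
SAMPLE_USER_TABLE = """\
User\tHost\tPassword\tSuper_priv\tFile_priv\tProcess_priv
root\tlocalhost\t*CONSTRUCTED_HASH_1\tY\tY\tY
root\t%\t*CONSTRUCTED_HASH_1\tY\tY\tY
\tlocalhost\t\tN\tN\tN
webapp\t10.0.5.%\t*CONSTRUCTED_HASH_2\tN\tY\tN
"""

# Assumption: only these account names may hold SUPER, FILE or PROCESS (adjust per site).
ADMIN_ACCOUNTS = {"root"}
DANGEROUS = ("Super_priv", "File_priv", "Process_priv")


def audit_user_table(tsv):
    """Apply Tips 3, 5 and 7 of the post to mysql.user rows.

    Returns a list of (finding, fix_sql) pairs; fix_sql is the statement an
    administrator would review and then run in the mysql console.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(tsv), delimiter="\t"):
        acct = "'%s'@'%s'" % (row["User"], row["Host"])
        if row["User"] == "":
            # Tip 5: anonymous account, drop it outright.
            findings.append(("anonymous account %s" % acct, "DROP USER %s;" % acct))
            continue
        if row["Password"] == "":
            # Tip 3: account without any password.
            findings.append(("empty password for %s" % acct,
                             "SET PASSWORD FOR %s = PASSWORD('<new password>');" % acct))
        if row["User"] in ADMIN_ACCOUNTS and row["Host"] == "%":
            # Tip 1: an administrator account must not be reachable from any host.
            findings.append(("admin account %s allowed from any host" % acct, "DROP USER %s;" % acct))
        held = [p[:-5].upper() for p in DANGEROUS if row[p] == "Y"]
        if held and row["User"] not in ADMIN_ACCOUNTS:
            # Tip 7: SUPER/FILE/PROCESS belong to administrators only.
            privs = ", ".join(held)
            findings.append(("%s holds %s" % (acct, privs), "REVOKE %s ON *.* FROM %s;" % (privs, acct)))
    return findings
```

Run it over the real output by passing the text of the mysql -B command to audit_user_table() and reviewing each returned statement before executing it.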
To disable the usage of the "SHOW DATABASES" command for users who do not hold that privilege, the following parameter should be added in the [mysqld] section of /etc/mysql/my.cnf:

Tip 8: Enable Logging
To enable logging of all queries, add the following line to the [mysqld] section of the /etc/mysql/my.cnf file (the log file must be writable by the "mysql" user):
log = /var/log/mysql-logfile
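Tips 1, 2, 7 and 8 all come down to settings in the [mysqld] section. The script below is an added example, not code from the original post: it parses a my.cnf (a constructed permissive sample is embedded) and reports which of those settings are missing or weak, using the option names MySQL documents for them (skip-networking, bind-address, local-infile, skip-show-database, and general_log or the older log spelling used above).

```python
import configparser

# Constructed sample my.cnf (not from the page): the permissive settings a fresh
# install of the era the post targets typically shipped with.
SAMPLE_MY_CNF = """\
[mysqld]
port = 3306
datadir = /var/lib/mysql
bind-address = 0.0.0.0
local-infile = 1
"""
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def parse_mysqld(text):
    """[mysqld] options as a dict; keys normalised so local_infile == local-infile.
    Bare flags like 'skip-networking' get value '' (allow_no_value); '!include'
    directives are dropped because configparser cannot parse them."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string("\n".join(lines))
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("_", "-"): ("" if v is None else v.strip()) for k, v in cp.items("mysqld")}

def enabled(opts, key, default):
    # MySQL boolean option semantics: a bare key, 1, ON or TRUE all mean enabled.
    if key not in opts:
        return default
    return opts[key].lower() in ("", "1", "on", "true")

def audit_mysqld(text):
    """Apply Tips 1, 2, 7 and 8 of the post to a my.cnf text; return the findings."""
    opts = parse_mysqld(text)
    findings = []
    # Tip 1: either no TCP socket at all, or listen on loopback only.
    if not enabled(opts, "skip-networking", False) and opts.get("bind-address") not in LOOPBACK:
        findings.append("Tip 1: remote TCP access allowed; set skip-networking or bind-address=127.0.0.1")
    # Tip 2: an unset local-infile is treated as ON (the server default before MySQL 8.0).
    if enabled(opts, "local-infile", True):
        findings.append("Tip 2: LOAD DATA LOCAL INFILE allowed; set local-infile=0")
    # Tip 7: without this any user can enumerate databases with SHOW DATABASES.
    if not enabled(opts, "skip-show-database", False):
        findings.append("Tip 7: SHOW DATABASES open to every user; set skip-show-database")
    # Tip 8: 'log' is the old spelling the post uses; general_log is the current option.
    if "log" not in opts and not enabled(opts, "general-log", False):
        findings.append("Tip 8: general query log off; set general_log=1 and general_log_file")
    return findings
```

Call audit_mysqld() with the contents of /etc/mysql/my.cnf to check a live configuration; an empty list means all four settings are in place.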

Tip 9: Chroot MySQL
I will soon post how to jail MySQL in Ubuntu.

Tip 10: Security Features in MySQL

  •  Cryptographic functions: AES_ENCRYPT(), AES_DECRYPT(), DES_ENCRYPT(), DES_DECRYPT(), ...
  •  Encrypting inside MySQL is not safe, as the secrets passed to these functions are logged by MySQL in clear text: process list, InnoDB status, general log, error log, binary log, slow log.
  •  Avoid doing encryption in MySQL.

Tip 11: Connection Encryption

  •  By default everything flows over the network in clear text.
  •  Needs certificates
  •  Free self-signed ones are usually good too!
  •  Enabled with these server options: ssl-ca, ssl-cert, ssl-key
  •  Clients have to ask for encryption!
  •  User access restrictions based on SSL are set in the GRANT statement:

  •  GRANT … TO 'sso'@'10.0.5.%' … REQUIRE SSL
  •  GRANT … TO 'sso'@'10.0.5.%' … REQUIRE X509
  •  GRANT … TO 'sso'@'10.0.5.%' … REQUIRE [ISSUER|SUBJECT] '/C=PL/L=Krakow/O=PSCE/CN=Single Sign-On Service'

Tip 12: Remove History
The mysql client stores the history of executed commands in a plain text file, ~/.mysql_history. To remove it, run:
shell> cat /dev/null > ~/.mysql_history
