1

I have the credentials of a TARGET website database, and SQLMap claims that you can connect to the database directly. Here are my commands on SQLMap in Kali Linux:

sudo sqlmap -d mysql://USER:PASSWORD@TARGET_IP:MySQL_Port/DATABASE

example

sudo sqlmap -d mysql://admin:12345@95.12.45.12:3306/information_schema

but this is the error I get every time

[CRITICAL] SQLAlchemy connection issue ('(_mysql_exceptions.OperationalError)
(1045, "Access denied for user 'admin'@'17.45.65.11' (using password: YES)")')

The IP 17.45.65.11 was my IP, of course, which was denied.

So is there a problem with my command?

Or does anyone know a better way to connect directly to a target database with credentials?

CatChMeIfUCan
  • Does your SQL server provide remote access? Most times default config doesn't open external access. See this thread https://stackoverflow.com/questions/8348506/grant-remote-access-of-mysql-database-from-any-ip-address – Tarun Lalwani Mar 05 '18 at 04:51
  • It is not my server, it's a TARGET – CatChMeIfUCan Mar 05 '18 at 16:16
  • Can you paste the output you got from sqlmap? You can mask any sensitive data before posting that log – Tarun Lalwani Mar 05 '18 at 16:27
  • @TarunLalwani already posted above! `[CRITICAL] SQLAlchemy connection issue ('(_mysql_exceptions.OperationalError) (1045, "Access denied for user 'admin'@'17.45.65.11' (using password: YES)")')` This means my credentials are correct but the server denied my IP... there must be a way – CatChMeIfUCan Mar 05 '18 at 16:30
  • According to [this explanation of the 1045 error](http://www.fromdual.com/mysql-error-codes-and-messages-1000-1049#error_er_dbaccess_denied_error), it may be wrong credentials (wrong user or password) or your IP (17.45.65.11) is not allowed to connect. – SergiyKolesnikov Mar 05 '18 at 22:37
  • @SergiyKolesnikov I am 100% sure that the credentials are correct because the target is using the same credentials, but the problem is IP denial, which is causing the issue. Tried tons of IPs, dedicated ones! Need a solution to bypass that – CatChMeIfUCan Mar 06 '18 at 00:20
  • Just an idea but could it be that the database is set up with `--ssl-mode=REQUIRED` or the user has `REQUIRE SSL` or `REQUIRE X509`? – SuperShoot Mar 06 '18 at 01:44
  • @CatChMeIfUCan As I said, the same error (1045) occurs if the connecting IP was not granted access to the database. It is common practice to allow access only to localhost when creating a database user. So, you may have the correct username and password, but you can use them only locally on the server. On the other hand, the fact that the server accepts connections from outside may indicate that some other IPs are allowed to connect. In this case, you have to find out which IPs are allowed and connect from one of those. But this has nothing to do with sqlmap. It is a different problem. – SergiyKolesnikov Mar 06 '18 at 07:50
  • @SergiyKolesnikov finding IPs is a good idea actually, and of course it has nothing to do with sqlmap, BUT sqlmap claims that you can connect to external databases; there are a lot of videos and articles – CatChMeIfUCan Mar 06 '18 at 13:13
  • @georgexsh it's a vulnerability penetration! I have the same statements on my website – CatChMeIfUCan Mar 08 '18 at 06:40

3 Answers

7

Credentials for MySQL include not only a username and a password, but also a set of allowed IP addresses. So, even if we have the correct username and password, if the connection is established from an IP that is not allowed, we will get the 1045 "Access denied" error from sqlmap.

To illustrate the problem, I set up a test database `testdb` with user `admin`. Here are the user's credentials:

MariaDB [testdb]> select host,user,password from mysql.user where user='admin';
+-------------+-------+-------------------------------------------+
| host        | user  | password                                  |
+-------------+-------+-------------------------------------------+
| 92.168.0.20 | admin | *00A51F3F48415C7D4E8900010101010101010101 |
+-------------+-------+-------------------------------------------+

As it is shown in the host column, the user admin is allowed to access the server only from the IP 92.168.0.20. Now, if I run sqlmap from this IP it succeeds:

$ sudo sqlmap -d 'mysql://admin:12345@92.168.0.99:3306/testdb'

...

[*] starting at 09:28:43

[09:28:43] [INFO] connection to mysql server 92.168.0.99:3306 established
[09:28:43] [INFO] testing MySQL
[09:28:43] [INFO] resumed: [[u'1']]...
[09:28:43] [INFO] confirming MySQL
[09:28:43] [INFO] resumed: [[u'1']]...
[09:28:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[09:28:43] [INFO] connection to mysql server 92.168.0.99:3306 closed

[*] shutting down at 09:28:43

If I run sqlmap from a different IP it fails with the 1045 "Access denied" error (exactly as in your output):

$ sudo sqlmap -d 'mysql://admin:12345@92.168.0.99:3306/testdb'

...

[*] starting at 09:32:00

[09:32:00] [CRITICAL] SQLAlchemy connection issue ('(_mysql_exceptions.OperationalError)
  (1045, "Access denied for user 'admin'@'92.168.0.55' (using password: YES)")')

[*] shutting down at 09:32:00

So, if you are sure that you have the correct username and password, the problem is highly likely in the allowed IPs. When creating a MySQL user, it is common practice to allow access only from localhost. Therefore, you may have the correct username and password, but you can use them only locally on the server. On the other hand, the fact that the server accepts connections from outside may indicate that some other IPs are allowed to connect. In this case, you have to find out which IPs are allowed and connect from one of those.

SergiyKolesnikov
  • Thank you for your explanation! Now do you have any idea how I can search for allowed IPs? I have Kali Linux penetration tools also – CatChMeIfUCan Mar 06 '18 at 13:16
  • @CatChMeIfUCan Good question... I would ask it on https://security.stackexchange.com – SergiyKolesnikov Mar 06 '18 at 15:32
  • https://security.stackexchange.com/questions/181076/bypassing-ip-restriction-or-finding-accepted-ips-for-sql-database is it clear enough? – CatChMeIfUCan Mar 06 '18 at 19:42
  • `SELECT host, plugin FROM mysql.user WHERE user = 'admin';` will provide a list of the IPs / CIDRs / hostnames that have been allowed for `admin`. – Rick James Mar 06 '18 at 21:01
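
The host-based matching described in the answer above, sketched from the server owner's side as an added example (not code from the answer or from MySQL): it checks which `user`@`host` rows a client address would satisfy and lists accounts whose host pattern is wider than a single machine. The account rows are constructed sample data, the function names are hypothetical, and hostname patterns that need reverse DNS are not modelled.

```python
import ipaddress
import re

# Constructed sample of `SELECT host, user FROM mysql.user` rows (not the page's server).
SAMPLE_ACCOUNTS = [
    ("localhost", "app"),
    ("92.168.0.20", "admin"),
    ("10.1.2.%", "report"),
    ("198.51.100.0/255.255.255.0", "backup"),
    ("%", "legacy"),
]
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}


def host_matches(pattern, client_ip):
    """True if client_ip satisfies an IP-style account host pattern."""
    if "/" in pattern:  # base_ip/netmask form
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    # LIKE-style wildcards: '%' is any run of characters, '_' exactly one.
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, client_ip) is not None


def exposure(pattern):
    """Classify how wide an account's host pattern is."""
    if pattern in LOCAL_ONLY:
        return "local-only"
    if pattern == "%":
        return "any-host"
    if any(ch in pattern for ch in "/%_"):
        return "range"
    return "single-host"


def accounts_reachable_from(accounts, client_ip):
    """(user, host) rows that a connection from client_ip could select."""
    return [(user, host) for host, user in accounts if host_matches(host, client_ip)]


def audit(accounts):
    """Rows to review: every host pattern wider than one machine."""
    return [(u, h, exposure(h)) for h, u in accounts if exposure(h) in ("any-host", "range")]


if __name__ == "__main__":
    print(accounts_reachable_from(SAMPLE_ACCOUNTS, "92.168.0.55"))  # the rejected client IP from the answer
    for row in audit(SAMPLE_ACCOUNTS):
        print(row)
```

Run against the rows of your own server, `audit` gives the list of grants to narrow, with `any-host` entries first in priority.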
0

Go into MySQL with sufficient privileges and check what permissions you have:

SHOW GRANTS FOR 'admin'@'17.45.65.11';
SHOW GRANTS FOR 'admin'@'%';
SELECT host, plugin FROM mysql.user WHERE user = 'admin';

The last one is a desperation to see what you might have.

If not adequate, do something like

GRANT SELECT ON *.* TO 'admin'@'17.45.65.11' IDENTIFIED BY 'some password';

I say "something like" because you may need more than just SELECT or you may want to limit it to less than all databases (*.*), or more than just that one IP address. Etc.

Note: If you already have some GRANT ... TO 'admin'@'localhost' ..., that will not suffice.

Also, note that whatever you do should be scrutinized for security issues.

Rick James
  • I'm aware of SQL privileges... Please read the question carefully. It's a TARGET, e.g. _someone else trying to hack or test the vulnerabilities_ – CatChMeIfUCan Mar 05 '18 at 16:20
  • Got it now, what you meant. Let me check something and get back – Tarun Lalwani Mar 05 '18 at 16:21
  • @TarunLalwani thanks, I will appreciate it if you find a way – CatChMeIfUCan Mar 05 '18 at 16:24
  • Sorry, I did not know what you meant by TARGET. 1045 means bad password. So that is a line of defense. Another is to be sure to limit which IP addresses admin can come from. I was hoping to see that from the `SHOWs`. – Rick James Mar 05 '18 at 21:00
  • @RickJames well, when I put a different password it gives me another error. The user is using the same credentials for a successful connection through his website; I just copy-pasted the credentials from his config file, so pretty sure the credentials are correct. The problem is IP denial – CatChMeIfUCan Mar 06 '18 at 00:24
-1

By default, a MySQL server does not allow remote access; it only allows localhost (127.0.0.1). Check the user access rights on the server.

MarkH