Dumping MySQL Database

During one of the recent pentests I was able to download files from a vulnerable server. The server had a MySQL instance running on it and I wanted to take a look at the database.

In short, how MySQL stores its databases:

So if you are able to get the files, you are in a pretty good position.

First of all, I created a virtual machine with MySQL server installed. I wanted to be sure that the database is as clean as possible. Then I created another VM with the application from the server installed. In my case the application was ServiceDesk, so I received a list of .frm files under /var/lib/mysql/servicedesk/. These files store the table definitions, but not the data itself. For the data you'll need the following files: ib_logfile0, ib_logfile1, and ibdata1. You can find these files in /var/lib/mysql/.

Let's assume you downloaded all the files. Then you need to stop the MySQL server:

service mysql stop

Copy all files you downloaded from the vulnerable server to the corresponding directories on your server running MySQL.

Then you only need to start MySQL:

service mysql start

It should start smoothly, and you can now connect to your database, which is supposed to contain all the data from the vulnerable server.

In some cases MySQL stores data in .myi and .myd files. The process would be the same, just the file extensions would be different.
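
A check that can be run between the copy step and "service mysql start" to confirm the file set described above is complete. This is an added example, not part of the original post; the function names are hypothetical, and it assumes a table with a .frm file but no .myd/.myi keeps its rows in the shared ibdata1 file.

```shell
#!/bin/sh
# Added example: check a copied MySQL data directory for completeness
# before the server is started. Usage: check_datadir DATADIR DBNAME
# Returns 0 when every file the tables need is present, 1 otherwise.

has_file() {  # has_file BASE EXT: BASE.EXT exists in lower or upper case
    lower=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    [ -f "$1.$lower" ] || [ -f "$1.$upper" ]
}

check_datadir() {
    datadir=$1; db=$2
    missing=0; tables=0; shared=0
    if [ ! -d "$datadir/$db" ]; then
        echo "MISSING database directory $datadir/$db"
        return 1
    fi
    for frm in "$datadir/$db"/*.frm; do
        [ -e "$frm" ] || continue            # glob matched nothing
        tables=$((tables + 1))
        base=${frm%.frm}
        table=${base##*/}
        if has_file "$base" myd && has_file "$base" myi; then
            echo "OK      $table: .myd and .myi present"
        elif has_file "$base" myd || has_file "$base" myi; then
            echo "MISSING $table: only one of .myd/.myi was copied"
            missing=1
        else
            # Assumption: no .myd/.myi means the rows live in ibdata1
            echo "SHARED  $table: rows expected in ibdata1"
            shared=1
        fi
    done
    if [ "$tables" -eq 0 ]; then
        echo "MISSING no .frm files in $datadir/$db"
        missing=1
    fi
    if [ "$shared" -eq 1 ]; then
        for f in ibdata1 ib_logfile0 ib_logfile1; do
            if [ ! -f "$datadir/$f" ]; then
                echo "MISSING $datadir/$f"
                missing=1
            fi
        done
    fi
    return "$missing"
}

if [ "$#" -eq 2 ]; then check_datadir "$1" "$2"; fi
```

If the server refuses to start after the copy, also check that the copied files are owned by the account mysqld runs as.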