Dumping MySQL Database
During one of the recent pentests I was able to download files from a vulnerable server. The server had a MySQL instance running on it and I wanted to take a look at the database.
In short, here is how MySQL stores its databases:
- they are not encrypted by design (at least in a standard configuration)
- a database is stored under
- tables are stored under
So if you are able to get the files, you are in a pretty good position.
First of all I created a virtual machine with a MySQL server installed. I wanted to be sure that the database was as clean as possible. Then I created another VM with the application from the server installed. In my case the application was ServiceDesk, so I received a list of .frm files under /var/lib/mysql/servicedesk/. These files store information about the tables, but don't contain the data itself. For the data you'll need the following files: ibdata1. You can find these files in
Let’s assume you downloaded all the files. Then you need to stop the MySQL server:
service mysql stop
Copy all files you downloaded from the vulnerable server to the corresponding directories on your server running MySQL.
Then you only need to start MySQL again:
service mysql start
It should start smoothly, and you can now connect to your database, which should contain all the data from the vulnerable server.
In some cases MySQL stores data in .myd files. The process would be the same, just the file extensions would be different.
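Before copying anything into the clean server, it helps to check which data files each table actually depends on. The script below is an added example, not part of the original post: it inventories a copied data directory and reports, per .frm file, whether the matching data file is present. It goes beyond the text by also recognising .ibd (InnoDB file-per-table) and .MYI (MyISAM index) files; the table names in the sample are constructed.

```python
import os
import tempfile
from collections import defaultdict

def inventory(datadir, database):
    """Return {table: (storage, complete)} for one database directory."""
    exts = defaultdict(set)
    for name in os.listdir(os.path.join(datadir, database)):
        stem, ext = os.path.splitext(name)
        exts[stem].add(ext.lower())          # .MYD and .myd are treated alike
    has_ibdata = os.path.isfile(os.path.join(datadir, "ibdata1"))
    report = {}
    for table, found in sorted(exts.items()):
        if ".frm" not in found:
            continue                         # e.g. db.opt: not a table definition
        if ".myd" in found:
            # MyISAM keeps rows in .MYD and indexes in .MYI
            report[table] = ("MyISAM", ".myi" in found)
        elif ".ibd" in found:
            # Per-table tablespace; InnoDB's data dictionary is still in ibdata1
            report[table] = ("InnoDB file-per-table", has_ibdata)
        else:
            # Only a definition: rows are assumed to sit in the shared ibdata1
            # (a view would also look like this)
            report[table] = ("InnoDB shared tablespace", has_ibdata)
    return report

def build_sample(root, with_ibdata=True):
    """Create a constructed data directory (table names are made up)."""
    db = os.path.join(root, "servicedesk")
    os.makedirs(db)
    files = ["db.opt", "tickets.frm", "tickets.MYD", "tickets.MYI",
             "users.frm", "audit.frm", "audit.ibd"]
    for name in files:
        open(os.path.join(db, name), "wb").close()
    if with_ibdata:
        open(os.path.join(root, "ibdata1"), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, with_ibdata=False)
        for table, (storage, complete) in inventory(root, "servicedesk").items():
            print(f"{table:10} {storage:26} {'ok' if complete else 'INCOMPLETE'}")
```

A table marked INCOMPLETE will show up in the restored server by name but fail when queried, which is the usual symptom of copying the .frm files without ibdata1.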