Hi all,

Tackling a strange scenario here.

We use a proprietary workstation management application which uses MySQL to store its data. Within the application they provide a number of reports, such as which user logged into which machine at what time, all the software products installed on the monitored machines, so on and so forth. We are looking to do a different set of reports; however, they do not support custom reports.

Since their data is being stored in MySQL, I gather I can do the reporting manually. I don't have valid credentials to connect to the MySQL server though. Is there any way for me to create a user account in the MySQL server? I do not want to reset the root password or any account that might be in there, as it might break the application.

Thanks for your help.


I have full access to the Windows 2003 server. I can stop and restart services, including the MySQL server. To the actual MySQL server, I only have basic access through the GUI provided by the software. I can't connect to it directly through CLI or through another tool (due to the lack of credentials).


I apologize if it came off as if I'm trying to get unauthorized access to the MySQL server. I have contacted the software company, and as of today it's been two weeks without a response from them. I need to get to the data. I have full access to the physical box, I have admin privileges on it.

A: 

Do you have access to the MySQL server in question?

As in, what access do you have beyond what a regular user would? You should try to go through those routes before you "hack" your way in there, since that may or may not be feasible with that software.

UltimateBrent
A: 

I assume I really should not answer this one, but it's just too much fun.

Look at this page about SQL injections. That should cover your needs. This page shows how to add user accounts to MySQL.

I would try entering the following in random user input fields:

    p'; INSERT INTO user VALUES
    ('localhost','myNewAdmin',PASSWORD('some_pass'), 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

and then

    p'; FLUSH PRIVILEGES;

p'; is intended to close the regular question, e.g. the normal question is:

    "Select Adress from cusomers where custName = '" + $INPUT + "';"

becomes

    Select Adress from cusomers where custName = 'p'; INSERT INTO user
    VALUES('localhost','myNewAdmin',PASSWORD('some_pass'),
    'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
Tnilsson
I don't mind down votes, but I would prefer to know what was offending. It seems like I am answering the question. If I am wrong in my answer I deserve a bunch of downvotes, but leave a comment so the asker knows that my answer is not to be trusted.
Tnilsson
I downvoted because if you're locked out of your house, the solution is a locksmith -- not a hacksaw.
John Millikin
upvoted, because it's a solution and it's an interesting read :)
Sophia
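
The string concatenation this answer depends on, next to the parameterized form that removes it, as an added example that is not part of the original answer. Python's `sqlite3` stands in for MySQL; the schema, the function names and the shortened payload (privilege columns dropped) are constructed for illustration.

```python
import sqlite3

# Constructed input modelled on the answer's payload (privilege columns dropped).
PAYLOAD = "p'; INSERT INTO user VALUES ('localhost','myNewAdmin','some_pass');"

def make_db():
    """In-memory stand-in for the application's database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cusomers (custName TEXT, Adress TEXT);
        CREATE TABLE user (Host TEXT, User TEXT, Password TEXT);
        INSERT INTO cusomers VALUES ('p', '1 Example Street');
    """)
    return db

def lookup_concatenated(db, cust_name):
    """Vulnerable 'before': user input is spliced into the SQL text."""
    sql = "SELECT Adress FROM cusomers WHERE custName = '" + cust_name + "';"
    try:
        # executescript() models a client that accepts several statements per call.
        db.executescript(sql)
    except sqlite3.OperationalError:
        # The template's leftover quote fails to parse, but the statements
        # before it have already been executed.
        pass
    return db.execute("SELECT User FROM user").fetchall()

def lookup_parameterized(db, cust_name):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    rows = db.execute(
        "SELECT Adress FROM cusomers WHERE custName = ?", (cust_name,)
    ).fetchall()
    return rows, db.execute("SELECT User FROM user").fetchall()

if __name__ == "__main__":
    print(lookup_concatenated(make_db(), PAYLOAD))
    print(lookup_parameterized(make_db(), PAYLOAD))
    print(lookup_parameterized(make_db(), "p"))
```

Stacked statements only run where the client API accepts more than one statement per call; the MySQL C API does so only when the connection sets `CLIENT_MULTI_STATEMENTS`, so whether the concatenated form is exploitable this way depends on how the application connects.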
A: 

One thing that comes to mind is sniffing the database communication and hoping it's not encrypted. If it is encrypted, try changing the configuration not to use SSL and restart mysql. A good sniffer that I use is Wireshark.

From the MySQL 5.0 documentation:

MySQL supports secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. This section discusses how to use SSL connections. It also describes a way to set up SSH on Windows. For information on how to require users to use SSL connections, see the discussion of the REQUIRE clause of the GRANT statement in Section 12.5.1.3, “GRANT Syntax”.

The standard configuration of MySQL is intended to be as fast as possible, so encrypted connections are not used by default. Doing so would make the client/server protocol much slower. Encrypting data is a CPU-intensive operation that requires the computer to do additional work and can delay other MySQL tasks. For applications that require the security provided by encrypted connections, the extra computation is warranted.

MySQL allows encryption to be enabled on a per-connection basis. You can choose a normal unencrypted connection or a secure encrypted SSL connection according to the requirements of individual applications.

Secure connections are based on the OpenSSL API and are available through the MySQL C API. Replication uses the C API, so secure connections can be used between master and slave servers.

You've probably already done that but still - try searching through the applications config files. If there's nothing - try searching through the executables/source code - maybe it's in plaintext if you're lucky.

Svet
A: 

Odds are there are triggers on the database side keeping a log, so when you hack yourself into the database they will know when and how you did it. Not a good idea.

corymathews
I'd say it's insane to think that there's some sort of trigger on the DB that fires when an unknown user logs in. How would they set up the architecture to support this? Is there an SMTP client built-in too that mails off the alert? Using what mail server? The likelihood of this is nil.
delfuego
+9  A: 

You'll want to use the MySQL password recovery process. Follow these instructions, except replace the password reset query with a query to add a new user. The new user query would be something like:

    GRANT ALL ON *.* TO 'myuser'@'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;

That will create a new user "myuser" with the password "mypassword", who may log in to MySQL through the local system's CLI. You can then use the MySQL Administrator GUI (download here) and update user permissions so you can log in from other systems on the network. Or use the GRANT statement from the CLI, if that's more your style.

John Millikin
That is exactly what I was looking for. Thank you.
nsr81
The problem with this is that it resets the root password, meaning that if the app depends on a known root password, it's not that anymore... and the user specifically didn't want to reset the root password.
delfuego
Oh, I see -- yes, that'll work fantastically. Nice. Sorry for being a bonehead.
delfuego
delfuego, that's why I advised replacing the query that actually resets the password with one that adds a new user.
John Millikin
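
An account audit covering two points from this thread, added here as an example and not part of any answer: it flags global `GRANT ALL ... WITH GRANT OPTION` accounts (the kind the statement above creates) that are not on an expected list, and remote accounts with no `REQUIRE` clause (the clause named in the documentation excerpt quoted earlier). The input is assumed to follow `SHOW GRANTS` output; the account names, the allowlist and the placeholder hashes are constructed.

```python
import re

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample: SHOW GRANTS-style lines; password hashes are placeholders.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `appdb`.* TO 'appsvc'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'myuser'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'report'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER'",
    "GRANT USAGE ON *.* TO 'backup'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER' REQUIRE SSL",
]

def parse_grant(line):
    """Split one GRANT line into account, privileges, scope and trailing options."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if m is None:
        return None
    return {
        "account": "%s@%s" % (m.group("user"), m.group("host")),
        "host": m.group("host"),
        "privs": {p.strip().upper() for p in m.group("privs").split(",")},
        "scope": m.group("scope"),
        "options": m.group("rest").upper(),
    }

def audit_grants(lines, expected_admins):
    """Return (unexpected global admins, remote accounts without REQUIRE)."""
    admins, no_tls = [], []
    for g in filter(None, map(parse_grant, lines)):
        is_admin = (g["scope"] == "*.*"
                    and g["privs"] & {"ALL", "ALL PRIVILEGES"}
                    and "GRANT OPTION" in g["options"])
        if is_admin and g["account"] not in expected_admins:
            admins.append(g["account"])
        # REQUIRE is reported on the global (*.*) line of an account only.
        local = g["host"] in ("localhost", "127.0.0.1", "::1")
        if g["scope"] == "*.*" and not local and " REQUIRE " not in g["options"]:
            no_tls.append(g["account"])
    return sorted(admins), sorted(no_tls)
```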