tags:

views:

39

answers:

2
+1  Q: 

MySQL Accept Any Password

Suppose that I have a test server with a large group of test accounts. The test accounts have unknown passwords which are hard-coded into the application's reports and are stored encrypted in the mysql.users table.

Is there any option or hack which can be used to make mysql accept any text as the "correct" password for an account? For example:

Update mysql.user Set Password="*" where 1=1

Note: The above line wouldn't work because it would literally set the password to "*" and not the wildcard character. However, I am looking for a way to create a mysql account which would accept anything as a valid password. This machine is disconnected from the network and I have full access to the mysql database...

A: 

I don't think there is such a hack. However if the password is hardcoded somewhere it should be easy to extract them and generate a script. Except of course if the format where the password is stored is not readable.

Xavier Combelle  2010-06-02 15:09:07
hardcoded passwords are stored inside the binary format used to save the reports (think of a binary non-XML format like Word 2003 but proprietary)
George  2010-06-02 15:47:35
A: 

Not really.

What you can do:

  • change the password to a new one ( SET PASSWORD FOR Piskvor='hunter2'; FLUSH PRIVILEGES; )
  • restart the MySQL server with the --skip-grant-tables option. This will allow any password, for any connection, with access to any database. Caveat: this is a major security hole - any user can modify the mysql database, including the users and passwords while the server is running with this option.

(if you had full access to the database, but would not change existing passwords and/or could not modify server-process options, I'd suspect that something fishy was going on)

Piskvor  2010-06-02 15:10:14

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL