MySQL accepts any password

Question

MySQL accepts any password

Suppose I have a test server with a large group of test accounts. Test accounts have unknown passwords that are hard-coded in application reports and stored in encrypted form in the mysql.users table.

Is there any option or hack that can be used to force mysql to use any text as the "correct" password for the account? For instance:

Update mysql.user Set Password="*" where 1=1

Note. The above line will not work because it will literally set the password to "*", not a wildcard. However, I am looking for a way to create a mysql account that will accept anything as a valid password. This computer is offline and I have full access to the mysql database ...

+3

mysql passwords

George Jun 2 '10 at 15:00

source share

2 answers

, . , - , script. , , , , .

0

Xavier Combelle 02 . '10 15:09

Piskvor · Accepted Answer · 2010-06-02T15:10:14+0000

Not really.

What can you do:

change password to new ( SET PASSWORD FOR Piskvor='hunter2'; FLUSH PRIVILEGES;)
restart MySQL server with option --skip-grant-tables. This will allow any password for any connection with access to any database. Caution: this is a serious security hole - any user can change the database mysql, including users and passwords, when the server is working with this option.

(if you had full access to the database, but would not change the existing passwords and / or could not change the parameters of the server process, I would suspect that something suspicious is happening)

MySQL accepts any password

More articles: