Suppose that I have a test se开发者_StackOverflow社区rver with a large group of test accounts. The test accounts have unknown passwords which are hard-coded into the application's reports and are stored encrypted in the mysql.users table.
Is there any option or hack which can be used to make mysql accept any text as the "correct" password for an account? For example:
Update mysql.user Set Password="*" where 1=1
Note: The above line wouldn't work because it would literally set the password to "*" and not the wildcard character. However, I am looking for a way to create a mysql account which would accept anything as a valid password. This machine is disconnected from the network and I have full access to the mysql database...
Not really.
What you can do:
- change the password to a new one (
SET PASSWORD FOR Piskvor='hunter2'; FLUSH PRIVILEGES;
) - restart the MySQL server with the
--skip-grant-tables
option. This will allow any password, for any connection, with access to any database. Caveat: this is a major security hole - any user can modify themysql
database, including the users and passwords while the server is running with this option.
(if you had full access to the database, but would not change existing passwords and/or could not modify server-process options, I'd suspect that something fishy was going on)
I don't think there is such a hack. However if the password is hardcoded somewhere it should be easy to extract them and generate a script. Except of course if the format where the password is stored is not readable.
Very old question. But today I have foundout that it can be done with --skip-grant-tables option on startup mysql service.
https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables
--skip-grant-tables causes the server not to read the grant tables in the mysql system database, and thus to start without using the privilege system at all. This gives anyone with access to the server unrestricted access to all databases.
精彩评论