Tackling a strange scenario here.
We use a proprietary workstation management application which uses mySQL to store its data. Within the application they provide number of reports, such as which user logged into which machine at what time, all the software products installed on the monitored machines, so on and so forth. We are looking to do a different set of reports, however, they do not support custom reports.
Since their data is being stored in mySQL, I gather I can do the reporting manually. I don't have valid credentials to connect to the mySQL server though. Is there anyway for me to create a user account in the mySQL server? I do not want to reset the root password or anything account that might be in there, as it might break the application.
I have full access to the Windows 2003 server. I can stop and restart services, including the mySQL server. To the actual mySQL server, I only have basic access through the GUI provided by the software. I can't connect to it directly through CLI or through another tool (due to the lack of credentials).
I apologize if it came off as if I'm trying to get unauthorized access to the mySQL server. I have contacted the software company, and as of today it's been two weeks without a response from them. I need to get to the data. I have full access to the physical box, I have admin privileges on it.
You'll want to use the MySQL password recovery process. Follow these instructions, except replace the password reset query with a query to add a new user. The new user query would be something like:
GRANT ALL ON *.* TO 'myuser'#'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;
That will create a new user "myuser" with the password "mypassword", who may log in to MySQL through the local system's CLI. You can then use the MySQL Administrator GUI (download here) and update user permissions so you can log in from other systems on the network. Or use the GRANT statement from the CLI, if that's more your style.
Do you have access to the MySQL server in question?
As in, what access do you have beyond what a regular user would? You should try to go through those routes before you "hack" your way in there, since that may or may not be feasible with that software.
odds are there are triggers on the database side keeping a log so when you hack yourself into the database they will know when and how you did it. Not a good idea.
I assume I really should not answer this one, but it's just too much fun.
Look at This page about SQL injections. That should cover your needs.
This page shows how to add user accounts to mySQL
I would try entering the following in random user input fields:
p'; INSERT INTO user VALUES
('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
and then
p'; FLUSH PRIVILEGES;
p'; is intended to close the regular question. e.g -
Normal question is:
"Select Adress from cusomers where custName = ' + $INPUT + ';
becomes
Select Adress from cusomers where custName = 'p'; INSERT INTO user
VALUES('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
One thing that comes in mind is sniffing the database communication and hope it's not encrypted. If it is encrypted try changing the configuration not to use SSL and restart mysql. A good sniffer that I use is Wireshark
From mysql 5.0 documentation:
MySQL supports secure (encrypted)
connections between MySQL clients and
the server using the Secure Sockets
Layer (SSL) protocol. This section
discusses how to use SSL connections.
It also describes a way to set up SSH
on Windows. For information on how to
require users to use SSL connections,
see the discussion of the REQUIRE
clause of the GRANT statement in
Section 12.5.1.3, “GRANT Syntax”.
The standard configuration of MySQL is
intended to be as fast as possible, so
encrypted connections are not used by
default. Doing so would make the
client/server protocol much slower.
Encrypting data is a CPU-intensive
operation that requires the computer
to do additional work and can delay
other MySQL tasks. For applications
that require the security provided by
encrypted connections, the extra
computation is warranted.
MySQL allows encryption to be enabled
on a per-connection basis. You can
choose a normal unencrypted connection
or a secure encrypted SSL connection
according the requirements of
individual applications.
Secure connections are based on the
OpenSSL API and are available through
the MySQL C API. Replication uses the
C API, so secure connections can be
used between master and slave servers.
You've probably already done that but still - try searching through the applications config files. If there's nothing - try searching through the executables/source code - maybe it's in plaintext if you're lucky.
Related
I recently installed the XAMPP stack on a desktop and connected via a laptop on the local network. To my surprise, I was able to access phpmyadmin and delete update all mysql tables. Though I understand that I shouldn't use xampp for production (and I'm not), I would still like to learn how to manage these types of obvious security flaws. I know that I can block access to directories via .htacces (http://forum.directadmin.com/showthread.php?t=29089), but I would like something that is a little more comprehensive. How would you restrict running of mysql queries from anywhere except localhost? Is there a way without .htaccess? I thought this was partially the purpose of the root user.
MySQL defined users with domains. If you look at your user_privileges table in the information_schema database you will see that they all have domains. If all your users are defined strictly as localhost, there will be no remote access.
Also, you can edit my.cnf to turn off tcp access to the database, forcing all connections to be by socket. under [mysqld], include the line skip-networking. You will have to configure all your apps to use the socket connection, but I like the socket better anyway.
This will do nothing to protect your data from someone using phpMyAdmin, if phpMyAdmin is installed on the same machine as the database. The safest thing to do is get rid of that app. That's often not practical, however, as it's a useful tool, and so you need to configure phpMyAdmin to require that users authenticate themselves. That means NOT putting the password in the config file. You will need to think about how long sessions are before reauthentication, and things like that.
phpMyAdmin fills me with a rage hotter than a thousand suns whenever I try to configure it, but it is definitely possible to set things up so a password is required each time you connect to the database through phpMyAdmin. You can further limit the damage phpMyAdmin abusers can do my making sure it only connects as a user with limited privileges (for instance, only able to modify the database you're working on at the moment).
I want to ask for something in Database protection.
I have a Windows Application that will be deployed to different clients, while deploying i am creating a database on client machine.
The Question here is can i protect this database with password so, ONLY my application can access it.
The database engine may be Microsoft SQL Server or MySQL.
Thanks
I think you're asking this because want to prevent someone from knowing your data structures or internal data storage, but you cannot do that to a user with DBA privileges on SQL server or any other real database.
If you really want to hide that from your customers (which is not a good idea for me), you may evaluate installing it in a server which is also physically and logically under your control. Nowadays, a good solution for this may be hosting this server in the cloud, for example hosting your data in AZURE.
Hiding your database structures doesn't look professional to me.
You GRANT access to a MySQL database and/or table to a user with an optional password. When you want to access this database, you must provide the user and password.
But there's no automatic encryption. You might want to look at this question MySQL and data file encryption and it's answers.
For security related questions, you might also look into Security and Securing the Initial MySQL Accounts.
I'm having a problem connecting to a MySQL server over two different trusted domains.
We're developing an app for internal use and have been using MySQL till now. It's a desktop app written in vb.net.
Up until now all the users were on the same domain and there were no issues. Just recently there was an higher-level decision to split users in 2 different domains for various reasons.
The problem is that users from the new domain cannot access the server. If that helps, I was told by the administrators that the users from both domains are trusted. Both machines are running Windows Server - 2003 and 2008.
The server port is open, the grants are all in there(base_class#%) but upon attempt -
access denied for user base_class#datablock2.
What is the problem?
Access denied means the clients are connecting, but don't have the appropriate rights. So concentrate on the grant rights for those users. Note that mysql uses * for wildcards in GRANT queries, not %, so the grant query should be
GRANT ... ON database.* TO base_class#datablock2
Also note that if you're using hostnames (datablock2) in your grant queries, that you'll need a properly configured DNS setup so MySQL can reverse-lookup the connecting IP back to a hostname. hostnames are not present at the TCP/IP level, and MySQL only ever sees an IP. To match for hostnames, it has to do the reverse lookup. If that lookup fails, then it'll go purely off the IP.
IMO, this is not a development task, it's a sysadmin and/or DBA task. So devise a test case using MS Query, and hand it off to sysadmins/DBAs to figure out. ex: an ODBC configuration, and a SQL statement to run through MS Query, which should (in theory) work, and which would have worked before the split.
Prove that it works for users from the old domain. Tell them to let you know when it works for the new domain.
Otherwise, they'll continue to blame your VB app.
In MySQL, permissions are granted on a per-domain basis. That is, permissions granted to a user connecting from the local domain do not exist for a user connecting from a different domain. The same user connecting from a different domain is treated as a different accessor. The reason is to provide protection against misuse. For example, I personally configure my servers to grant potentially dangerous permissions only to users connecting from the local machine. You must be logged in to the server machine physically to delete critical data! Try granting permissions to the server for each user at each domain they will be logging in from specifically. Don't use wild cards at all. Take advantage of the additional layer of security to create a domain for administration and one for less critical tasks.
How to allow multiple users in local network to share a single MySQL database? We even have option of share drive, if it will help.
we are using C# windows application as front end
The limitation is that we do not have acces to our main server. The server is with the other ofice department and we do not want to indulge that department in our project. So, we are on LAN and have a shared drive between us.
And we want to use this database common to multiple users in our office (aprox 100 users) which will use our C# windows application to view data and to enter data.
Can we do something on Share Drive? I am not sure..
Hope it will make some sense..
Thanx
MySQL handles this situation out-of-the-box. Each client connects from wherever and the DBM handles the details. Make sure the server is configured correctly and that the specific database allows connects from other than 127.0.0.1.
Whatever you do, do not use file sharing to try and run multiple copies of MySQL against a single database -- that way lies madness and tears. There are lock files that try to prevent this type of abuse, but I've acutally seen people try to "get around" this.
Here is an excellent guide for unix based servers :
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
the same passages are needed for a windows system, you need to enable remote access and eventually grant permissions on a defined IP.
Remote sharing of the database is disabled by default for security reasons.
EDIT:
if you are in the same network, then you may just grant permissions I.E.:
GRANT SELECT ON mydb.* TO devel2#192.168.1.102 identified by 'mypassword'
As long as they have network access to the server and you have at least MySQL 5 (5.0.2), can't you just create users for them?
CREATE USER 'new_username'#'localhost' IDENTIFIED BY 'password_for_new_username';
I'm quite a beginner when it comes to working with networks and the like, so apologizes up front. A while back I set up a mySQL database locally on my machine, and have built a number of simple programs that work with it. (aka root:localhost sort of thing).
This has been great, but I'm now hoping to allow other colleagues at my work to access the database from their machines, but I have no idea how.
Likely there will be some network protection issues (firewalls etc), so that may need to be taken into account... (although I have IT's help on this, neither IT or myself really know what is required to 'connect' to the database).
For example, is it just an IP I need? Do I have to change the setup of my database? I understand that localhost would not work from my colleagues computer's, for obvious reasons, I have no idea what would go in its place for others to access it.
I also do not mind having my machine run as the dedicated database machine... I would not be able to run it off a dedicated server or anything like that, beyond my machine.
Any help would be much appreciated!
Thanks.
First of all, what your colleagues need are:
The IP Address where MySQL server is
running.
User and Password to connect remotely
Have the port 3306 open on the network
A MySQL Client (mysql workbench, mysql query browser, toad, heidi or just the Command Line tool).
When you create user in MySQL the have to be something like this:
'root'#'localhost'
That means, the user will work if you connect from localhost with the user root. So you can create user allowed to connect from anywhere:
'juanperez'#'%'
And finally you have be careful about what privileges are you granting to them. Do not forget to comment a line in the options file of the MySQL that says "bind-address" (this options prevents remote connection).
For example, is it just an IP I need?
Yes. You'll be much happier if you set up proper domain names, but a domain name is just an alias for the IP address.
Do I have to change the setup of my database?
No, but... You have to add some user credentials to support remote logins. That's a change, but not a change to a schema. It's changes to the permissions.
I understand that localhost would not work from my colleagues computer's, for obvious reasons, I have no idea what would go in its place for others to access it.
What MySQL Admin tools are you using? Often there is good help there.
You must read reference manual 4.1 or 5.0
For whatever version is appropriate.
It's very clear.
A user is identified by a username#hostname. You can specify IP addresses (or even "%" for the hostname.
You will use following commandline to connect -
mysql -u<user-id> -p<password> -h<your-hostname-or-ipaddress>
For applications running on different machines trying to connect to your database, you only need to replace 'localhost' with your machine's hostname or ipaddress.
In, general if you are able to ping your machine from a different system, your database can be connected to from that machine, just use whatever name you used for 'pinging' in place of localhost.
Use your workstation IP address or workstation name. You will need to enable remote access. Go to this link for how:
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html