
connecting remotely

Hi,
I recently found an SQL injection vulnerability on a server.
In the DB, there's a table named users, and inside there's the username: admin and password: *******
Is knowing this password enough to hack the server?
Thanks

Karlwakim
Junior Poster in Training
89 posts since Dec 2011
Reputation Points: 27
Solved Threads: 2
 

Whether you can connect to the mysql server depends on the combination of username, password and host entry in the mysql.user table. This table is not in your production database, but in a system database named mysql. If username and password match and the server from which the intruder operates matches the pattern in the mysql.user.host column, then the intruder can establish a connection. Whether this is sufficient to do any harm depends on the access rights which are granted to this user in the mysql access control tables.
For a quick test try to connect to your server from the outside using this admin password and see if you can access the database named mysql.

smantscheff
Nearly a Posting Virtuoso
1,233 posts since Oct 2010
Reputation Points: 300
Solved Threads: 254
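
The host matching described in the answer above, as an added example that is not part of the original thread: a small audit helper that takes rows exported from `mysql.user` on your own server and reports which accounts accept a connection from a given client host. The sample rows, account names and function names are constructed for illustration; netmask-style Host values are not handled.

```python
import re

# Constructed sample rows, as an administrator might export them with:
#   SELECT User, Host FROM mysql.user;
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("admin", "%"),
    ("app", "10.0.0.%"),
    ("report", "db-client_.example.internal"),
]


def host_pattern_to_regex(pattern):
    """Translate a mysql.user Host value into a regex.

    In Host values '%' matches any run of characters and '_' matches
    exactly one character, as with LIKE. Everything else is literal.
    Host names compare case-insensitively.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def accounts_reachable_from(rows, client_host):
    """Return the (user, host) rows whose Host pattern matches client_host."""
    return [
        (user, host)
        for user, host in rows
        if host_pattern_to_regex(host).fullmatch(client_host)
    ]


def wildcard_only_accounts(rows):
    """Return accounts whose Host is a bare '%', accepted from any client."""
    return [(user, host) for user, host in rows if host == "%"]


if __name__ == "__main__":
    for client in ("localhost", "10.0.0.15", "203.0.113.7"):
        print(client, "->", accounts_reachable_from(SAMPLE_ROWS, client))
    print("any-host accounts:", wildcard_only_accounts(SAMPLE_ROWS))
```

The helper lists every candidate row; the server itself authenticates against the most specific matching row, and what the account can then do depends on its grants.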
 

Thanks,
The users table has only 1 row.
There are 2 DBs, information_schema and another one.

Karlwakim
Junior Poster in Training
89 posts since Dec 2011
Reputation Points: 27
Solved Threads: 2
 

Show the row from the user table.

smantscheff
Nearly a Posting Virtuoso
1,233 posts since Oct 2010
Reputation Points: 300
Solved Threads: 254
 
