Some experience with MySQL security issues (anonymous users) (reposted)

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01

Two days ago, while helping a friend organize his home page space, I found a MySQL problem that many people may overlook. After MySQL is installed, it automatically creates a root user and an anonymous user, each with an empty initial password. Many references remind you to set a password for root promptly but ignore the anonymous user, probably because by default it can only be used from the local computer.

But if your MySQL server provides database service to a Web server, ignoring this anonymous user can be costly, because by default the anonymous user has almost the same permissions on localhost as root. If your customers are allowed to upload script files that can perform MySQL database operations (such as PHP scripts that operate on MySQL), your MySQL data may already have been changed beyond recognition:

Today, when I was helping my friend organize his home page space, I tried uploading a very simple PHP file that executed SQL statements. I left the user and password in the connection string empty, with host=localhost, and found that my SQL statement could be executed. So I executed select * from mysql.user to check the user permissions. I found that this user has very high permissions on localhost, even grant_priv. (When viewing the result, you will find that under the root user there are two rows with an empty username and password, but every permission is Y; that is, the anonymous user has both local and remote permissions set.)

So I tried to create a new user with this PHP page and grant it higher permissions, and it succeeded. I could then use this new user to connect to the site's MySQL server from my local MySQL client and use the newly created user's administrative rights to manage the site's MySQL server. Seeing how easily I could perform in-depth database operations like this, how dare I put the sensitive information of my friend's home page into this MySQL server?

Suggestions for improvement:

1. After installing MySQL, change not only the root user's password but also the anonymous user's password, in the same way as for root:

CODE:
mysql> UPDATE mysql.user SET password=PASSWORD('yournewpassword') WHERE user='';

mysql> FLUSH PRIVILEGES;
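
An audit-and-remove variant of the fix above, as an added example that is not from the original article: it lists the anonymous accounts and the privileges they hold in the grant tables, then deletes those rows instead of giving them a password. It assumes an older MySQL server whose grant tables match the ones the article queries, and a session that is allowed to modify the `mysql` database.

```sql
-- Added example, not part of the original article.

-- 1. Audit: anonymous accounts are the rows whose user name is empty.
--    A 'Y' in Grant_priv means the account can hand privileges to others,
--    which is what made the new-user trick described above possible.
SELECT user, host,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv, File_priv, Grant_priv, Super_priv
FROM mysql.user
WHERE user = '';

-- 2. Audit: database-level grants that also apply to anonymous accounts.
SELECT host, db, Select_priv, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE user = '';

-- 3. Remove the anonymous accounts from both grant tables.
DELETE FROM mysql.db   WHERE user = '';
DELETE FROM mysql.user WHERE user = '';

-- 4. Direct edits to the grant tables only take effect after a reload.
FLUSH PRIVILEGES;

-- 5. Re-check after the change.
SELECT COUNT(*) AS anonymous_accounts
FROM mysql.user
WHERE user = '';
```

Run steps 1 and 2 before deciding on step 3, since an application that connects without a user name will stop working once the rows are gone.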
