/    Sign up×
Community /Pin to ProfileBookmark

How do they do it? remotely create new mysql user and database.

Copy linkTweet thisAlerts:
Oct 07.2008

Wasn’t sure what to call this thread but I hope its clear.

I was playing with simplescripts.com.

So I give them my ftp details and they install a script for me which is nice. But how the heck do they create the mysql user and mysql database ? I don’t give them any mysql details!

Any ideas?

to post a comment
PHP

3 Comments(s)

Copy linkTweet thisAlerts:
@ariellOct 07.2008 — This is certainly only ONE possibility. However, depending on sql release and settings, there's a couple of scenarios where the db server accepts an ftp account with 777 rights on localhost as TRUSTED USER, thus, thru a few API calls, "the ftp user" is able to obtain enough privileges to set up an account and stuff...

Best from the south.
Copy linkTweet thisAlerts:
@stephan_gerlachauthorOct 07.2008 — oh i see. so what they probably do is simply upload a php file which created the db and db user, run it and then delete it again?
Copy linkTweet thisAlerts:
@ariellOct 07.2008 — Yes. That is quite possible. This is why many "hackers" focus on stealing ftp-access data. It is much easier to retrieve ftp stuff than "hacking" a sql server shell.

Try out this one: Create a "restricted" ftp account. Pass this data to the script guys, and I don't see how they would be able to create root based sql accounts.

Data is everything...
×

Success!

Help @stephan_gerlach spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 6.2,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,
)...