First, I want to differentiate between hacking (seeing how something works) and cracking (doing the same thing for malicious reasons).  There can be a fuzzy line between the two.  I want to stay clearly on the good side.

As an example, I once broke into a government computer, getting root access and changing the root password.  It was by their own request – the only operator had died suddenly, and the family threw out all the documentation he had at home.  The government organization contacted the company I worked for at the time, and I got to break in, and to turn the results over to the proper authorities.  As I look back, this was almost an amplified pen test. (They failed, which was good in this case.)

That’s the good side.  Here’s a bad side (that I chose not to do): I wear a Fitbit tracking device, which counts the steps I take.  Their daily goal is ten thousand steps.  My cardiologist is happy with five thousand, which I normally achieve.  When I got the device, I started looking for ways to hack it.  I’m inquisitive, that’s what I do and how I think.  I found a video where somebody hooked their Fitbit up to a hair trimmer so the device would record two steps a second.  All interesting, until you add in that my company rewards me monetarily for achieving steps.  That turns a cute prank (“Look – a hundred thousand steps today!”) into theft.  That’s wrong.

There’s nothing wrong with giving your cat a Fitbit – just don’t use that one to get points.

With that background, here’s how to do a little white-hat hacking on mysql.

We had to make major changes to the database supporting an application.  The developer was long gone, and nobody had the password to the database.  Really didn’t want to reverse engineer the whole DB and then test to see if it works – that is the wrong way to spend a couple weeks.

(aside: my favorite search tool is Google.  Bing just doesn’t cut it, though I like their image search better – I can specify what license I want the picture to have)

Googling the question led to a long list of mis-hits, and then this winner, in a reply to a longer and more complicated method.  If you’re on the machine and have root access, the anonymous tipster says that

cat /root/.mysql_history|more

is “very informative”.  Which is an understatement – the password is up at the top of the file.

Thanks, Mr. Anonymous.  You helped save the day – and contributed a tool to my hacking toolbox.

 


Footnote: yes, the commands

more /root/.mysql_history

or even

head /root/.mysql_history

are shorter.  This isn’t a code golf contest.  The value is in knowing where to look, not how to look.

Advertisements