‘Strings’ to the Rescue

Aug 29, 2009 / By Sheeri Cabral


A broken VIEW was caused by the view’s definer not existing on the server. In this particular system, backups are done by replicating all the machines (production, development, test, etc.) to one server and doing cold physical backups off that server, which currently has 12 instances running.

So, to find out on which machine the user might still be defined, I went to the backup server. All the data directories are in one path, i.e.:

instance 1 has a datadir of /data/mysql/instance1
instance 2 has a datadir of /data/mysql/instance2

Now, the Unix tool strings can be used against many types of files. In particular, though, you can use strings on the mysql/user.MYD file to see the username, host, and password hash. (Note that strings only shows strings longer than 3 characters, so if your host or username is 3 characters or less, it will not show up in the output of strings. You can change this with the -n option to strings.)

$ cd /data/mysql/
$ strings -f */mysql/user.MYD | grep username
instance5/mysql/user.MYD: username*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
instance7/mysql/user.MYD: username*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$

While writing this tidbit up, I realized I could have easily run grep and gotten the same results:

$ grep username */mysql/user.MYD
Binary file instance5/mysql/user.MYD matches
Binary file instance7/mysql/user.MYD matches

So do not underestimate the power of basic tools such as strings and grep. They can really help you! (I often use strings mysql/user.MYD to see if a particular mysql user has been set up, especially when I cannot seem to log in. This way I know whether I am typing an incorrect password or the user simply does not exist at all.)
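The procedure above, scripted as an added example (this is not code from the original post). It walks every instance under one data root, assumed to be laid out as /data/mysql/instanceN/mysql/user.MYD as described above, and reports which instances hold a row for a given username. It searches with grep -a so the binary .MYD file is treated as text and gives a usable exit status rather than the "Binary file ... matches" line shown above; a second function keeps the strings | grep form with the -n minimum length made explicit, covering the 3-character caveat. The sample tree it builds (seven instances, fake user.MYD contents with placeholder hashes) is constructed here so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the post's
# manual step: look under one backup root for every instance's mysql/user.MYD
# and report which instances have a row for a given MySQL username.
# Assumed layout (as in the post): <root>/<instance>/mysql/user.MYD

# find_user_instances ROOT USERNAME
# Prints the name of each instance whose mysql/user.MYD contains USERNAME.
# grep -a treats the binary MyISAM data file as text, so instead of the
# "Binary file ... matches" line the post shows we get a clean exit status.
find_user_instances() {
    root=$1
    user=$2
    for f in "$root"/*/mysql/user.MYD; do
        [ -f "$f" ] || continue
        # -a: binary as text, -F: literal string, -q: exit status only
        if grep -a -q -F -- "$user" "$f"; then
            inst=${f#"$root"/}           # drop the root prefix ...
            inst=${inst%/mysql/user.MYD} # ... and the fixed suffix
            printf '%s\n' "$inst"
        fi
    done
}

# show_user_rows ROOT USERNAME [MINLEN]
# The post's `strings -f */mysql/user.MYD | grep username`, with the minimum
# string length made explicit. strings defaults to 4, so a 3-character user
# or host only appears if MINLEN is lowered (the -n caveat from the post).
show_user_rows() {
    root=$1
    user=$2
    minlen=${3:-4}
    command -v strings >/dev/null 2>&1 || {
        echo "strings(1) not installed; use find_user_instances instead" >&2
        return 1
    }
    (cd "$root" && strings -n "$minlen" -f */mysql/user.MYD | grep -F -- "$user")
}

# build_sample_tree DIR
# Constructed fixture standing in for a backup server with 7 instances.
# The files are not real MyISAM data; they just mix bytes a .MYD file would
# contain (length bytes, NULs, 0xFF) with host/user/hash text so that grep
# sees a binary file, as it would on the real server. Hashes are placeholders.
build_sample_tree() {
    dir=$1
    for n in 1 2 3 4 5 6 7; do
        mkdir -p "$dir/instance$n/mysql"
        # every instance has root@localhost
        printf '\001\000\011localhost\004root*PLACEHOLDERHASH0000000000000000000000\000\377' \
            > "$dir/instance$n/mysql/user.MYD"
    done
    # a 3-character user: invisible to strings at its default minimum length
    printf '\001\000\011localhost\003bob*PLACEHOLDERHASH0000000000000000000000\000\377' \
        >> "$dir/instance3/mysql/user.MYD"
    # the user the post was looking for exists on two instances
    for n in 5 7; do
        printf '\001\000\001%%\010username*PLACEHOLDERHASH0000000000000000000000\000\377' \
            >> "$dir/instance$n/mysql/user.MYD"
    done
}

# Stand-alone run: build the fixture in a temp dir and report on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    echo "instances defining 'username':"
    find_user_instances "$tmp" username
    echo "instances defining 'bob':"
    find_user_instances "$tmp" bob
    rm -rf "$tmp"
fi
```

Run it with --demo to see the constructed tree scanned; on a real backup server call find_user_instances /data/mysql username directly. A match only says the bytes are present somewhere in the file, which is what strcmp's question in the comments is about: when a match matters, confirm it against the live instance with SELECT User, Host FROM mysql.user.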

3 Responses to “‘Strings’ to the Rescue”

  • strcmp says:

    Do you get false positives with this method? Is DELETE-d data overwritten by the storage engine, or can you get matches on dead remnants in the table’s free space?

  • Sheeri Cabral says:

    strcmp — good question. I haven’t ever run into false positives, but it’s not a technique I use very frequently (maybe once every few months). Theoretically it’s possible, but at least for the mysql.user table and the mysql database in general, those tables don’t tend to get highly fragmented.

  • You’re obviously really onto something, Sheeri. See Sequoia Voting Systems hacks self in foot:

    Sequoia Voting Systems has inadvertently released the SQL (Structured Query Language) code for its voting databases. The existence of such code appears to violate Federal voting law. […]

    The Linux “strings” command was able to peel it apart. Nedit was able to digest 800meg text files. What was revealed was thousands of lines of MS-SQL source code that appears to control or at least influence the logical flow of the election…
