Finding database passwords in PHP code?

Hal Burgiss hal at burgiss.net
Sat Jan 21 13:50:58 UTC 2012


On Fri, Jan 20, 2012 at 6:06 PM, Patton Echols <p.echols at comcast.net> wrote:

> Do you mean the database name? There are an awful lot of files that
> reference the server.
>
> What I ended up with after several tries was
> $ grep -r DB_PASS * | grep define
>
> That gave me a few lines that look like they contain the actual passwords.
> Late this evening I can test them using phpMyAdmin from the web host's
> control panel.
>
>

If you know the database name, that would be something worth grepping on,
yes. But I really meant the database "hostname".

What you did *might* work, but is purely application-specific. Not all PHP
applications will have that string. But any application that has a database
component will have somewhere a reference to the database server
"hostname". And of course the database name itself. For a MySQL setup you
will always need: username, password, database name and host/server name.
In our organization we always name the database for the client, so there
will probably be a lot of references in the site for that.

This is one example of database server hostname from GoDaddy (lousy
hosting):

   robertballen.db.4881064.hostedresource.com

That kind of thing should be able to be found in the hosting control panel
or the phpMyAdmin setup (if it's preconfigured).

Then grep for that. It's pretty unique. Some apps might define the database
stuff in multiple locations but should all have the same username and
password.


-- 
Hal
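
Added example (not part of the original message or thread): a shell function that carries out the search described above, finding the files that mention the literal database hostname and listing the connection-setting lines in them with file name and line number. The function names, the sample site and the hostname `db.example.invalid` are constructed for illustration; `--include` assumes GNU or BSD grep.

```shell
# find_db_config DIR HOSTNAME
# For every .php file under DIR that mentions HOSTNAME, print file:line:text
# for lines that look like connection settings. The last quoted value on
# lines naming "pass" or "pwd" is masked; open the file to read it.
find_db_config() {
    # -F: hostname is a literal string, so its dots are not regex wildcards
    grep -rlF --include='*.php' -- "$2" "$1" 2>/dev/null | sort |
    while IFS= read -r file; do
        awk '
        function mask(s,    i, j, q) {
            for (i = length(s); i > 0; i--) {      # find closing quote
                q = substr(s, i, 1)
                if (q == "\"" || q == "\047") break
            }
            for (j = i - 1; j > 0; j--)            # find its opening partner
                if (substr(s, j, 1) == q) break
            if (j < 1) return s
            return substr(s, 1, j) "****" substr(s, i)
        }
        {
            l = tolower($0)
            if (l !~ /host|server|user|pass|pwd|db_?name|database/) next
            printf "%s:%d:%s\n", FILENAME, NR, ((l ~ /pass|pwd/) ? mask($0) : $0)
        }' "$file"
    done
}

# Constructed sample site: hostname and credentials are made up.
make_sample_site() {
    d=$(mktemp -d) && mkdir -p "$d/inc"
    cat > "$d/config.php" <<'EOF'
<?php
define('DB_NAME', 'client_db');
define('DB_USER', 'client_user');
define('DB_PASS', 'constructed-secret');
define('DB_HOST', 'db.example.invalid');
EOF
    # Decoy: would match only if the dots were treated as wildcards.
    printf '%s\n' '<?php $password = "x"; // dbXexample.invalid' > "$d/inc/decoy.php"
    echo "$d"
}

site=$(make_sample_site)
find_db_config "$site" db.example.invalid
rm -rf "$site"
```

Masking is keyed on the setting's name, so a password passed positionally (for example as a bare function argument) is printed as it appears in the file.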