
My client forgot the password to log in to the backend of the website, which was developed by another developer who refused to help. Therefore, I went to the SQL database to see if I could retrieve the password directly from there, but it seems that the password is encrypted. See below:

3a0606b25e75eb6c1fed61886844832e

It would be easier if I knew how the password was encrypted so that I could just encrypt a new password and add it to SQL, but when I looked at the code (in the password-changing PHP file) there is something called salt_pass that encrypts the password for this website. See the code below:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $db = new database();
    // Look up the stored password hash for the submitted user id
    // ($_POST['id'] is interpolated straight into the WHERE condition)
    $option_uw = array(
        "table"     => "users",
        "fields"    => "password",
        "condition" => "id='{$_POST['id']}'"
    );
    $query_uw = $db->select($option_uw);
    $rs_uw    = $db->get($query_uw);

    // Old password must hash to the stored value before the new one is written
    if ($rs_uw['password'] == trim(salt_pass($_POST['oldpassword']))) {
        $value_pw = array(
            "password" => trim(salt_pass($_POST['pass']))
        );
        $query_pw = $db->update("users", $value_pw, "id='{$_POST['id']}'");

        if ($query_pw == TRUE) {
            header("location:" . $baseUrl . "/back/user");
        }
    } else {
        $_SESSION[_ss . 'msg_result'] = TRUE;
        header("location:" . $baseUrl . "/back/user/changepassword");
    }
    mysql_close();
}

Here is the salt_pass function

function salt_pass($pass) {
    // Same fixed string is prepended for every user, then MD5-hashed
    return md5("supapongherb.com" . $pass);
}

Does anybody know how I can regenerate or encrypt the new password according to this code?

PS. The website is developed with MVC programming and I am really capable of it. Please let me know if you would like to see more files.

Thank you in advance!

  • Look at the `insert` syntax and you should be able to figure out how the password is/was generated. It probably was hashed and you won't be able to de-hash it because hashing is not encrypting, it only goes one way. – chris85 Nov 28 '16 at 03:06
  • I just found this function. I am not sure what to do next. `function salt_pass($pass) { return md5("supapongherb.com" . $pass); }` – scottymorg Nov 28 '16 at 03:12
  • Now you can generate a new password because you know the (outdated) hashing algorithm and the salt that was used. You don't even need to do it in PHP. `update users set password = md5(concat("supapongherb.com", 'NEWPASSWORD')) where userid = ??`. Something like that. – chris85 Nov 28 '16 at 03:13
  • You shouldn't just be giving out users passwords unless you know for certain that it's them. Just send them a reset link. – GROVER. Nov 28 '16 at 03:18
  • You should take the time to upgrade them from MD5 to something that is actually secure as well. – Luke Joshua Park Nov 28 '16 at 03:18
  • @badjuju The OP can `just encrypt new password and add to SQL`. – chris85 Nov 28 '16 at 03:19
  • I just did encrypt the new password and changed the way it is encrypted. However, I think it is the system itself that is very old. The system does not seem to work properly but thank you trillion guys! – scottymorg Nov 28 '16 at 03:24
  • Yes, your system seems very insecure. `"id='{$_POST['id']}'` seems like it is awaiting a SQL injection. You should use parameterized queries. – chris85 Nov 28 '16 at 03:29

1 Answer

Let's clear a few things up

but it seems that password is encrypted

First, your password is hashed, not encrypted. There is a difference. Namely that hashes are meant to be one-way. There's no way to look at a hash and just regenerate the password from that.

Second, they're using MD5. They're not actually salting anything, they're appending the same string to all passwords and THEN hashing it. MD5 is a terrible way to hash because it's stupid easy to break. This is the equivalent of securing your front door with a rubber band. It's not secure because you can make millions of guesses a minute. Yes it is that bad.

Third, with the function and the "salt" known, you can easily make a new password this way (via SQL because I'm not guessing what sort of screwy ORM they're using there):

UPDATE users
SET password = MD5(CONCAT('supapongherb.com', 'new_password_here'))
WHERE id = their_user_id_here

Fourth, switch to password_hash. Like now. Get rid of the rubber band and upgrade to a deadbolt, with rabid pitbulls behind it and a shotgun in your lap.

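The answer's last two points (set the password via SQL now, then move to password_hash) can be combined into a login path that upgrades each legacy row the first time its owner signs in. This is an added example, not code from the answer or from the site in question; it assumes a PDO connection `$pdo` and the `users(id, password)` table the question shows.

```php
<?php
declare(strict_types=1);

// Fixed string the old salt_pass() prepends; it is the same for every user,
// so it is not a salt: two users with the same password get the same hash.
const LEGACY_PREFIX = 'supapongherb.com';

// Reproduces the site's legacy scheme: md5(prefix . password), 32 hex chars.
function legacy_salt_pass(string $pass): string
{
    return md5(LEGACY_PREFIX . $pass);
}

function store_hash(PDO $pdo, int $userId, string $hash): void
{
    // Parameterised, unlike the interpolated "id='{$_POST['id']}'" in the question
    $stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
}

// Returns true when $submitted is the user's password. Legacy MD5 rows are
// re-stored with password_hash() (bcrypt via PASSWORD_DEFAULT) on success,
// so the table migrates without anyone knowing the old plaintexts.
function verify_and_upgrade(PDO $pdo, int $userId, string $submitted): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }

    // password_get_info() reports 'unknown' for anything password_hash() did not produce
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        if (!password_verify($submitted, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            store_hash($pdo, $userId, password_hash($submitted, PASSWORD_DEFAULT));
        }
        return true;
    }

    // Legacy row: compare the md5 hex strings in constant time, then upgrade
    if (!hash_equals($stored, legacy_salt_pass($submitted))) {
        return false;
    }
    store_hash($pdo, $userId, password_hash($submitted, PASSWORD_DEFAULT));
    return true;
}
```

Once every row has been rewritten (no 32-hex-character values remain in `users.password`), the legacy branch and `legacy_salt_pass()` can be deleted.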