Encrypt passwords with MD5

Everything related to Hesk - helpdesk software

Triblade
Posts: 4
Joined: Thu Oct 25, 2007 12:55 pm

Encrypt passwords with MD5

Post by Triblade »

/*************************************
Title:
Version:
Author: ERRO
Demo:
Download:
Website:

Short description:
Encrypt passwords stored in the DB with MD5

*************************************/

(Here below you can write additional info, longer description and comments)

The code below is a sort-of guide to follow.
There is one DB and 2 .php files to edit for this hack to work.
With this code new users will have their passwords in MD5 in the database.

1: Note that you HAVE to be logged in as the administrator while doing these hacks.
2: After applying them, make a new user with admin rights
3: Then log in again with the second admin
4: Change the pwd of the administrator (this will cause the pwd of the admin to become MD5, else administrator can't log in anymore)


Edit database: 
The field 'pass' in the table 'hesk_users' 

from: 
Length 20 

to: 
Length 150 

(This to be always able to store the whole MD5 hash) 
-------------------------------------------------- 

In: 
admin.php (line 68 ) 

Line: 
/* Check password */ 
if ($pass != $_SESSION['pass']) { 

Change to: 
/* Check password */ 
if (md5($pass) != $_SESSION['pass']) { 

(This to convert your given password to MD5 to check against the MD5 in the DB) 
-------------------------------------------------- 

In: 
manage_users.php (line 373 ) 

Line: 
<p align="center"><?php printf($hesklang['user_added_success'],$myuser['user'],$myuser['pass']); ?>!</p> 

Change to: 
<p align="center"><?php printf($hesklang['user_added_success'],$myuser['user'],md5($myuser['pass'])); ?>!</p> 

(This to show the MD5 hash to the one who made the user instead of the plaintext password. I thought this was better than plain text) 

(You may leave this one out!!) 
-------------------------------------------------- 

In: 
manage_users.php (line 355 ) 

Line: 
$sql = "INSERT INTO `hesk_users` (`user`,`pass`,`isadmin`,`name`,`email`,`signature`,`categories`) 
VALUES ('$myuser[user]','$myuser[pass]','$myuser[isadmin]','$myuser[name]', 

Change to: 
$sql = "INSERT INTO `hesk_users` (`user`,`pass`,`isadmin`,`name`,`email`,`signature`,`categories`) 
VALUES ('$myuser[user]',md5('$myuser[pass]'),'$myuser[isadmin]','$myuser[name]', 

(This to store the password in MD5 in the DB when creating a new user) 
-------------------------------------------------- 

In: 
manage_users.php (line 397/398/399 ) 

Line: 
$sql = "UPDATE `hesk_users` SET `user`='$myuser[user]',`name`='$myuser[name]',`email`='$myuser[email]', 
`signature`='$myuser[signature]',`pass`='$myuser[pass]',`categories`='$myuser[categories]', 
`isadmin`='$myuser[isadmin]' WHERE `id`=$myuser[id] LIMIT 1"; 

Change to: 
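/* Fetch the stored hash of the user being edited (not just the first row that has a password) */ 
$sql = "SELECT * FROM `hesk_users` WHERE `id`=$myuser[id] LIMIT 1"; 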
$result = hesk_dbQuery($sql) or hesk_error("$hesklang[cant_sql]: $sql</p><p>$hesklang[mysql_said]:<br>".mysql_error()."</p><p>$hesklang[contact_webmsater] $hesk_settings[webmaster_mail]"); 
$pwd=hesk_dbFetchAssoc($result); 

If($myuser['pass'] == $pwd['pass']){ 
$sql = "UPDATE `hesk_users` SET `user`='$myuser[user]',`name`='$myuser[name]',`email`='$myuser[email]', 
`signature`='$myuser[signature]',`pass`='$pwd[pass]',`categories`='$myuser[categories]', 
`isadmin`='$myuser[isadmin]' WHERE `id`=$myuser[id] LIMIT 1"; 
}else{ 
$sql = "UPDATE `hesk_users` SET `user`='$myuser[user]',`name`='$myuser[name]',`email`='$myuser[email]', 
`signature`='$myuser[signature]',`pass`=md5('$myuser[pass]'),`categories`='$myuser[categories]', 
`isadmin`='$myuser[isadmin]' WHERE `id`=$myuser[id] LIMIT 1"; 
} 

(Here I am checking if the filled in password is the already existing hash (if so, fill it with that hash) and if it's not the existing hash then enter the MD5 hash of the filled in pwd in the DB)
Edit:
Forgot to edit the piece of code to change your own profile password :)


In: 
profile.php (line 146/147/148 ) 

Line: 
$sql = "UPDATE `hesk_users` SET `name`='$_SESSION[name]',`email`='$_SESSION[email]',
`signature`='$_SESSION[signature]',`pass`='$_SESSION[pass]',`notify`='$_SESSION[notify]' WHERE `id`='$_SESSION[id]' LIMIT 1";
$result = hesk_dbQuery($sql) or hesk_error("$hesklang[cant_sql]: $sql</p><p>$hesklang[mysql_said]:<br>".mysql_error()."</p><p>$hesklang[contact_webmsater] $hesk_settings[webmaster_mail]");

Change to: 
$sql = "UPDATE `hesk_users` SET `name`='$_SESSION[name]',`email`='$_SESSION[email]',
`signature`='$_SESSION[signature]',`pass`=MD5('$_SESSION[pass]'),`notify`='$_SESSION[notify]' WHERE `id`='$_SESSION[id]' LIMIT 1";
$result = hesk_dbQuery($sql) or hesk_error("$hesklang[cant_sql]: $sql</p><p>$hesklang[mysql_said]:<br>".mysql_error()."</p><p>$hesklang[contact_webmsater] $hesk_settings[webmaster_mail]");

(This to convert the given pwd to MD5 and then pass it to the DB) 
Edit 2: Last edit & code was wrong. Code was fine, but was supposed to be in profile.php and not admin.php. This was edited. Also the lines were updated.
Sorry for any inconvenience.
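
A login check that accepts the rows this hack leaves behind (plaintext from before the change, unsalted MD5 after it) and upgrades each to a salted hash on the next successful login, which avoids the lockout that step 4 works around. This is an added example, not part of the original post or Hesk's own code; `verify_and_upgrade()` and the sample rows are hypothetical, and it relies on PHP's built-in `password_hash()` / `password_verify()`.

```php
<?php
// Added example, not Hesk code. verify_and_upgrade() is a hypothetical helper;
// $stored stands for the value of the `pass` column in `hesk_users`.

/**
 * Check a submitted password against a stored value that may be legacy
 * plaintext, an unsalted MD5 hex digest, or a password_hash() string.
 * Returns [bool $ok, ?string $newHash]; a non-null $newHash means the row
 * should be rewritten with that salted hash.
 */
function verify_and_upgrade(string $submitted, string $stored): array
{
    // password_get_info() reports an empty 'algo' for anything that is
    // not a password_hash() string (0 or null depending on PHP version).
    $info = password_get_info($stored);
    if (!empty($info['algo'])) {
        $ok = password_verify($submitted, $stored);
        $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
        return [$ok, $rehash ? password_hash($submitted, PASSWORD_DEFAULT) : null];
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Row written by the MD5 hack. The column was 20 characters wide
        // before the hack, so a 32-character value cannot be old plaintext.
        $ok = hash_equals(strtolower($stored), md5($submitted));
    } else {
        // Row from before the hack: still plaintext.
        $ok = hash_equals($stored, $submitted);
    }
    // On success, hand back a salted hash (bcrypt output is 60 characters,
    // which fits the widened 150-character column).
    return [$ok, $ok ? password_hash($submitted, PASSWORD_DEFAULT) : null];
}

// Constructed sample rows (not real data).
$rows = [
    'plaintext row' => 'hunter2-example',
    'md5 row'       => md5('hunter2-example'),
    'salted row'    => password_hash('hunter2-example', PASSWORD_DEFAULT),
];
foreach ($rows as $label => $stored) {
    [$ok, $newHash] = verify_and_upgrade('hunter2-example', $stored);
    [$bad] = verify_and_upgrade('wrong-guess', $stored);
    printf("%-14s ok=%s wrong=%s upgrade=%s\n", $label,
        var_export($ok, true), var_export($bad, true),
        $newHash === null ? 'no' : 'yes (' . strlen($newHash) . ' chars)');
}
```

The caller writes `$newHash` back to the user's row with a parameterised or escaped UPDATE; the password itself is never placed in the SQL string.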
ramon.cutanda
Posts: 4
Joined: Wed Jan 16, 2008 12:40 am

Post by ramon.cutanda »

THANKS!!!! :D
vinman57
Posts: 65
Joined: Thu Jan 17, 2008 4:13 am

Post by vinman57 »

Hmmm, worked great the day I installed it.

The next day, didn't work, kept getting Wrong Password - although the password was correct.
ashercharles
Posts: 7
Joined: Tue Feb 05, 2008 6:17 am

is it working

Post by ashercharles »

Hey, all the changes were made but it is not working, please help