Encrypt passwords with MD5

Posted: Thu Oct 25, 2007 1:28 pm
by Triblade
/*************************************
Title:
Version:
Author: ERRO
Demo:
Download:
Website:

Short description:
Encrypt passwords stored in the DB with MD5

*************************************/

(Here below you can write additional info, longer description and comments)

The code below is a sort-of guide to follow.
There is one DB and 2 .php files to edit for this hack to work.
With this code new users will have their passwords in MD5 in the database.

1: Note that you HAVE to be logged in as the administrator while doing these hacks.
2: After applying them, make a new user with admin rights
3: Then log in again with the second admin
4: change the pwd of the administrator (this will cause the pwd of the admin to become MD5, else administrator can't login anymore)

Edit database: 
The field 'pass' in the table 'hesk_users' 

from: 
Length 20 

to: 
Length 150 

(This to be always able to store the whole MD5 hash) 
-------------------------------------------------- 

In: 
admin.php (line 68 ) 

Line: 
/* Check password */ 
if ($pass != $_SESSION['pass']) { 

Change to: 
/* Check password */ 
if (md5($pass) != $_SESSION['pass']) { 

(This to convert your given password to MD5 to check against the MD5 in the DB) 
-------------------------------------------------- 

In: 
manage_users.php (line 373 ) 

Line: 
<p align="center"><?php printf($hesklang['user_added_success'],$myuser['user'],$myuser['pass']); ?>!</p> 

Change to: 
<p align="center"><?php printf($hesklang['user_added_success'],$myuser['user'],md5($myuser['pass'])); ?>!</p> 

(This to show the MD5 hash to the one who made the user instead of the plaintext password. I thought this was better than plain text) 

(You may leave this one out!!) 
-------------------------------------------------- 

In: 
manage_users.php (line 355 ) 

Line: 
$sql = "INSERT INTO `hesk_users` (`user`,`pass`,`isadmin`,`name`,`email`,`signature`,`categories`) 
VALUES ('$myuser[user]','$myuser[pass]','$myuser[isadmin]','$myuser[name]', 

Change to: 
$sql = "INSERT INTO `hesk_users` (`user`,`pass`,`isadmin`,`name`,`email`,`signature`,`categories`) 
VALUES ('$myuser[user]',md5('$myuser[pass]'),'$myuser[isadmin]','$myuser[name]', 

(This to store the password in MD5 in the DB when creating a new user) 
-------------------------------------------------- 

In: 
manage_users.php (line 397/398/399 ) 

Line: 
$sql = "UPDATE `hesk_users` SET `user`='$myuser[user]',`name`='$myuser[name]',`email`='$myuser[email]', 
`signature`='$myuser[signature]',`pass`='$myuser[pass]',`categories`='$myuser[categories]', 
`isadmin`='$myuser[isadmin]' WHERE `id`=$myuser[id] LIMIT 1"; 

Change to: 
/* Fetch the stored hash of the user being edited, not just the first row with a password */ 
$sql = "SELECT * FROM `hesk_users` WHERE `id`=$myuser[id] LIMIT 1"; 
$result = hesk_dbQuery($sql) or hesk_error("$hesklang[cant_sql]: $sql</p><p>$hesklang[mysql_said]:<br>".mysql_error()."</p><p>$hesklang[contact_webmsater] $hesk_settings[webmaster_mail]"); 
$pwd=hesk_dbFetchAssoc($result); 

If($myuser['pass'] == $pwd['pass']){ 
$sql = "UPDATE `hesk_users` SET `user`='$myuser[user]',`name`='$myuser[name]',`email`='$myuser[email]', 
`signature`='$myuser[signature]',`pass`='$pwd[pass]',`categories`='$myuser[categories]', 
`isadmin`='$myuser[isadmin]' WHERE `id`=$myuser[id] LIMIT 1"; 
}else{ 
$sql = "UPDATE `hesk_users` SET `user`='$myuser[user]',`name`='$myuser[name]',`email`='$myuser[email]', 
`signature`='$myuser[signature]',`pass`=md5('$myuser[pass]'),`categories`='$myuser[categories]', 
`isadmin`='$myuser[isadmin]' WHERE `id`=$myuser[id] LIMIT 1"; 
} 

(Here I am checking if the filled in password is the already existing hash (if so, fill it with that hash) and if it's not the existing hash then enter the MD5 hash of the filled in pwd in the DB)
Edit:
Forgot to edit the piece of code to change your own profile password :)

In: 
profile.php (line 146/147/148 ) 

Line: 
$sql = "UPDATE `hesk_users` SET `name`='$_SESSION[name]',`email`='$_SESSION[email]',
`signature`='$_SESSION[signature]',`pass`='$_SESSION[pass]',`notify`='$_SESSION[notify]' WHERE `id`='$_SESSION[id]' LIMIT 1";
$result = hesk_dbQuery($sql) or hesk_error("$hesklang[cant_sql]: $sql</p><p>$hesklang[mysql_said]:<br>".mysql_error()."</p><p>$hesklang[contact_webmsater] $hesk_settings[webmaster_mail]");

Change to: 
$sql = "UPDATE `hesk_users` SET `name`='$_SESSION[name]',`email`='$_SESSION[email]',
`signature`='$_SESSION[signature]',`pass`=MD5('$_SESSION[pass]'),`notify`='$_SESSION[notify]' WHERE `id`='$_SESSION[id]' LIMIT 1";
$result = hesk_dbQuery($sql) or hesk_error("$hesklang[cant_sql]: $sql</p><p>$hesklang[mysql_said]:<br>".mysql_error()."</p><p>$hesklang[contact_webmsater] $hesk_settings[webmaster_mail]");

(This to convert the given pwd to MD5 and then pass it to the DB) 
Edit 2: Last edit & code was wrong. Code was fine, but was supposed to be in profile.php and not admin.php. This was edited. Also the lines were updated.
Sorry for any inconvenience.
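
Added example (not part of the post above and not HESK's own code): unsalted MD5 is a fast hash, so a leaked `hesk_users` table can be brute-forced cheaply; this sketch uses PHP's `password_hash()`/`password_verify()` instead and upgrades old rows at login, so no account has to be reset by a second admin. The function name `verify_and_upgrade` and the sample rows are assumptions for illustration.

```php
<?php
// Added example, not HESK code. verify_and_upgrade() and the sample rows
// are hypothetical. Requires PHP 7.1+.

/**
 * Check a login attempt against a stored `pass` value of any generation.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the row
 * should be rewritten with a salted password_hash() value.
 */
function verify_and_upgrade(string $submitted, string $stored): array
{
    if (!empty(password_get_info($stored)['algo'])) {
        // Row already holds a password_hash() value (salt is embedded).
        if (!password_verify($submitted, $stored)) {
            return [false, null];
        }
        $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
        return [true, $stale ? password_hash($submitted, PASSWORD_DEFAULT) : null];
    }
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // Row written by the MD5 modification: 32 hex chars, unsalted.
        // The original column was 20 chars, so this cannot be plaintext.
        $ok = hash_equals(strtolower($stored), md5($submitted));
    } else {
        // Row still holds the pre-modification plaintext value.
        $ok = hash_equals($stored, $submitted);
    }
    return [$ok, $ok ? password_hash($submitted, PASSWORD_DEFAULT) : null];
}

// Constructed sample rows, one per storage generation.
$rows = [
    'alice' => 'secret1',                                   // plaintext
    'bob'   => md5('secret2'),                              // MD5 mod
    'carol' => password_hash('secret3', PASSWORD_DEFAULT),  // salted hash
];
$attempts = ['alice' => 'secret1', 'bob' => 'secret2', 'carol' => 'wrong'];

foreach ($attempts as $user => $password) {
    [$ok, $newHash] = verify_and_upgrade($password, $rows[$user]);
    if ($newHash !== null) {
        // In the application: UPDATE the row with a prepared statement.
        $rows[$user] = $newHash;
    }
    printf("%-5s login=%-4s stored=%s...\n", $user, $ok ? 'ok' : 'fail',
        substr($rows[$user], 0, 7));
}
```

The bcrypt output currently produced by `PASSWORD_DEFAULT` is 60 characters, so it fits the Length 150 `pass` column described above.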

Posted: Wed Jan 16, 2008 12:41 am
by ramon.cutanda
THANKS!!!! :D

Posted: Thu Jan 17, 2008 3:28 pm
by vinman57
Hmmm, worked great the day I installed it.

The next day, didn't work, kept getting Wrong Password - although the password was correct.

is it working

Posted: Fri Feb 08, 2008 5:53 am
by ashercharles
hey all the changes were made but it is not working pls help