Solved

Password Encrypted MD5

Posted on 2011-09-08
Last Modified: 2012-05-12
I had someone working on a database / website for me and I cannot contact him right now.  I have downloaded the database, but the password is encrypted.

I have two pages where the md5.asp is added to the admin page.  My thoughts are this:
Remove those references and upload the pages.
Upload the database (with a backup copy on my system) with a simple text password (i.e. password)
Then I should be able to sign in without any problems?  Or is there something that I missed?  I just need to get this going pretty soon.

Thanks!
Question by:coreybryant
25 Comments
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 36504818
Hello Corey
You cannot reverse the md5.
And I strongly suggest that you do not remove it from your code.

Is the site set up to allow the creation of a new user?
If so, then create a new user, and a password for that user.
Then copy the password from that user to the admin user in the database
And then login to the system.

That is the best and safest way to do it.

Carrzkiss
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36504891
I seem to have most of it done.  Unfortunately, getting to a new user was not shown / uploaded.

I had this code
MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1


and changed it to:
MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='",Database, 0, 1


I get an error:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'adminUsername='admin' AND adminPassword=''.
/admin/admin.asp, line 26
I think I am on the right track and I can enable MD5 again once I fix this.  Going through all the emails though, I see the user / pass that should work but does not.

Thanks!
0
 
LVL 82

Expert Comment

by:hielo
ID: 36504993
try resetting the password instead. Originally you had this:

MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1


So, now change your code to this:

Database.Execute "UPDATE config set password='" & objMD5.HEXMD5 & "' WHERE adminUsername='" & Replace(MM_valUsername,"'","''") & "'"

MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1

BUT as soon as you run that code once, remove the UPDATE code completely!
0

 
LVL 29

Author Comment

by:coreybryant
ID: 36505038
The original code also had included files (that I removed)
<!--#include file="class_md5.asp" -->


Should I add that back first? (And replace the DB with the orig DB?)  I made copies of all the files / databases of course if I have to revert back to the other way.
0
 
LVL 82

Expert Comment

by:hielo
ID: 36505077
>>Should I add that back first?
Of course. You'll need it so that when the password is updated, it is once again md5 encrypted. Having "clear" passwords is NOT a good idea.

SO, again, on the ORIGINAL code where you got that "SELECT ..." from (most likely some login page), you need to put the UPDATE code just before it, which will allow you to reset the password to whatever you just typed in your login form.
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36505449
OK thanks,  I went back, added everything to what you suggested.

When I went to the page, it wanted a username / password.  I was not certain what to enter, so I entered the default and hit submit.

This error came up:
Microsoft JET Database Engine error '80040e14'
Syntax error in UPDATE statement.
/admin/admin.asp, line 45
Line 45
Database.Execute "UPDATE config set password='" & objMD5.HEXMD5 & "' WHERE adminUsername='" & Replace(MM_valUsername,"'","''") & "'"


0
 
LVL 82

Expert Comment

by:hielo
ID: 36505487
What DB are you using?  How are you connecting to the db?

I'm assuming that ORIGINALLY (before you posted your question here) you were attempting to login to some page and on that page it kept telling "Invalid username or password" (or something equivalent). It is on THAT code that you were supposed to add the update statement, since based on your SELECT, it seems the variable Database IS a connection object - is it?
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36506737
Using MS Access.  Yes it was telling me incorrect login.  I do know the username is admin

When I changed to the MD5, I added the md5.asp file and included into two files (admin.asp / update_pass.asp).  admin.asp is the page where I login to the control section.
Connection String:
MM_blog_STRING = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\Websites\example.com\db\blog.mdb;Persist Security Info=False"


0
 
LVL 82

Expert Comment

by:hielo
ID: 36506973
What is in class_md5.asp? I need to see how you create an object and assign it a value because that's what you will need to insert into the db.
0
 
LVL 82

Expert Comment

by:hielo
ID: 36506992
Going back to ID:36504993, since you said " I do know the username is admin", then you can simplify the execute to:

Database.Execute "UPDATE config set password='hello' WHERE adminUsername='admin' "

BUT that will insert a "plain" password instead of an md5 password. Your login page is actually taking a "plain" password, computes the md5, and THEN compares against the md5 you have stored in your db.  On the example above, if you were to type "admin" as your password, it will always fail because what it is actually doing is saving a plain password in the db, but your login script is first converting the user input to an md5 and then would compare the md5 against what's on the db (which in the admin example would be a plain password).  Hence my question about your class_md5.asp.
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36507246
No worries, here is the attachment.  

I was trying to find the original script before we added this, but so far, no luck.   I remember we only added a couple of lines.  Thanks!
md5.txt
0
 
LVL 82

Expert Comment

by:hielo
ID: 36507358
try:
'if you change "newPassword" to the password that you want, then it should reset the password
'as soon as you attempt to login using 'admin' as the username.
'NOTE: be sure to remove the code below from your code immediately after you login.
Dim hielo
hielo=new MD5
hielo.text="newPassword"
Database.Execute "UPDATE config set password='" & hielo.HEXMD5 & "' WHERE adminUsername='admin'"
Set hielo=Nothing

MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1


0
 
LVL 29

Author Comment

by:coreybryant
ID: 36507428
Sorry, just to make sure - that should go into the admin.asp with all the original code (asp files) and database?  And when I bring up the admin.asp page, will it bring up a login form?

Thanks!
0
 
LVL 82

Expert Comment

by:hielo
ID: 36507972
Based on post ID:36504891, yes, it seems that on admin.asp is where you originally had the SELECT. So the update needs to be executed before that select.
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36510142
I entered that information into the admin.asp page.  The username / password boxes came up.  So I enter admin / newPassword.  

This is the error:
Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method
/admin/admin.asp, line 48

Line 48:
hielo=new MD5



I included the admin.asp to maybe help some.  Thanks again!
admin.txt
0
 
LVL 82

Expert Comment

by:hielo
ID: 36511750
my apologies for the oversight. It should have been:
Set hielo=new MD5
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36513313
No worries.  I was able to bring up the admin.asp page.  I am guessing that when I entered this URL into the browser (http://www.example.com/admin/admin.asp) that it changed the password to newPassword?

Now, I need to close that window, remove the code:
 'if you change "newPassword" to the password that you want, then it should reset the password
'as soon as you attempt to login using 'admin' as the username.
'NOTE: be sure to remove the code below from your code immediately after you login.
Dim hielo
hielo=new MD5
hielo.text="newPassword"
Database.Execute "UPDATE config set password='" & hielo.HEXMD5 & "' WHERE adminUsername='admin'"
Set hielo=new MD5


upload admin.asp page, go to the URL again and enter username admin and password newPassword - and then change the password?

Thanks again!
0
 
LVL 82

Expert Comment

by:hielo
ID: 36513649
>> I am guessing that when I entered this URL into the browser ... that it changed the password to newPassword?
No. Simply "loading" that page will not reset it. When that page loads, you should see a login form where you type your username/password.  Fill those fields (with anything for now). As soon as you submit the form then it will reset the password.  As a matter of fact, if you change:

hielo.text="newPassword"

with:
hielo.text=Request.Form("password")

whatever password you type in the password field will become your new password. THEN go back and remove the snippet of code I gave you so that the password is not reset over and over.
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36516385
OK, I kept it simple and used admin / newPassword.  I did not change any part of the code (except the part you provided).

When I hit submit, an error was generated:
Microsoft JET Database Engine error '80040e14'
Syntax error in UPDATE statement.
/admin/admin.asp, line 50
Set hielo=Nothing



Right now, the (new) code that is in there is
 'if you change "newPassword" to the password that you want, then it should reset the password
'as soon as you attempt to login using 'admin' as the username.
'NOTE: be sure to remove the code below from your code immediately after you login.
Dim hielo
Set hielo=new MD5
hielo.text="newPassword"
Database.Execute "UPDATE config set password='" & hielo.HEXMD5 & "' WHERE adminUsername='admin'"
Set hielo=Nothing


Thanks!
0
 
LVL 82

Expert Comment

by:hielo
ID: 36516503
Try commenting it out:
'Set hielo=Nothing

OR get rid of that line completely.
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36517002
Received the same error on Line 50
Database.Execute "UPDATE config set password='" & hielo.HEXMD5 & "' WHERE adminUsername='admin'"


0
 
LVL 82

Accepted Solution

by:
hielo earned 500 total points
ID: 36517805
OK, the problem is that password is a reserved word. To avoid these problems in the future, enclose your field and table names with brackets:

Database.Execute "UPDATE [config] set [password]='" & hielo.HEXMD5 & "' WHERE  [adminUsername]='admin'"

The same applies to the SELECT that follows:

      MM_rsUser.Open "SELECT [adminUsername], [adminPassword] FROM [config] WHERE [adminUsername]='" & Replace(MM_valUsername,"'","''") &"' AND [adminPassword]='" & objMD5.HEXMD5 & "'",Database, 0, 1

Which now brings me to another point. According to your SELECT statement, the field that stores the password is named "adminPassword", but on your UPDATE statement we have been trying/using "password". You need to double check the config table in your db. IF in fact the fieldname is "adminPassword", then use:

Database.Execute "UPDATE [config] set [adminPassword]='" & hielo.HEXMD5 & "' WHERE  [adminUsername]='admin'"

Since you already had that SELECT in place, my guess is that it should be "adminPassword", so below is an updated portion of your code.  Update your file accordingly.

...

If MM_valUsername <> "" Then
	MM_fldUserAuthorization=""
	MM_redirectLoginSuccess="main.asp"
	MM_redirectLoginFailed="admin.asp?lf=true"
	
	Set Database = Server.CreateObject("ADODB.connection")
	Database.Open  "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Datafile & ";"

	Set MM_rsUser = Server.CreateObject("ADODB.recordset")

	'if you change "newPassword" to the password that you want, then it should reset the password
	'as soon as you attempt to login using 'admin' as the username.
	'NOTE: be sure to remove the code below from your code immediately after you login.
	Dim hielo
	Set hielo=new MD5
	hielo.text="newPassword"
	Database.Execute "UPDATE [config] set [adminPassword]='" & hielo.HEXMD5 & "' WHERE [adminUsername]='admin'"
	Set hielo=Nothing

	MM_rsUser.Open "SELECT [adminUsername], [adminPassword] FROM [config] WHERE [adminUsername]='" & Replace(MM_valUsername,"'","''") &"' AND [adminPassword]='" & objMD5.HEXMD5 & "'",Database, 0, 1
  

	If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then 
		' username and password match - this is a valid user
		Session("MM_Username") = MM_valUsername
		If (MM_fldUserAuthorization <> "") Then
			Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
		Else
			Session("MM_UserAuthorization") = ""
		End If
		if CStr(Request.QueryString("accessdenied")) <> "" And true Then
			MM_redirectLoginSuccess = Request.QueryString("accessdenied")
		End If
		MM_rsUser.Close
		Response.Redirect(MM_redirectLoginSuccess)
	End If
	MM_rsUser.Close
	Response.Redirect(MM_redirectLoginFailed)
End If
...


0
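
The login check and one-off reset from the accepted solution, rewritten with ADODB.Command parameters in place of string concatenation; this is an added example, not code from the thread or from the site being discussed. It assumes the thread's MD5 class (properties text and HEXMD5) is included and that the [config] table has [adminUsername] and [adminPassword]; the function names, parameter names and the 255-character field size are hypothetical.

```vbscript
' Added example, not from the thread. Assumes class_md5.asp (the thread's MD5
' class with .text and .HEXMD5) is included before this code runs.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Hash a plain-text password the same way the login page does.
Function HashPassword(plainText)
	Dim hasher
	Set hasher = New MD5
	hasher.text = plainText
	HashPassword = hasher.HEXMD5
	Set hasher = Nothing
End Function

' Build a command whose values travel as parameters, never as SQL text.
' Jet binds "?" markers by position, so append parameters in SQL order.
Function NewCommand(conn, sql)
	Dim cmd
	Set cmd = Server.CreateObject("ADODB.Command")
	Set cmd.ActiveConnection = conn
	cmd.CommandType = adCmdText
	cmd.CommandText = sql
	Set NewCommand = cmd
End Function

' True when the stored hash for userName equals the hash of plainText.
Function CheckLogin(conn, userName, plainText)
	Dim cmd, rs
	Set cmd = NewCommand(conn, "SELECT [adminUsername] FROM [config] " & _
		"WHERE [adminUsername] = ? AND [adminPassword] = ?")
	cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, Left(userName, 255))
	cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, HashPassword(plainText))
	Set rs = cmd.Execute
	CheckLogin = Not rs.EOF
	rs.Close
End Function

' One-off reset: stores the hash, so the next login compares hash to hash.
' Returns the number of rows changed; 0 means no such user.
Function ResetPassword(conn, userName, newPlainText)
	Dim cmd, affected
	Set cmd = NewCommand(conn, "UPDATE [config] SET [adminPassword] = ? " & _
		"WHERE [adminUsername] = ?")
	cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, HashPassword(newPlainText))
	cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, Left(userName, 255))
	cmd.Execute affected
	ResetPassword = affected
End Function

' Usage in admin.asp after Database.Open (Database is the thread's connection object):
'   If CheckLogin(Database, MM_valUsername, Request.Form("password")) Then ...
```

Because the values are bound as parameters, quote characters in the submitted username or password never become part of the SQL text, so the Replace(...,"'","''") escaping is no longer what the query's safety depends on.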
 
LVL 29

Author Comment

by:coreybryant
ID: 36519548
Thanks, that worked.  Hopefully I can go back to the original code right now before changing the password.
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36519582
Since the change password was on another page, that part was successful.  But when I logged out and logged back in, I received an error
Microsoft JET Database Engine error '80040e14'
Syntax error in UPDATE statement.
/admin/admin.asp, line 43
Line 43-47
 Set MM_rsUser = Server.CreateObject("ADODB.recordset")
  MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1
Database.Execute "UPDATE config set password='" & objMD5.HEXMD5 & "' WHERE adminUsername='" & Replace(MM_valUsername,"'","''") & "'"

MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1


I am pretty sure I went back to the original admin.asp code, but I am not exactly sure.  I think I have a double line code in there.

In a Config table, there is AdminUsername and AdminPassword
0
 
LVL 29

Author Comment

by:coreybryant
ID: 36519603
I forgot that I had a backup copy of this site in a zipped file.  I went back to reference that I updated the code to
 Set MM_rsUser = Server.CreateObject("ADODB.recordset")
  MM_rsUser.Open "SELECT adminUsername, adminPassword FROM config WHERE adminUsername='" & Replace(MM_valUsername,"'","''") &"' AND adminPassword='" & objMD5.HEXMD5 & "'",Database, 0, 1

  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then 
    ' username and password match - this is a valid user


I was able to sign in with the username / password.  

I should have implemented the MD5 after the development was done, but the developer was going along at a good speed.  Thanks for hanging in there and helping
0
