4

I have inherited a PhpBB3 installation from an uncontactable previous admin who didn't leave me the password, or any mechanism to retrieve it.

It runs on a MySQL database, which I have logged into with full privileges in order to change the admin password. Unfortunately, PhpBB3 apparently uses a complex multistage salted hashing technique that I'm not familiar with. Given full access to the DB, how do I generate a valid password hash to replace the old one with?

I tried a simple MD5 of the known password of a normal user, and it doesn't match the DB entry.

Any other way to reset the admin password via the DB is also helpful, as long as it works!

Captain Blammo
  • 213
  • 1
  • 3
  • 8

3 Answers3

6

Answer found elsewhere (credit: joshhighland.com)

run the update manually but use one of the following example hashes;

Hash: e10adc3949ba59abbe56e057f20f883e Password: 123456

Hash: $H$9Ae3Uk.ECdWW5ya13M4ErWhr4c.761/ Password: password

e.g. mysql> update phpbb_users set user_password='e10adc3949ba59abbe56e057f20f883e' where username = 'YourUserName';

...then login and change the password to one you'll remember afterwards :)

Philip Veale
  • 61
  • 1
  • 2
4

run mysql and select the relevant database then use the MD5 function to set the password on the account that you want to change.

For example if your phpbb3 database is called Yourphpbb3db and the users table is phpbb_users then

mysql -u root -p

enter your password

mysql> show databases;
mysql> use database Yourphpbb3db;
Database changed
mysql> UPDATE phpbb_users SET user_password = MD5('YourPassword') WHERE username='YourAdminName';
user9517
  • 114,104
  • 20
  • 206
  • 289
  • I already tried this, as mentioned in my question. PhpBB has moved to a more complicated multistage salted hashing technique in version 3, so this doesn't work :( – Captain Blammo Nov 24 '10 at 21:32
  • Before I posted my answer I tried it on a copy of a phpbb3 system I use for testing. Worked for me. – user9517 Nov 24 '10 at 21:36
  • Well damn, it isn't the same hash, but it doesn't complain, then sets it to another one I can't reproduce as soon as I login. Thanks! Do you want to edit your answer to mention that, or shall I edit my question to *not* mention it? I didn't insert the MD5 hash because I could tell it didn't match. – Captain Blammo Nov 24 '10 at 21:59
  • 4
    I just checked the source code. If a password is stored with the initial characters $H$ then it's in the new format and dealt with as such. If it's not in the new format then after being verified using the old methods it is silently converted to the new format. – user9517 Nov 24 '10 at 22:18
0

I'm only slightly familiar with the intricacies of phpBB3, but I would try copying the hash and salt from another user account where the password is known (a throwaway account for this purpose or somesuch). Of course, back up the current hash and salt first, or possibly the whole DB... if that doesn't work, I would try elevating another account's privileges. I'm completely unfamiliar with the privilege system in phpBB3, but you can either try to duplicate the current admin's privilege table entries for a new account or just replace the admin's user ID with a known account. I would do all of this on a test system, if possible.

hwilbanks
  • 466
  • 2
  • 4