+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Retreiving Wordpress Passwords (/showthread.php?tid=19721)
Pages:
1
2
Retreiving Wordpress Passwords - El Forum - 06-16-2009
[eluser]Cro_Crx[/eluser]
Hey all
I'm converting a wordpress site onto another format. I have the database and all of the files so have access to the hashed + salted passwords and also the encryption keys used.
I don't need to get the plain text passwords, i only need to emulate the way that wordpress would encrypt + hash passwords so I can implement that in my application and use the existing database entries.
If anyone can help that would be greatly appreciated, thanks.
Retreiving Wordpress Passwords - El Forum - 06-16-2009
[eluser]slowgary[/eluser]
This post really has nothing to do with Codeigniter, so you may have a hard time getting an answer here. You will probably have a lot more luck getting an answer on a wordpress forum. This is still sort of a sticky issue because for someone to know how the passwords are generated, they would also know how to decrypt them.
Good luck.
Retreiving Wordpress Passwords - El Forum - 06-16-2009
[eluser]Cro_Crx[/eluser]
Cheers slowgary
I'm fairly sure that it might be a two way hash, so someone could decrypt them so long as they had the key. I might have a look at their encrypt function when i get some spare time.
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]umefarooq[/eluser]
simple solution is if you can create a new user in that application, than create new user and use its password hash and replace with admin or any user hash in database. or either use the following link to crack the password, just put you password hash you will get the password.
http://www.plain-text.info/
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]Cro_Crx[/eluser]
umefarooq
I don't think you understood it correctly. I have a database with wordpress logins. My application needs to use the same username and passwords. So I need to find out how wordpress stores it's logins eg.... does it hash then salt, if so which encryption key does it use? there's a few in the config file.
The link you gave me just finds the plain text version of a md5/sha1 hash, it won't work if there is salt. Again I don't need to change the passwords to plain text (although this would solve my problem). I just need to find out how to encrypt passwords in the same way so I can implement this into my application.
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]Dam1an[/eluser]
wtf :-S
I just followed the login process through the mess that is the WP code, and it seems to end up in an endless loop, and at no point could I find the password being hashed or anything :-S
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]TheFuzzy0ne[/eluser]
It's staggering how WordPress has become so popular... I recently did a bit of customisation on it. The documentation structure sucks, and every minute I spent working on it, was like having my eyelids being taped open whilst being forced to stare at a picture of Amy Winehouse...
@Dam1an, you probably missed where it forked off or something. It's a nightmare...
EDIT: I just grepped through the source looking for "user_pass", which is the name of the database field WP uses to store passwords, and got no results...
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]Cro_Crx[/eluser]
Yeah the structure of it seems to be all over the place. Even things like the CSS of the base themes are NUTZ, sooo many repeated unnecessary styles.
Also wordpress seems to be quite heavy. Loading a CI controller with heaps of plugins seems a lot quicker. I might have a look through the code and see if I can find where the hashing occurs
might just CTRL+F for the "AUTH_KEY" or the "SECURE_AUTH_KEY"... also why have a 3rd one? I have no idea why they need a LOGGED_IN_KEY as well!Hopefully they haven't written their own hashing function :S that would just be insane!
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]Dam1an[/eluser]
I found it
In wordpress\wp-includes\pluggable.php on line 1357 you have
Code:
function wp_hash_password($password) {
global $wp_hasher;
if ( empty($wp_hasher) ) {
require_once( ABSPATH . 'wp-includes/class-phpass.php');
// By default, use the portable hash from phpass
$wp_hasher = new PasswordHash(8, TRUE);
}
return $wp_hasher->HashPassword($password);
}I'll let you fetch a copy of the PHPass class yourself from the wordpress install as it's too big to paste here, and I'm too lazy to zip and attatch it
Retreiving Wordpress Passwords - El Forum - 06-17-2009
[eluser]TheFuzzy0ne[/eluser]
I get the impression that WordPress was designed by Web Designers rather than PHP programmers.
I found the problem, I hadn't copied over any of WordPress' subdirectories. Now I have, here are the grep results:
Code:
dtc@hope:~/wordpress$ grep -r 'user_pass' ./
./xmlrpc.php: * @param string $user_pass User's password.
./xmlrpc.php: function login_pass_ok($user_login, $user_pass) {
./xmlrpc.php: if (!user_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[3];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $wpdb->escape($args[2]);
./xmlrpc.php: if ( !$this->login_pass_ok($user_login, $user_pass) )
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./xmlrpc.php: $user_pass = $args[2];
./xmlrpc.php: if (!$this->login_pass_ok($user_login, $user_pass)) {
./wp-includes/pluggable.php: if ( !wp_check_password($password, $user->user_pass, $user->ID) ) {
./wp-includes/pluggable.php: $query = $wpdb->prepare("UPDATE $wpdb->users SET user_pass = %s, user_activation_key = '' WHERE ID = %d", $hash, $user_id);
./wp-includes/registration.php: * 'user_pass' - A string that contains the plain text password for the user.
./wp-includes/registration.php: $user_pass = wp_hash_password($user_pass);
./wp-includes/registration.php: $data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name', 'user_registered' );
./wp-includes/registration.php: * It is possible to update a user's password by specifying the 'user_pass'
./wp-includes/registration.php: if ( ! empty($userdata['user_pass']) ) {
./wp-includes/registration.php: $plaintext_pass = $userdata['user_pass'];
./wp-includes/registration.php: $userdata['user_pass'] = wp_hash_password($userdata['user_pass']);
./wp-includes/registration.php: $user_pass = $password;
./wp-includes/registration.php: $userdata = compact('user_login', 'user_email', 'user_pass');
./wp-includes/user.php: * The credentials is an array that has 'user_login', 'user_password', and
./wp-includes/user.php: $credentials['user_password'] = $_POST['pwd'];
./wp-includes/user.php: if ( !empty($credentials['user_password']) )
./wp-includes/user.php: $credentials['user_password'] = trim($credentials['user_password']);
./wp-includes/user.php: do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
./wp-includes/user.php: if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
./wp-includes/user.php: if ( empty($credentials['user_login']) || empty($credentials['user_password']) ) {
./wp-includes/user.php: if ( empty($credentials['user_password']) )
./wp-includes/user.php: $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
./wp-includes/user.php: * @param string $user_pass User password.
./wp-includes/user.php: function user_pass_ok($user_login, $user_pass) {
./wp-includes/user.php: $user = wp_authenticate($user_login, $user_pass);
./wp-includes/user.php: * @global string $user_pass_md5 MD5 of the user's password
./wp-includes/user.php: global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_pass_md5, $user_identity;
./wp-includes/user.php: $user_pass_md5 = md5($user->user_pass);
./wp-login.php: $user_pass = wp_generate_password();
./wp-login.php: $user_id = wp_create_user( $user_login, $user_pass, $user_email );
./wp-login.php: wp_new_user_notification($user_id, $user_pass);
./wp-login.php: <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" tabindex="20" /></label>
./wp-login.php: d = document.getElementById('user_pass');
./wp-admin/import/greymatter.php: $user_info = array("user_login"=>"$user_login", "user_pass"=>"$passHope this helps.