
Decrypt Password

Posted: Tue Mar 22, 2011 1:32 pm
by pwd2
Our web programmer left us high and dry and we can't get into a section of our website. I was able to get into an area with Phpadmin and saw the password was

CmJUagJsBTsDdAY2Bzc=

This is encrypted and I found an encryption script on the server

Code:

<?php

/**
 * 
 *
 * This class enables you to do encryption, decryption of strings.
 * 
 *
 */

class EncryptionManager {

	private $encryption_key	= '';
	private $hash_type	= 'sha1';
	private $mcrypt_exists = FALSE;
	private $mcrypt_cipher;
	private $mcrypt_mode;
	
	/**
	 * Constructor
	 *
	 * Simply determines whether the mcrypt library exists.
	 *
	 */
	function __construct($key = '')
	{
		if (trim($key) != '')
		{
			$this->encryption_key = $key;
		}
		else
		{
			$config = ConfigManager::getInstance();
			$key = $config->item('encryption_key');

			if ($key === FALSE)
			{
				$error = ErrorManager::getInstance();
				$error->showError('In order to use the encryption class requires that you set an encryption key in your config file.');
			}
			$this->encryption_key = $key;
		}

		$this->mcrypt_exists =  (function_exists('mcrypt_encrypt')) ? TRUE : FALSE;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Fetch the encryption key
	 *
	 * Returns the key exactly as configured. It is not hashed or
	 * resized here, although mcrypt is sensitive to key length.
	 *
	 * @access	private
	 * @return	string
	 */
	private function get_key()
	{
		return $this->encryption_key;
	}
		
	
	// --------------------------------------------------------------------

	/**
	 * Set the encryption key
	 *
	 * @access	public
	 * @param	string
	 * @return	void
	 */
	public function set_key($key = '')
	{
		$this->encryption_key = $key;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Encode
	 *
	 * Encodes the message string using bitwise XOR encoding.
	 * The key is combined with a random hash, and then it
	 * too gets converted using XOR. The whole thing is then run
	 * through mcrypt (if supported) using the randomized key.
	 * The end result is a double-encrypted message string
	 * that is randomized with each call to this function,
	 * even if the supplied message and key are the same.
	 *
	 * @access	public
	 * @param	string	the string to encode
	 * @param	string	the key
	 * @return	string
	 */
	public function encode($string, $urlEncode = FALSE)
	{
		$key = $this->get_key();
		$enc = $this->_xor_encode($string, $key);
		
		if ($this->mcrypt_exists === TRUE)
		{
			$enc = $this->mcrypt_encode($enc, $key);
		}
		if ($urlEncode === TRUE)
		{
			return urlencode(base64_encode($enc));
		}
		else
		{
			return base64_encode($enc);
		}
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Decode
	 *
	 * Reverses the above process
	 *
	 * @access	public
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	public function decode($string, $urlDecode = FALSE)
	{
		if ($urlDecode === TRUE)
		{
			$string = urldecode($string);
		}
		$key = $this->get_key();
		$dec = base64_decode($string);
		
		 if ($dec === FALSE)
		 {
		 	return FALSE;
		 }
		
		if ($this->mcrypt_exists === TRUE)
		{
			$dec = $this->mcrypt_decode($dec, $key);
		}
		
		return $this->_xor_decode($dec, $key);
	}
  	
	// --------------------------------------------------------------------

	/**
	 * XOR Encode
	 *
	 * Takes a plain-text string and key as input and generates an
	 * encoded bit-string using XOR
	 *
	 * @access	private
	 * @param	string
	 * @param	string
	 * @return	string
	 */	
	private function _xor_encode($string, $key)
	{
		$rand = '';
		while (strlen($rand) < 32)
		{
			$rand .= mt_rand(0, mt_getrandmax());
		}
	
		$rand = $this->hash($rand);
		
		$enc = '';
		for ($i = 0; $i < strlen($string); $i++)
		{			
			$enc .= substr($rand, ($i % strlen($rand)), 1).(substr($rand, ($i % strlen($rand)), 1) ^ substr($string, $i, 1));
		}
				
		return $this->_xor_merge($enc, $key);
	}
  	
	// --------------------------------------------------------------------

	/**
	 * XOR Decode
	 *
	 * Takes an encoded string and key as input and generates the
	 * plain-text original message
	 *
	 * @access	private
	 * @param	string
	 * @param	string
	 * @return	string
	 */	
	private function _xor_decode($string, $key)
	{
		$string = $this->_xor_merge($string, $key);
		
		$dec = '';
		for ($i = 0; $i < strlen($string); $i++)
		{
			$dec .= (substr($string, $i++, 1) ^ substr($string, $i, 1));
		}
	
		return $dec;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * XOR key + string Combiner
	 *
	 * Takes a string and key as input and computes the difference using XOR
	 *
	 * @access	private
	 * @param	string
	 * @param	string
	 * @return	string
	 */	
	private function _xor_merge($string, $key)
	{
		$hash = $this->hash($key);
		$str = '';
		for ($i = 0; $i < strlen($string); $i++)
		{
			$str .= substr($string, $i, 1) ^ substr($hash, ($i % strlen($hash)), 1);
		}
		
		return $str;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Encrypt using Mcrypt
	 *
	 * @access	public
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	private function mcrypt_encode($data, $key)
	{	
		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
		$init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
		return mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect);
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Decrypt using Mcrypt
	 *
	 * @access	public
	 * @param	string
	 * @param	string
	 * @return	string
	 */	
	public function mcrypt_decode($data, $key)
	{
		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
		$init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
		return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Set the Mcrypt Cipher
	 *
	 * @access	public
	 * @param	constant
	 * @return	string
	 */
	public function set_cipher($cipher)
	{
		$this->mcrypt_cipher = $cipher;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Set the Mcrypt Mode
	 *
	 * @access	public
	 * @param	constant
	 * @return	string
	 */
	public function set_mode($mode)
	{
		$this->mcrypt_mode = $mode;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Get Mcrypt cipher Value
	 *
	 * @access	private
	 * @return	string
	 */	
	private function _get_cipher()
	{
		if ($this->mcrypt_cipher == '')
		{
			$this->mcrypt_cipher = MCRYPT_RIJNDAEL_256;
		}

		return $this->mcrypt_cipher;
	}

	// --------------------------------------------------------------------

	/**
	 * Get Mcrypt Mode Value
	 *
	 * @access	private
	 * @return	string
	 */	
	private function _get_mode()
	{
		if ($this->mcrypt_mode == '')
		{
			$this->mcrypt_mode = MCRYPT_MODE_ECB;
		}
		
		return $this->mcrypt_mode;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Set the Hash type
	 *
	 * @access	public
	 * @param	string
	 * @return	string
	 */		
	public function set_hash($type = 'sha1')
	{
		$this->hash_type = ($type != 'sha1' AND $type != 'md5') ? 'sha1' : $type;
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Hash encode a string
	 *
	 * @access	public
	 * @param	string
	 * @return	string
	 */		
	public function hash($str)
	{
		return ($this->hash_type == 'sha1') ? $this->sha1($str) : md5($str);
	}
  	
	// --------------------------------------------------------------------

	/**
	 * Generate an SHA1 Hash
	 *
	 * @access	public
	 * @param	string
	 * @return	string
	 */	
	public function sha1($str)
	{
		if ( ! function_exists('sha1'))
		{
			if ( ! function_exists('mhash'))
			{	
				require_once(LIBPATH.'Sha.php');
				$SH = new SHA;
				return $SH->generate($str);
			}
			else
			{
				return bin2hex(mhash(MHASH_SHA1, $str));
			}
		}
		else
		{
			return sha1($str);
		}	
	}
	
}

// END Encrypt class
?>
The encryption key is o2xda01

I know little to nothing of scripts/php/mysql, etc. I just need to get that password decrypted so we can move forward. Any advice?

Re: Decrypt Password

Posted: Tue Mar 22, 2011 1:52 pm
by social_experiment
I don't think that password is encrypted. Passwords are (should be) preferably stored as hashed values which cannot (easily) be tampered with to return the plain text equivalent. The value you pasted is a password but it's not encrypted, it's just a very long, not-easily remembered password. Phpmyadmin generates similar passwords for any SQL user that is created. The password you are looking for is more likely to be stored inside another database table (the one your application uses), and if your programmer was smart it will be a hashed password, that is not retrievable (or not easily retrievable). The class below encrypts / decrypts things (as the comments point out).

Re: Decrypt Password

Posted: Tue Mar 22, 2011 2:02 pm
by pwd2
Thanks for the information. The form that is used on the html side of things is

Code:

<?php
session_start();
require_once("../common.php");
require_once(LIBPATH . "encryptionManager.php");
//$encrypt = new EncryptionManager();
//print $encrypt->decode("CmJUagJsBTsDdAY2Bzc=");

if ($_POST['login'] == "login")
{
	// instantiate the encryption manager
	$encrypt = new EncryptionManager();
	//print $encrypt->decode("DGBSZgU1VjNRYQI0");
	//exit;
	/* 
	Check for validity of username.. We are checking the password validity using
	php only because our encryption algorithm gives different encrypted string for 
	encryption of same string. Therefore, we have to decode the password first and compare
	it with what user has entered.
	*/
	
	$query = $db->getWhere('admin', array("Username" => $_POST['Username']));
	if ($query->num_rows() == 0)
	{
		$errorMessage = $error->showMessage("Sorry, wrong username or password.");
	}
	else
	{
		$row = $query->row_array(0);
		$password = $encrypt->decode($row["Password"]);
		if (! (strcmp($password, $_POST['Password']) == 0))
		{
			$errorMessage = $error->showMessage("Sorry, wrong username or password.");
		}
		else
		{
			// set the admin session
			$_SESSION['session_adminID'] = $row["ID"];
			header("location: adminDesktop.php");
			exit;
		}
	}

}

require_once(ADMINVIEWPATH . "index.php");



?>
Does that help at all? I am just trying to find the password for the admin user.

Re: Decrypt Password

Posted: Tue Mar 22, 2011 2:03 pm
by Jonah Bron
@social_experiment: actually, I don't think it's hashed. I'm pretty sure that password is base64 encoded. Looking at the code, it would appear that the password is encrypted with mcrypt (using the encryption key 02xda01 according to the OPer), and then base64 encoded.

Re: Decrypt Password

Posted: Tue Mar 22, 2011 2:04 pm
by Jonah Bron
A few minutes of playing got this:

58mor07
Does that look correct? Try it. I got it by running this:

Code:

$encryptionManager = new EncryptionManager('o2xda01');
echo $encryptionManager->decode('CmJUagJsBTsDdAY2Bzc=');

Re: Decrypt Password

Posted: Tue Mar 22, 2011 2:28 pm
by pwd2
Beautiful that is exactly what it is. Thanks so much, I really appreciate the help :)

Re: Decrypt Password

Posted: Tue Mar 22, 2011 2:39 pm
by Jonah Bron
Sure :)

Re: Decrypt Password

Posted: Wed Mar 23, 2011 12:09 pm
by social_experiment
Ah cool :). Good thing that developer left you :)

Re: Decrypt Password

Posted: Wed Mar 23, 2011 12:11 pm
by Jonah Bron
social_experiment wrote: Good thing that developer left you :)
Why is that?

Re: Decrypt Password

Posted: Wed Mar 23, 2011 12:17 pm
by social_experiment
Shouldn't a password be a bit harder to reverse engineer?
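
The point raised in this post, together with the decode shown earlier in the thread, as an added example: a Python port written for this page (not code from the thread or the site) of the class's XOR-only decode path, next to a one-way replacement. It assumes the class default hash type (SHA-1) and that the mcrypt layer was not applied; `hash_password`, `verify_password`, the PBKDF2 work factor and the `pbkdf2$salt$digest` record format are illustrative choices, not anything the site uses.

```python
import base64
import hashlib
import hmac
import os

RIJNDAEL_256_BLOCK = 32  # bytes per block for MCRYPT_RIJNDAEL_256, the class default
PBKDF2_ROUNDS = 600_000  # assumed work factor for the replacement scheme


def xor_merge(data: bytes, key: str) -> bytes:
    """Port of _xor_merge(): XOR with the hex SHA-1 of the key, repeated."""
    mask = hashlib.sha1(key.encode()).hexdigest().encode()
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def mcrypt_layer_possible(stored: str) -> bool:
    """ECB output is always a whole number of cipher blocks."""
    raw = base64.b64decode(stored)
    return len(raw) > 0 and len(raw) % RIJNDAEL_256_BLOCK == 0


def legacy_decode(stored: str, key: str) -> str:
    """Port of decode() without mcrypt: pairs are (r, r XOR plaintext byte)."""
    raw = base64.b64decode(stored)
    if len(raw) % 2:
        raise ValueError("odd length: not output of the XOR layer")
    merged = xor_merge(raw, key)
    plain = bytes(merged[i] ^ merged[i + 1] for i in range(0, len(merged), 2))
    return plain.decode("latin-1")


def hash_password(password: str) -> str:
    """One-way replacement record: pbkdf2$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    _, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    stored = "CmJUagJsBTsDdAY2Bzc="  # value quoted in the thread
    print(mcrypt_layer_possible(stored), legacy_decode(stored, "o2xda01"))
```

The stored value decodes to 14 bytes, so it cannot be Rijndael-256 ECB output, and its length alone gives the password length (7) whatever key is tried. The PBKDF2 record, by contrast, can only be checked against a candidate password, never decoded.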

Re: Decrypt Password

Posted: Wed Mar 23, 2011 12:21 pm
by Jonah Bron
Oh, yeah. That. I thought about mentioning that, but it wouldn't mean anything to the OP :D

Re: Decrypt Password

Posted: Wed Mar 23, 2011 12:33 pm
by social_experiment
:) I should have added '@ OP' in there.