
How to reset a user’s password by accessing the database

You may want to recover an old web page, only to find that you no longer know the password of the admin user you used. This article explains how to reset a user account’s password on a website by accessing the page’s database. It can be done in several ways; this is one of them.

You don’t remember the password

After recovering the web page you reach the admin area and do not remember the user’s credentials. This website was created with the Joomla content manager; for other content managers the procedure is similar.


Accessing data

We recovered the website locally, using XAMPP, which uses Apache and MySQL. Now we open the initial XAMPP dashboard at the localhost:8080/dashboard address and then click on phpMyAdmin, which is a database administration tool.


Entering the database

Once in phpMyAdmin we look for the database that the web page uses, and inside it we look for the table called prefix_users (prefix is a value that varies).

Once here we open the table and look for the user we used to access the website; in this case it is the damha user. Note that the password value is not the password we type, in plain text, but the result of applying a hash function, a mathematical formula that converts a series of characters into another, fixed-length character string. This protects the password, because it is not saved in the database as we type it but as the result of applying a cryptographic hash function.

Now we click Edit, go to the password field and choose MD5. Then in the value we type the password that we want to set and click ON.

Once this is done, if we open the user table again we will see that our password has been converted by the MD5 hash function into a character string. The important thing is that we can now enter the admin area with the password that we typed earlier.

How cybercriminals do it

This possibility of entering the database and changing a value is sometimes used by cybercriminals. Somehow they manage to access the database. They look for the users table and reset the password to one of their choosing. In this way they break in and enter the page as if they were legitimate: both the user and the password are valid.
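A defender can spot this kind of direct edit by comparing the users table with an earlier snapshot and flagging values with the bare 32-hex-character shape that an MD5 edit leaves behind, which is also a weak way to store a password. The following Python is an added example, not part of the original article; the row layout, the snapshot and the sample values are constructed, and the bcrypt pattern is an assumption about what the CMS normally stores.

```python
import hashlib
import re

# Shapes of values in the password column (assumed formats, see lead-in).
BARE_MD5 = re.compile(r"[0-9a-f]{32}", re.IGNORECASE)
BCRYPT = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def classify(stored):
    """Name the format of a value taken from the password column."""
    if BARE_MD5.fullmatch(stored):
        return "bare-md5"
    if BCRYPT.fullmatch(stored):
        return "bcrypt"
    return "other"


def audit(rows, baseline):
    """Compare current (username, password) rows with an earlier snapshot.

    baseline maps username -> password value seen at snapshot time.
    Returns {username: [findings]} for every account that needs a look.
    """
    findings = {}
    for username, stored in rows:
        notes = []
        if username not in baseline:
            notes.append("new account")
        elif baseline[username] != stored:
            notes.append("password value changed")
        if classify(stored) == "bare-md5":
            notes.append("unsalted MD5")
        if notes:
            findings[username] = notes
    return findings


# Constructed sample data: "damha" is the user from the article, the rest is made up.
BCRYPT_SHAPED = "$2y$10$" + "a" * 53  # right shape only, not a real hash
BASELINE = {"damha": BCRYPT_SHAPED, "editor": BCRYPT_SHAPED}
CURRENT = [
    ("damha", hashlib.md5(b"constructed-example").hexdigest()),
    ("editor", BCRYPT_SHAPED),
]

if __name__ == "__main__":
    for user, notes in audit(CURRENT, BASELINE).items():
        print(user, "->", ", ".join(notes))
```

An account that shows both findings at once, with no matching password-change request from its owner, is the pattern described above.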

Other non-legitimate uses of modifying the database

Being able to access the database of a website, either because you are the webmaster or because you are a cybercriminal, means that values can be changed to whatever you want. I give a few examples, but there are many:

  • Access a faculty’s database to change the grade of a subject. You can go into the university database, go to the user table and the grades table, and modify a grade you don’t like. Example: the change of the master’s degree grades of Cifuentes. In this case the civil servant who changed the grade did not do so directly. He did so through a management tool, which left a record of his presence: his user on the intranet was the one that modified the grade.
  • Modify a student’s hours in an online course. If you’re taking an online course, you may need to meet a minimum connection time to the course. If a student does not reach that minimum connection time, someone might access the database to modify that time. In this way the student appears to have completed the course.
  • Create dummy users to get more presence on the network. If you have a page with few visits, you may want to create dummy users to show that many people are interested in the products that you offer. You can also create fake invoices, from users who shop on your page without actually making that purchase. It is similar to gaining followers on social networks like Twitter or Instagram.

And do you know any other use of website database modification?
