pwAdmin Force Password Plugin

  1. #1
    Viva la Vida NaMeLeS is offline
    True MemberRank
    Jul 2011 Join Date
    613Posts

    pwAdmin Force Password Plugin

    Just quickly made this cause I was bored, and thought it might be of use to some people...

    Download v1

    Put it in your pwAdmin addons folder and you can use it to change the password of a person's account without the original password.

    Here is a preview of it...


    Just to make this clear:
    I did NOT write this, credits go to ronny for the original script. All I have done is modify it and turn it into an addon for pwAdmin to make it easier for people to use.

    Last edited by NaMeLeS; 20-08-11 at 02:10 AM.


  2. #2
    Nerd-IO Romulan is offline
    GammaRank
    Feb 2009 Join Date
    BelgiumLocation
    3,333Posts

    Re: pwAdmin Password Force addon

    Credit to me. Check this: Some little scripts for admins

  3. #3
    Viva la Vida NaMeLeS is offline
    True MemberRank
    Jul 2011 Join Date
    613Posts

    Re: pwAdmin Password Force addon

    Ahh ok sorry, all I did was take the pwAdmin "ACCOUNTS" page, modify it to get rid of all the other stuff, delete the "if old password matches, change password, else error" check, and then put it into an addons folder.

  4. #4
    Nerd-IO Romulan is offline
    GammaRank
    Feb 2009 Join Date
    BelgiumLocation
    3,333Posts

    Re: pwAdmin Password Force addon

    Ah ok then ^^

  5. #5
    Viva la Vida NaMeLeS is offline
    True MemberRank
    Jul 2011 Join Date
    613Posts

    Re: pwAdmin Password Force addon

    :P
    Posted via Mobile Device

  6. #6
    Account Inactive ronny1982 is offline
    InactiveRank
    Jan 2010 Join Date
    germanyLocation
    743Posts

    Re: pwAdmin Force Password Plugin

    there is an optimization since r55 of pwTools

    pwAdmin uses the changepasswd function instead of manipulating the table entry directly...

    I recommend looking into the affected code and updating your script with this new code (which still contains old password match verification):
    Code:
    if(count <= 0)
    {
    	message = "<font color=\"ee0000\">User Don't Exists</font>";
    }
    else
    {
    	password_old = pw_encode(login + password_old, MessageDigest.getInstance("MD5"));
    /*
    	// Some hard encoding problems require a strange solution...
    	// changePasswd -> wrong encoding, password destroyed...
    	// Only a temp entry in the database gives us a correctly encoded password for comparison
    
    	rs = statement.executeQuery("call adduser('" + login + "_TEMP_USER', " + password_old + ", '0', '0', '0', '0', '', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_old + ")");
    	rs = statement.executeQuery("SELECT passwd FROM users WHERE name='" + login + "_TEMP_USER'");
    	rs.next();
    	password_old = rs.getString("passwd");
    
    	// Delete temp entry
    	statement.executeUpdate("DELETE FROM users WHERE name='" + login + "_TEMP_USER'");
    
    	if(password_old.compareTo(password_stored) != 0)
    	{
    		message = "<font color=\"ee0000\">Old Password Mismatch</font>";
    	}
    	else
    	{
    		password_new = pw_encode(login + password_new, MessageDigest.getInstance("MD5"));
    
    		// LOCK TABLE to ensure that nobody else get the original ID of the user
    		statement.executeUpdate("LOCK TABLE users WRITE");
    		// Delete old entry
    		statement.executeUpdate("DELETE FROM users WHERE name='" + login + "'");
    		// Add new entry
    		rs = statement.executeQuery("call adduser('" + login + "', " + password_new + ", '0', '0', '0', '0', '', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_new + ")");
    		// change new entry ID to original ID - necessary to keep characters of this account
    		statement.executeUpdate("UPDATE users SET ID='" + id_stored + "' WHERE name='" + login + "'");
    		// UNLOCK TABLES
    		statement.executeUpdate("UNLOCK TABLES");
    
    		message = "<font color=\"00cc00\">Password Changed</font>";
    	}
    */
    	CallableStatement cs = connection.prepareCall("{call acquireuserpasswd(?,?,?)}");
    	cs.setString(1, login);
    	cs.registerOutParameter(3, Types.VARCHAR);
    	cs.execute();
    
    	if(password_old.compareTo(cs.getString(3)) != 0)
    	{
    		message = "<font color=\"ee0000\">Old Password Mismatch</font>";
    	}
    	else
    	{
    		password_new = pw_encode(login + password_new, MessageDigest.getInstance("MD5"));
    		statement.executeQuery("CALL changePasswd('" + login + "', " + password_new + ")");
    		statement.executeQuery("CALL changePasswd2('" + login + "', " + password_new + ")");
    		message = "<font color=\"00cc00\">Password Changed</font>";
    	}
    }
    Last edited by ronny1982; 08-08-11 at 05:06 PM.

  7. #7
    Viva la Vida NaMeLeS is offline
    True MemberRank
    Jul 2011 Join Date
    613Posts

    Re: pwAdmin Force Password Plugin

    Alright, cheers ronny, I will look into and update it when I get home later.

    Thanks
    Posted via Mobile Device
    Last edited by NaMeLeS; 10-08-11 at 02:35 AM.

  8. #8
    Omega 343 is offline
    The OmegaRank
    Oct 2009 Join Date
    Ancient DGN CTYLocation
    5,400Posts

    Re: pwAdmin Force Password Plugin

    Although this original release may have been 'outdated' - even the 'update' will 'break' the email field in the database (If I'm not mistaken). See my original post about this eons ago here: http://forum.ragezone.com/f452/accou...6/#post5843875

    Then, in the future, if a user attempts to change their own password from the 'user' password change portion of the 'website' (at least on my release) it will FAIL because it has an email verification, and cannot verify it after it's 'nulled' out from a 'script' like this one!

    Here is my update to the original release of this thread (So that it does NOT 'break' the EMAIL field in DBO):

    Code:
    <%@page import="java.sql.*"%>
    <%@page import="java.util.*"%>
    <%@page import="java.security.*"%>
    <%@include file="../../WEB-INF/.pwadminconf.jsp"%>
    
    <%!
        	String pw_encode(String salt, MessageDigest alg)
    	{
    		alg.reset(); 
    		alg.update(salt.getBytes());
    		byte[] digest = alg.digest();
    		StringBuffer hashedpasswd = new StringBuffer();
    		String hx;
    		for(int i=0; i<digest.length; i++)
    		{
    			hx =  Integer.toHexString(0xFF & digest[i]);
    			//0x03 is equal to 0x3, but we need 0x03 for our md5sum
    			if(hx.length() == 1)
    			{
    				hx = "0" + hx;
    			} 
    			hashedpasswd.append(hx);
    		}
    		salt = "0x" + hashedpasswd.toString();
    
            	return salt;
       	}
    %>
    
    <%
    	boolean allowed = false;
    
    	if(request.getSession().getAttribute("ssid") == null)
    	{
    		out.println("<p align=\"right\"><font color=\"#ee0000\"><b>Login for Account administration...</b></font></p>");
    	}
    	else
    	{
    		allowed = true;
    	}
    
    	String message = "<br>";
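    	// Only process the action for a logged-in pwAdmin session; "allowed" was computed above but never enforced
    	if(allowed && request.getParameter("action") != null)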
    	{
    			String action = new String(request.getParameter("action"));
    
    			if(action.compareTo("passwd") == 0)
    			{
    				String login = request.getParameter("login");
    				// Reassign instead of redeclaring: a second "String login" does not compile
    				login = login.toLowerCase();
    				String password_old = request.getParameter("password_old");
    				String password_new = request.getParameter("password_new");
    
    				if(login.length() > 0 && password_new.length() > 0)
    				{
    					if(password_new.length() < 6 || password_new.length() > 32)
    					{
    						message = "<font color=\"ee0000\">Only 6-32 Characters</font>";
    					}
    					else
    					{
    						String alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_";
    						boolean check = true;
    						char c;
    						for(int i=0; i<password_new.length(); i++)
    						{
    							c = password_new.charAt(i);
    							if (alphabet.indexOf(c) == -1)
    							{
    								check = false;
    								break;
    							}
    						}
    
    						if(!check)
    						{
    							message = "<font color=\"ee0000\">Forbidden Characters</font>";
    						}
    						else
    						{
    							try
    							{
    								Class.forName("com.mysql.jdbc.Driver").newInstance();
    								Connection connection = DriverManager.getConnection("jdbc:mysql://" + db_host + ":" + db_port + "/" + db_database, db_user, db_password);
    								Statement statement = connection.createStatement();
    								ResultSet rs = statement.executeQuery("SELECT ID, passwd, email FROM users WHERE name='" + login + "'");
                                    String email_stored = "";
    								String password_stored = "";
    								String id_stored = "";
    								int count = 0;
    								while(rs.next())
    								{
                                        email_stored = rs.getString("email");
    									id_stored = rs.getString("ID");
    									password_stored = rs.getString("passwd");
    									count++;
    								}
    
    								if(count <= 0)
    								{
    									message = "<font color=\"ee0000\">User Doesn't Exist</font>";
    								}
    								else
    								{
    									password_old = pw_encode(login + password_old, MessageDigest.getInstance("MD5"));
    
    									// Some hard encoding problems require a strange solution...
    									// changePasswd -> wrong encoding, password destroyed...
    									// Only a temp entry in the database gives us a correctly encoded password for comparison
    
    									rs = statement.executeQuery("call adduser('" + login + "_TEMP_USER', " + password_old + ", '0', '0', '0', '0', '', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_old + ")");
    									rs = statement.executeQuery("SELECT passwd FROM users WHERE name='" + login + "_TEMP_USER'");
    									rs.next();
    									password_old = rs.getString("passwd");
    
    									// Delete temp entry
    									statement.executeUpdate("DELETE FROM users WHERE name='" + login + "_TEMP_USER'");
    
    									{
    										password_new = pw_encode(login + password_new, MessageDigest.getInstance("MD5"));
    
    										// LOCK TABLE to ensure that nobody else get the original ID of the user
    										statement.executeUpdate("LOCK TABLE users WRITE");
    										// Delete old entry
    										statement.executeUpdate("DELETE FROM users WHERE name='" + login + "'");
    										// Add new entry
    										rs = statement.executeQuery("call adduser('" + login + "', " + password_new + ", '0', '0', '0', '0', '" + email_stored + "', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_new + ")");
    										// change new entry ID to original ID - necessary to keep characters of this account
    										statement.executeUpdate("UPDATE users SET ID='" + id_stored + "' WHERE name='" + login + "'");
    										// UNLOCK TABLES
    										statement.executeUpdate("UNLOCK TABLES");
    
    										message = "<font color=\"00cc00\">Password Changed</font>";
    									}
    								}
    
    								rs.close();
    								statement.close();
    								connection.close();
    							}
    							catch(Exception e)
    							{
    								message = "<font color=\"#ee0000\"><b>Connection to MySQL Database Failed</b></font>";
    							}
    						}
    					}
    				}
    			}
    
    			
    	}
    %>
    
    
    <head>
    	<link rel="shortcut icon" href="../../include/fav.ico">
    	<link rel="stylesheet" type="text/css" href="../../include/style.css">
    </head>
    
    <table width="800" cellpadding="0" cellspacing="0" border="0">
    
    <tr>
    	<td height="1" align="center" valign="top" colspan="3">
    		<b><% out.print(message); %></b>
    	</td>
    </tr>
    
    <tr>
    	<td height="1" align="center" valign="top" colspan="3">
    		<br>
    	</td>
    </tr>
    
    <tr>
    	<td align="center" valign="top">
    		<form action="index.jsp?page=account&action=passwd" method="post" style="margin: 0px;">
    			<table width="240" cellpadding="5" cellspacing="0" style="border:1px solid #cccccc;">
    				<tr>
    					<th align="center" colspan="2">
    						<b><font color="#ffffff">CHANGE ACCOUNT PASSWORD</font></b>
    					</th>
    				</tr>
    				<tr>
    					<td>Login Name:</td><td align="right"><input type="text" name="login" style="width: 100; text-align: center;"></td>
    				</tr>
    				<tr>
    					<td>New Password:</td><td align="right"><input type="password" name="password_new" style="width: 100; text-align: center;"></td>
    				</tr>
    				<tr>
    					<td align="center" colspan="2"><input type="image" name="submit" src="../../include/btn_change.jpg" style="border: 0px;"></td>
    				</tr>
    			</table>
    		</form>
    	</td>
    </tr>
    </table>
    Last edited by 343; 05-02-12 at 12:01 AM.

  9. #9
    Hardcore Member kombinho is offline
    MemberRank
    Nov 2011 Join Date
    121Posts

    Re: pwAdmin Force Password Plugin

    Please someone give me a script to change password: /

  10. #10
    Account Inactive Jacknife is offline
    InactiveRank
    Nov 2011 Join Date
    1.3.6 LandLocation
    718Posts

    Re: pwAdmin Force Password Plugin

    I love love love love love this force password plugin, it helps me sooo much.

  11. #11
    Viva la Vida NaMeLeS is offline
    True MemberRank
    Jul 2011 Join Date
    613Posts

    Re: pwAdmin Force Password Plugin

    Quote Originally Posted by kombinho View Post
    Please someone give me a script to change password: /
    The one in the first page is a script for changing passwords!

    If you mean one that requires the old password then look on the pwadmin accounts page!

    And thanks dolke, most of the credit goes to ronny :P

  12. #12
    Hardcore Member kombinho is offline
    MemberRank
    Nov 2011 Join Date
    121Posts

    Re: pwAdmin Force Password Plugin

    Damn I needed for my players to exchange, please someone give me a script to change password pro site?

  13. #13
    Robb rbb138 is offline
    True MemberRank
    Jan 2009 Join Date
    London, EnglandLocation
    1,241Posts

    Re: pwAdmin Force Password Plugin

    would be nice to have an option to change it back afterwards if needed.

    e.g. save original password to a variable that then gets printed inside the input box with the text "change password back", obviously needing their login name inside the login name box also.

    I already have a script that does this but one integrated into pwadmin would be much nicer.

    Also, shouldn't we be adding SQLi protection to addons? I mean I know you need the pwAdmin password to use it, but it might still be a good idea.
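
Added example (not code from any poster in this thread or from pwAdmin itself) of the SQLi protection asked about above: the same user lookup and `changePasswd`/`changePasswd2` calls that appear in the posted code, with `login` and the digest bound as parameters instead of concatenated into the SQL string. It assumes the procedures accept the 16-byte MD5 digest as a binary parameter (which is what the unquoted `0x...` literal passes); the class and method names, the status text for rejected input and the 1-32 character limit on `login` are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.*;

public class ForcePasswordSafe {
    // Alphabet the posted JSP enforces on password_new; reusing it for login is an assumption.
    static final String ALPHABET =
        "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_";

    static boolean valid(String s, int min, int max) {
        if (s == null || s.length() < min || s.length() > max) return false;
        for (char c : s.toCharArray()) if (ALPHABET.indexOf(c) == -1) return false;
        return true;
    }

    // MD5(login + password) as raw bytes: the same digest pw_encode renders as a 0x... literal.
    static byte[] digest(String login, String password) throws Exception {
        return MessageDigest.getInstance("MD5")
            .digest((login + password).getBytes(StandardCharsets.UTF_8));
    }

    // Returns the status text; every user-supplied value reaches MySQL as a bound parameter.
    static String forcePassword(Connection con, String login, String newPw) throws Exception {
        if (login == null) return "Invalid login or password";
        login = login.toLowerCase();
        if (!valid(login, 1, 32) || !valid(newPw, 6, 32)) return "Invalid login or password";
        try (PreparedStatement ps = con.prepareStatement("SELECT ID FROM users WHERE name = ?")) {
            ps.setString(1, login);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return "User Doesn't Exist";
            }
        }
        byte[] hash = digest(login, newPw);
        // Procedure names are fixed constants taken from the thread, never user input.
        for (String proc : new String[] {"changePasswd", "changePasswd2"}) {
            try (CallableStatement cs = con.prepareCall("{call " + proc + "(?, ?)}")) {
                cs.setString(1, login);
                cs.setBytes(2, hash);
                cs.execute();
            }
        }
        return "Password Changed";
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: both are rejected before any query is built, so no connection is needed.
        System.out.println(forcePassword(null, "alice' OR '1'='1", "newpass1"));
        System.out.println(forcePassword(null, "alice", "x'); DROP--"));
    }
}
```

The allow-list check is defence in depth; the bound parameters are what keep a quote in `login` from changing the statement.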

  14. #14
    PW Dev <3 Ozuru is offline
    True MemberRank
    Feb 2011 Join Date
    737Posts

    Re: pwAdmin Force Password Plugin

    A while back I remember the one add on you didn't even need to login to use. Yeah, protection needs to be added because about 90% of servers I know have an open pwAdmin...
    Posted via Mobile Device

  15. #15
    Omega 343 is offline
    The OmegaRank
    Oct 2009 Join Date
    Ancient DGN CTYLocation
    5,400Posts

    Re: pwAdmin Force Password Plugin

    Quote Originally Posted by Ozuru View Post
    A while back I remember the one add on you didn't even need to login to use. Yeah, protection needs to be added because about 90% of servers I know have an open pwAdmin...
    Posted via Mobile Device
    That's not a good idea at all! That's why my release has pwAdmin separated so that it can be kept closed to the WAN
