-
pwAdmin Force Password Plugin
Just quickly made this cause I was bored, and thought it might be of use to some people...
Download v1
Put it in your pwAdmin addons folder and you can use it to change a password of a persons account without the original password.
Here is a preview of it...
http://img834.imageshack.us/img834/1859/previewbk.png
Just to make this clear:
I did NOT write this, credits go to ronny for the original script, all I have done is modified it and turned it into an addon for pwAdmin to make it easier use to people.
:thumbup:
-
Re: pwAdmin Password Force addon
-
Re: pwAdmin Password Force addon
Ahh ok sorry, all I did was took the pwAdmin "ACCOUNTS" page, modified it to get rid of all the other stuff, deleted the if old password matches, change password else error and then put it into an addons folder
-
Re: pwAdmin Password Force addon
-
Re: pwAdmin Password Force addon
:P
Posted via Mobile Device
-
Re: pwAdmin Force Password Plugin
there is an optimization since r55 of pwTools
pwAdmin uses the changepasswd function instead of manipulating the table entry directly...
i recommend to look into the affected code and update your script with this new code (which still contains old password match verification):
Code:
if(count <= 0)
{
message = "<font color=\"ee0000\">User Don't Exists</font>";
}
else
{
password_old = pw_encode(login + password_old, MessageDigest.getInstance("MD5"));
/*
// Some hard encoding problems requires a strange solution...
// changePasswd -> wrong encoding password destroyed...
// Only a temp entry in database gives us a correct encoded password for comparsion
rs = statement.executeQuery("call adduser('" + login + "_TEMP_USER', " + password_old + ", '0', '0', '0', '0', '', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_old + ")");
rs = statement.executeQuery("SELECT passwd FROM users WHERE name='" + login + "_TEMP_USER'");
rs.next();
password_old = rs.getString("passwd");
// Delete temp entry
statement.executeUpdate("DELETE FROM users WHERE name='" + login + "_TEMP_USER'");
if(password_old.compareTo(password_stored) != 0)
{
message = "<font color=\"ee0000\">Old Password Mismatch</font>";
}
else
{
password_new = pw_encode(login + password_new, MessageDigest.getInstance("MD5"));
// LOCK TABLE to ensure that nobody else get the original ID of the user
statement.executeUpdate("LOCK TABLE users WRITE");
// Delete old entry
statement.executeUpdate("DELETE FROM users WHERE name='" + login + "'");
// Add new entry
rs = statement.executeQuery("call adduser('" + login + "', " + password_new + ", '0', '0', '0', '0', '', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_new + ")");
// change new entry ID to original ID - necessary to keep characters of this account
statement.executeUpdate("UPDATE users SET ID='" + id_stored + "' WHERE name='" + login + "'");
// UNLOCK TABLES
statement.executeUpdate("UNLOCK TABLES");
message = "<font color=\"00cc00\">Password Changed</font>";
}
*/
CallableStatement cs = connection.prepareCall("{call acquireuserpasswd(?,?,?)}");
cs.setString(1, login);
cs.registerOutParameter(3, Types.VARCHAR);
cs.execute();
if(password_old.compareTo(cs.getString(3)) != 0)
{
message = "<font color=\"ee0000\">Old Password Mismatch</font>";
}
else
{
password_new = pw_encode(login + password_new, MessageDigest.getInstance("MD5"));
statement.executeQuery("CALL changePasswd('" + login + "', " + password_new + ")");
statement.executeQuery("CALL changePasswd2('" + login + "', " + password_new + ")");
message = "<font color=\"00cc00\">Password Changed</font>";
}
}
-
Re: pwAdmin Force Password Plugin
Alright, cheers ronny, I will look into and update it when I get home later.
Thanks
Posted via Mobile Device
-
1 Attachment(s)
Re: pwAdmin Force Password Plugin
Although this original release may have been 'outdated' - even the 'update' will 'break' the email field in the database (If I'm not mistaken). See my original post about this eons ago here: http://forum.ragezone.com/f452/accou...6/#post5843875
Then, in the future, if a user attempts to change their own password from the 'user' password change portion of the 'website' (at least on my release) it will FAIL because it has an email verification, and cannot verify it after it's 'nulled' out from a 'script' like this one!
Here is my update to the original release of this thread (So that it does NOT 'break' the EMAIL field in DBO):
Code:
<%@page import="java.sql.*"%>
<%@page import="java.util.*"%>
<%@page import="java.security.*"%>
<%@include file="../../WEB-INF/.pwadminconf.jsp"%>
<%!
String pw_encode(String salt, MessageDigest alg)
{
alg.reset();
alg.update(salt.getBytes());
byte[] digest = alg.digest();
StringBuffer hashedpasswd = new StringBuffer();
String hx;
for(int i=0; i<digest.length; i++)
{
hx = Integer.toHexString(0xFF & digest[i]);
//0x03 is equal to 0x3, but we need 0x03 for our md5sum
if(hx.length() == 1)
{
hx = "0" + hx;
}
hashedpasswd.append(hx);
}
salt = "0x" + hashedpasswd.toString();
return salt;
}
%>
<%
boolean allowed = false;
if(request.getSession().getAttribute("ssid") == null)
{
out.println("<p align=\"right\"><font color=\"#ee0000\"><b>Login for Account administration...</b></font></p>");
}
else
{
allowed = true;
}
String message = "<br>";
if(request.getParameter("action") != null)
{
String action = new String(request.getParameter("action"));
if(action.compareTo("passwd") == 0)
{
String login = request.getParameter("login");
String login = login.toLowerCase();
String password_old = request.getParameter("password_old");
String password_new = request.getParameter("password_new");
if(login.length() > 0 && password_new.length() > 0)
{
if(password_new.length() < 6 || password_new.length() > 32)
{
message = "<font color=\"ee0000\">Only 6-32 Characters</font>";
}
else
{
String alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_";
boolean check = true;
char c;
for(int i=0; i<password_new.length(); i++)
{
c = password_new.charAt(i);
if (alphabet.indexOf(c) == -1)
{
check = false;
break;
}
}
if(!check)
{
message = "<font color=\"ee0000\">Forbidden Characters</font>";
}
else
{
try
{
Class.forName("com.mysql.jdbc.Driver").newInstance();
Connection connection = DriverManager.getConnection("jdbc:mysql://" + db_host + ":" + db_port + "/" + db_database, db_user, db_password);
Statement statement = connection.createStatement();
ResultSet rs = statement.executeQuery("SELECT ID, passwd, email FROM users WHERE name='" + login + "'");
String email_stored = "";
String password_stored = "";
String id_stored = "";
int count = 0;
while(rs.next())
{
email_stored = rs.getString("email");
id_stored = rs.getString("ID");
password_stored = rs.getString("passwd");
count++;
}
if(count <= 0)
{
message = "<font color=\"ee0000\">User Doesn't Exist</font>";
}
else
{
password_old = pw_encode(login + password_old, MessageDigest.getInstance("MD5"));
// Some hard encoding problems requires a strange solution...
// changePasswd -> wrong encoding password destroyed...
// Only a temp entry in database gives us a correct encoded password for comparsion
rs = statement.executeQuery("call adduser('" + login + "_TEMP_USER', " + password_old + ", '0', '0', '0', '0', '', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_old + ")");
rs = statement.executeQuery("SELECT passwd FROM users WHERE name='" + login + "_TEMP_USER'");
rs.next();
password_old = rs.getString("passwd");
// Delete temp entry
statement.executeUpdate("DELETE FROM users WHERE name='" + login + "_TEMP_USER'");
{
password_new = pw_encode(login + password_new, MessageDigest.getInstance("MD5"));
// LOCK TABLE to ensure that nobody else get the original ID of the user
statement.executeUpdate("LOCK TABLE users WRITE");
// Delete old entry
statement.executeUpdate("DELETE FROM users WHERE name='" + login + "'");
// Add new entry
rs = statement.executeQuery("call adduser('" + login + "', " + password_new + ", '0', '0', '0', '0', '" + email_stored + "', '0', '0', '0', '0', '0', '0', '0', '', '', " + password_new + ")");
// change new entry ID to original ID - necessary to keep characters of this account
statement.executeUpdate("UPDATE users SET ID='" + id_stored + "' WHERE name='" + login + "'");
// UNLOCK TABLES
statement.executeUpdate("UNLOCK TABLES");
message = "<font color=\"00cc00\">Password Changed</font>";
}
}
rs.close();
statement.close();
connection.close();
}
catch(Exception e)
{
message = "<font color=\"#ee0000\"><b>Connection to MySQL Database Failed</b></font>";
}
}
}
}
}
}
%>
<head>
<link rel="shortcut icon" href="../../include/fav.ico">
<link rel="stylesheet" type="text/css" href="../../include/style.css">
</head>
<table width="800" cellpadding="0" cellspacing="0" border="0">
<tr>
<td height="1" align="center" valign="top" colspan="3">
<b><% out.print(message); %></b>
</td>
</tr>
<tr>
<td height="1" align="center" valign="top" colspan="3">
<br>
</td>
</tr>
<td align="center" valign="top">
<form action="index.jsp?page=account&action=passwd" method="post" style="margin: 0px;">
<table width="240" cellpadding="5" cellspacing="0" style="border:1px solid #cccccc;">
<tr>
<th align="center" colspan="2">
<b><font color="#ffffff">CHANGE ACCOUNT PASSWORD</font></b>
</th>
</tr>
<tr>
<td>Login Name:</td><td align="right"><input type="text" name="login" style="width: 100; text-align: center;"></td>
</tr>
<tr>
<td>New Password:</td><td align="right"><input type="password" name="password_new" style="width: 100; text-align: center;"></td>
</tr>
<tr>
<td align="center" colspan="2"><input type="image" name="submit" src="../../include/btn_change.jpg" style="border: 0px;"></td>
</tr>
</table>
</form>
</td>
</table>
-
Re: pwAdmin Force Password Plugin
Please someone give me a script to change password: /
-
Re: pwAdmin Force Password Plugin
i love love love love love this force password plugin it helps me sooo much.
-
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
kombinho
Please someone give me a script to change password: /
The one in the first page is a script for changing passwords!
If you mean one that requires the old password then look on the pwadmin accounts page!
And thanks dolke, most of the credit goes to ronny :P
-
Re: pwAdmin Force Password Plugin
Damn I needed for my players to exchange, please someone give me a script to change password pro site?
-
Re: pwAdmin Force Password Plugin
would be nice to have an option to change it back afterwards if needed.
e.g. save original password to a variable that then gets printed inside the input box with the text "change password back", obviously needing their login name inside the login name box also.
I already have a script that does this but one integrated into pwadmin would be much nicer.
Also- shouldn't be we adding sqli protection to addons? I mean i know you need the pwadmin password to use it, but it might still be a good idea.
-
Re: pwAdmin Force Password Plugin
A while back I remember the one add on you didn't even need to login to use. Yeah, protection needs to be added because about 90% of servers I know have an open pwAdmin...
Posted via Mobile Device
-
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
Ozuru
A while back I remember the one add on you didn't even need to login to use. Yeah, protection needs to be added because about 90% of servers I know have an open pwAdmin...
Posted via Mobile Device
That's not a good idea at all! That's why my release has pwAdmin separated so that it can be kept closed to the WAN :thumbup:
-
Re: pwAdmin Force Password Plugin
yea nobody should have an open pwAdmin, even changing the port to 1337 like some *cough*i dunno who*cough* isn't secure.
-
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
rbb138
yea nobody should have an open pwAdmin, even changing the port to 1337 like some *cough*i dunno who*cough* isn't secure.
:rofl:
However, how would it not be secure to utilize a port (any port) that you do not open to the WAN (as long as you have a hardware firewall between the WAN and your server)...
IE: Even if I am running a web server on port 80 but do not open (if anything explicitly block) port 80 on the WAN any inbound traffic to 80 will be denied, even though there is a 'server' running there.
-
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
rbb138
yea nobody should have an open pwAdmin, even changing the port to 1337 like some *cough*i dunno who*cough* isn't secure.
>.> lolol
-
Re: pwAdmin Force Password Plugin
can somebody reupload this please.
-
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
coolgirlpwns
can somebody reupload this please.
-
Re: pwAdmin Force Password Plugin
343, GET ON TEAMSPEAK! She has been banned!
-
1 Attachment(s)
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
coolgirlpwns
can somebody reupload this please.
this is frc psswd ,, but not addon pwAdmin..
Attachment 97756 :mellow:
-
Re: pwAdmin Force Password Plugin
Quote:
Originally Posted by
TheBow
ok thanks :)
-
Re: pwAdmin Force Password Plugin
After creating a new folder in /addons and adding 343's modified plugin, i get the following error:
__________________________________________
HTTP ERROR 500
Problem accessing /pw/addons/ForcePassword/. Reason:
PWC6033: Unable to compile class for JSP
PWC6197: An error occurred at line: 30 in the jsp file: /addons/Force Password/index.jsp
PWC6199: Generated servlet error:
Duplicate local variable login
Caused by:
org.apache.jasper.JasperException: PWC6033: Unable to compile class for JSP
PWC6197: An error occurred at line: 30 in the jsp file: /addons/Force Password/index.jsp
PWC6199: Generated servlet error:
Duplicate local variable login
at org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:123)
at org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:296)
at org.apache.jasper.compiler.Compiler.generateClass(Compiler.java:376)
at org.apache.jasper.compiler.Compiler.compile(Compiler.java:437)
at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:608)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:360)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:538)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:478)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:517)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:937)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:871)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:284)
at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:115)
at org.eclipse.jetty.servlet.DefaultServlet.doGet(DefaultServlet.java:552)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:538)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:478)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:937)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:871)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:247)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
at org.eclipse.jetty.server.Server.handle(Server.java:346)
at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:589)
at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1048)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:601)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:214)
at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:411)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:535)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:529)
at java.lang.Thread.run(Thread.java:679)
________________________________
Does anyone have an idea how to fix this?
Thx in advance!
-
Re: pwAdmin Force Password Plugin
OMG WTF...
When will ppl finally learn to read those fucking error messages?!
Quote:
PWC6197: An error occurred at line: 30 in the jsp file: /addons/Force Password/index.jsp
PWC6199: Generated servlet error:
Duplicate local variable login
