1

So I would like to be able to change password hashes that exist in my WordPress wp_user table in the user_pass column. I am hoping to be able to write something as follows:

```sql
# simplified version of what is desired.
UPDATE `wp_user` SET user_pass = MD5('123') WHERE user_email = 'some_dudes@someplace.com';
```

Basically, I want to be able to set a user's password in MySQL such that after I set it using a query, WordPress will continue to accept this password as valid when a user types it in through the sign-on form. I am reviewing the PHPass info regarding this as well as the contents of class-phpass.php in the WordPress source. From my research, this seems extremely complicated to do, if not unfeasible. Am I missing something or is this actually intended to be hard or potentially obfuscated? Would it be possible to replicate this functionality in MySQL? Any help would be appreciated. Thank you kindly.

EDIT REGARDING PROGRESS: It is the case that if you only need a development level of security then you can actually use the following:

```sql
UPDATE `wp_user` SET user_pass = MD5('123') WHERE id = 1342;
```

I should better explain why this works. WordPress will, for legacy compatibility reasons, default to an MD5 hash. Basically, when a password is passed to WordPress it runs the WordPress PHPass hash; this will fail for something like MD5('123'). Then WordPress will try other, simpler hash algorithms, like SHA1 and finally MD5. Then if a match is found on one of these, WordPress actually updates the password column of the record in question. It updates the given password to PHPass. After this happens you're still good to go. This basically works perfectly for a dev environment, but a MySQL query that matches the work of PHPass is an epic task. If I crack that, that will be my next update. Apparently WordPress is running salt-appended blowfish hashes about 8000 times over to generate the final hash result.

usumoio
  • Well, Mr. Galt, it appears that you are trying to develop a MySQL query that will programmatically change a WordPress user's password to some new value. Is that correct? You're absolutely right that it's hard. But it's certainly not obfuscated. It isn't quite as simple as updating a column in the wp_user table. Do you want to cancel any session the user has active when you change the password? – O. Jones Mar 11 '13 at 23:38
  • 1
    As you have observed, there's a lot of stuff going on in `class-phpass.php`. Most of it relates to doing two things portably: generating a cryptographically robust random number for the hash salt, and generating a hash. If you try to replicate this with MySQL functions like RAND() and MD5() it's very possible you will create a security hole in your WordPress installation. That's because the MySQL RAND function isn't cryptographically robust. That is, MySQL random numbers are easier to guess than they should be. Use the php function, or get cracked! – O. Jones Mar 11 '13 at 23:45
  • @OllieJones I'm not too worried about the user session at the moment; this query's intended function is to swap out an auto-generated password that gets created on user signup. This is for testing purposes on a dev machine. The ultimate goal is a query that would allow an arbitrary user to be created. The password is an important piece though, which I do not yet understand how to replicate. – usumoio Mar 12 '13 at 00:02
  • @OllieJones Don't worry, I know better than to use what I'm hoping to build as part of my live installation :) – usumoio Mar 12 '13 at 00:03

1 Answer

-3

Quite easy, actually; you even posted correct SQL from what I see.

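```php
<?php
// Placeholders: replace with your own connection details and database name.
$connection = mysqli_connect('SERVER', 'USERNAME', 'PASSWORD', 'DATABASE');

// Run the UPDATE statement from the question.
mysqli_query($connection, 'SQL_YOU_POSTED');
?>
```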
Jacek Pietal
  • 2
    It's possible that the reason other people downvoted you was because this question asks about what the 'SQL_YOU_POSTED' needs to be in reality. What I wrote in the question is a simple example; the real query is far, far more complex. – usumoio Mar 13 '13 at 19:09
  • The real query *is* far more complex, and this answer asserts that the simple SQL in the OP's post is "correct," even though the OP stated that it is inadequate in the sense that it doesn't generate an actual WordPress-compatible password hash. In fact it is **not** correct from a security standpoint because it only generates simple, unsalted hashes and is highly susceptible to attack. – Craig Tullis Jun 16 '15 at 23:54
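
As an added example (not code from this thread or from WordPress itself), the Python below re-implements the portable `$P$` scheme from `class-phpass.php`, which at the setting used by WordPress versions contemporary with this thread iterates salted MD5 2^13 = 8192 times, together with the legacy MD5 fallback and rehash that the question's EDIT relies on. The function names and the `(accepted, value_to_store)` return shape are assumptions of this example; the salt is drawn from the OS CSPRNG, in line with the comment above about `RAND()`.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data):
    """phpass's base64 variant: little-endian 24-bit groups, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # n input bytes yield n + 1 characters
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password, setting=None):
    """Portable phpass hash; `setting` is an existing hash or its first 12 chars."""
    if setting is None:
        # 'B' encodes log2(rounds) = 13; the 6-byte salt comes from the OS CSPRNG.
        setting = "$P$B" + _encode64(secrets.token_bytes(6))
    log2 = ITOA64.find(setting[3:4])
    if not setting.startswith("$P$") or len(setting) < 12 or not 7 <= log2 <= 30:
        raise ValueError("not a portable phpass setting")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def check_login(password, stored):
    """Return (accepted, value_to_store); legacy MD5 rows are upgraded on success."""
    if stored.startswith("$P$"):
        return hmac.compare_digest(phpass_hash(password, stored), stored), stored
    legacy = hashlib.md5(password.encode()).hexdigest()
    if hmac.compare_digest(legacy, stored):
        return True, phpass_hash(password)  # what WordPress writes back to user_pass
    return False, stored

if __name__ == "__main__":
    row = hashlib.md5(b"123").hexdigest()  # constructed row: UPDATE ... MD5('123')
    accepted, row = check_login("123", row)
    print(accepted, row)                   # row is now a salted $P$B... hash
    print(check_login("123", row)[0], check_login("1234", row)[0])
```

Because the salt is random, two calls to `phpass_hash("123")` give different strings, which is why a fixed value cannot simply be pasted into every row the way `MD5('123')` can.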