2017-09-05 21:57

Decrypting a PHPass WordPress hash without access to the original site

The question straight up, more explanation down below - is there a reasonably appropriate way to decrypt a somewhat recently updated WordPress password hash, even if it may take a while to decode?

We currently have a full database backup from a while back that we have free rein to work with if need be, I'm just not sure of the starting point. We have hashcat available but I'm not sure what variables exactly should be used. We're okay to run a crack for an extended period of time if need be. I know MD5 was cracked a while back so I'm wondering if the new phpass is crackable if we have all database information available. Would greatly appreciate any insight or perhaps a pointer to the appropriate direction or resource that we can look into.



2 answers

  • douxie4583 2017-09-05 23:14

    If you have access to the database and you know it is a WordPress website, you can SAFELY create a new WordPress install, the same version as the one you are currently running, create an account with a known password, and copy those database fields into the current running DB. Then, simply, log in using those hashed credentials and admin privileges and make your appropriate changes.

    WILD GUESS, but stackoverflow will not decrypt PHP's password hash for you and post it here.

  • donglie7268 2017-09-05 22:26

    > I know MD5 was cracked a while back so I'm wondering if the new phpass is crackable if we have all database information available.

    This is incorrect. MD5 has not been "cracked", but it can now be processed so fast that a solution value (or duplicate) can be found relatively very quickly. This is not the same as a "crack" which is a mathematical reversal of the process used to create the cyphertext/hash.

    Because MD5 can be processed so quickly now, and because it always produces the same outcome from the same input, there are things called "rainbow tables" which store the plaintext and the MD5 hash by association so as to make it easy to enter one and find out the other. See more here.

    > That said, to explain: We've got a very strange situation on our hands. I was recently approached by a business who assumed that web developer also meant white hat, apparently. Long story short, the only person with access to this company's website passed away in a car crash three months ago. Server access, WordPress access, the whole nine yards - he was the only one with access, and he left zero notes. The business hasn't done anything with the website since then, but apparently last week the site was exploited and is now forwarding to a porn site, which is murdering their reputation currently. We've contacted the hosts and they can't do anything because we don't currently have the deceased's verification information... So we're stuck. We've contacted the host's management and have submitted the appropriate documents but they said it could take 3-4 weeks for a response. So there's that.

    This sounds like utter rubbish.

    There are various points on here that sound extremely dubious. No server is accessible to only one person, unless it's their own PC sitting in their living room or garage, etc. A properly maintained and managed system (as this appears to be by reference to hosting companies, etc.) will have access at a root level (and probably lower levels) available to the Hosting administration. Typically there are 5-6 access levels between the website developer and the chief honcho, all of whom can, if need be, access most parts of an end user's account.

    People die all the time. This is no reason to sink a server account just because someone passed away. Send legal documentation from a legal professional to the Hosting company explaining and showing that the account holder has expired and requesting the account be transferred.

    This may take time depending on the size of the company and if the business is willing to pay for this work to be carried out.

    If you have issues with the server hosts then you can also apply to the DNS authorities/company to have the domain name removed and redirected to another account with another host. This will be virtually seamless for the web domain visitors.

    I repeat, various aspects of this question as described sound at best dubious and at worst simply fictitious.

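An added example, not part of the question or either answer, illustrating the rainbow-table point above: unsalted MD5 gives one fixed value per password, while the portable phpass format that WordPress stored at the time (`$P$` prefix, assumed here) mixes in a per-user salt and repeats MD5 2^cost times, so a precomputed MD5 table does not apply to it. The password and salts are constructed sample values.

```python
import hashlib
import hmac

# phpass's own base64 alphabet (order differs from RFC 4648).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes) -> str:
    """Encode bytes 6 bits at a time, least-significant bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """setting = '$P$' + cost character + 8-character salt (a stored hash works too)."""
    cost = ITOA64.find(setting[3:4])
    if len(setting) < 12 or not setting.startswith("$P$") or not 7 <= cost <= 30:
        raise ValueError("not a portable phpass hash")
    salt, pw = setting[4:12].encode(), password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << cost):  # key stretching: 2**cost extra MD5 rounds per guess
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def phpass_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def demo():
    pw = "correct horse"  # constructed sample password
    # Unsalted MD5: two accounts with this password store the identical value.
    plain = [hashlib.md5(pw.encode()).hexdigest() for _ in range(2)]
    # phpass: constructed per-user salts, cost 'B' = 2**13 rounds.
    salted = [phpass_hash(pw, "$P$B" + salt) for salt in ("saltAAAA", "saltBBBB")]
    return plain, salted
```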
