6

Apparently the new (v2) OpenCart's password encryption scheme is not a simple md5 hash. I attempted to search the net for a way to reset the admin password after I changed hosts for my OpenCart installtion but could not find anything.

Thank you.

Slavic
  • 1,852
  • 2
  • 16
  • 25

6 Answers6

14

If you just need to regain access, and change your password then you can do so pretty easily. Open system/library/user.php (system/library/cart/user.php in later versions) and find the line beginning

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user WHERE username =

Before the WHERE put a # changing it to

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user #WHERE username =

and save. This allows you to log in using the first account (usually the default admin account) without any user and password. As soon as you do, reverse this and save again. You'll still be logged in and can edit the user data editing the password as you wish

Jay Gilford
  • 15,052
  • 6
  • 34
  • 55
  • This saved me hours... BUT in the version of the file i had the line you have highlighted to search for appears twice, which caused some confusion. – Ben Mar 01 '16 at 10:07
4

RESET OPENCART ADMIN PASSWORD BY EDITING MySQL DATABASE Via phpMyAdmin or MySQL command prompt

The only way to reset the administrative password is modifying the password column in oc_user via phpMyAdmin, something like hunting the silk road or either by changing the password column via MySQL command prompt. You cannot generate new Salt & Hashing with MySQL command prompt as explained at the end. Follow these below steps:

Navigate to oc_user table and look for columns with name password & salt and change the values for the desired user_id

password: d1c194daffb03fc2653027c87f76a12a4eaeac5f

salt: x3x6r693j

This combination of string or hash changes/alters the administrative password to “password” (without the quotes) for the desired user. This method might create a minor security risk as the salt will be a publicly known data, which is published here.

Click “Go”. It will change your password to password. Now, log into the OpenCart Admin (www.yourwebsitename.com/admin) Dashboard with your existing username and the new password.

Username: < Existing Username >

Password: password

By knowing your user_id, all the above steps are done from one command:

update `oc_user` set `password` = sha1( concat(`salt`, sha1( concat(`salt`, sha1('password'))))) where user_id = 1


Explaination:

The password was encrypted with the randomised salt

sha1($salt . sha1($salt . sha1($password)))

The above method is used to encrypt the password from the file admin/model/user/user.php 

SELECT SHA1( CONCAT( salt, SHA1( CONCAT( salt, SHA1(  'password' ) ) ) ) ) 
FROM oc_user
WHERE user_id =1
LIMIT 0 , 30

Results: d1c194daffb03fc2653027c87f76a12a4eaeac5f

For Salt:

$salt = substr(md5(uniqid(rand(), true)), 0, 9)

uniqid(), password_hash and password_verify are purely PHP functions. They have nothing to do with MySQL

password_hash does not use the MD5 algorithm for hashing you password. md5 and password_hash() produce two different lengths

Navigate to Tool: OpenCart 2.0+ User Password Reset Generator you can specify your New Password and Salt

Nɪsʜᴀɴᴛʜ ॐ
  • 2,126
  • 3
  • 22
  • 43
3

For login admin password 0ZReKeFZM75Y set in database > oc_user

password 0c7a864c5a737f08f001f3123849ba5e03af3d06

and salt HYSQS59P9

to admin user row.

NSukonny
  • 949
  • 9
  • 16
1

Password is stored by OpenCart (from admin/model/user/user.php) as

sha1($salt . sha1($salt . sha1($data['password'])))

Assuming you have DB access you can retrieve the salt as

SELECT salt FROM your_db.oc_user WHERE username='your_username';

Then generate the new hash, e.g. in bash ($SALT being the result of the previous command) :

echo -n $SALT$(echo -n $SALT$(echo -n "newpassword" | sha1sum|cut -d' ' -f1 )|sha1sum|cut -d' ' -f1)|sha1sum

Finally, update the DB with this new hash :

UPDATAE your_db.oc_user SET password='newhash' WHERE username='your_username';

Then log in with the new password.

Skippy le Grand Gourou
  • 4,607
  • 2
  • 38
  • 60
0

You can generate a new password using the script below:

<?php    
  $salt = 'pMiPpQ7N4';   //salt, update user.salt with this
  $password = 'test123'; //actual password

  //update user.password with this
  echo sha1($salt . sha1($salt . sha1($password))); 
?>
SherylHohman
  • 12,507
  • 16
  • 70
  • 78
web.dev.etc
  • 111
  • 1
  • 4
0

Assuming you have access to the php files, open file system/library/cart/user.php in a text editor and change line 40, the 1st line of method login(), from:

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user WHERE username = '" . $this->db->escape($username) . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1'");

to:

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user WHERE username = '" . $this->db->escape($username) . "' AND status = '1'");

This removes the password check,so you will always be logged in regardless the password you entered. After you are logged in, immediately change this line back as it will allow anybody to login under any user account, then change your password under "Users - Users - Edit".

fietserwin
  • 209
  • 2
  • 10