WordPress password forgotten? Part 2 (using FTP)

In Part 1 of this post we explained that WordPress is the world's most popular blogging software and that this site runs WordPress as well. We also explained how you might run into a WordPress site that you previously installed but whose password you have forgotten. The script we presented was able to find your username, reset your password, and reset your user level so that you had the “Administrator” role again. The previous post and the corresponding script required SSH access. This post shows how to do these things if all you have is FTP access.

Reset WordPress password over FTP

Running the script is easy. Change the reset password in the first line of the script. Upload the file to the directory where the wp-config.php is located and type in the URL of the file in the address bar of your browser.

[Screenshot]
Normally this is just your website's domain with “/wp-reset-ftp.php” added as a path.

Running the script in the browser gives the following output:

[Screenshot]
Enter the reset password and press “Login”.

NB: The reset password is set in the first line of the script and MUST be changed for security reasons!

[Screenshot]
Select the WordPress user and set the WordPress password you want to assign to the user. Now press “Submit”.

[Screenshot]
This is the SQL that will be executed. Press “Execute SQL” to confirm.

[Screenshot]
Great! The WordPress password reset script succeeded.

wp-reset-ftp.php

This is the source code of the above script:

<?php
$password = "Wj12lzSwE9cZ34QXkBM"; // IMPORTANT: Change this !!!
$title = "WordPress Password reset script";
echo "<html><body><h4>$title</h4><pre>";
function error($s) { die("<p style=\"color:red\">$s</p>"); }
// Step 1: ask for the reset password (the form has no method, so it is sent with GET)
if (!isset($_GET["password"])) {
  echo "<form>Password: <input name=\"password\">\n\n";
  echo "<input type=\"submit\" value=\"Login\"/></form>";
  die();
}
// Guard against running with the default reset password (compared by CRC32 checksum)
if (dechex(crc32($password))=="39246f99") error("change password");
// Compare as strings in constant time; non-string input such as password[]=x is rejected
if (!is_string($_GET["password"]) || !hash_equals($password, $_GET["password"])) error("access denied");
// Step 2: look for wp-config.php in this directory, then in each parent directory
$path = "./wp-config.php";
while (!file_exists($path)) {
  // realpath() returns false for a missing file, so test the directory instead
  $dir = realpath(dirname($path));
  if ($dir === false || $dir == dirname($dir)) break; // reached the filesystem root
  $path = "./.$path";
}
if (!file_exists($path)) error("wp-config.php not found");
// Run only the define() lines of wp-config.php to get the DB_* constants
$lines = file($path);
foreach ($lines as $line) {
  if (preg_match('/^\s*define\(/i',$line)) eval($line);
}
$mysqli = new mysqli(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME);
// Check the connection before using it
if ($mysqli->connect_errno) die($mysqli->connect_error);
$mysqli->set_charset(DB_CHARSET);
if (!isset($_POST["user"]) && !isset($_POST["sql"])) {
  // Step 3: list the WordPress users and ask for the new password
  $result = $mysqli->query("SELECT `user_login` FROM `wp_users`");
  if ($result===false) die($mysqli->error);
  $users = array();
  while($row=$result->fetch_array()) $users[]=$row[0];
  $result->close();
  echo "<form method=\"post\">";
  echo "User: <select name=\"user\">";
  foreach ($users as $user) {
    $u = htmlspecialchars($user, ENT_QUOTES); // escape user names for HTML output
    echo "<option value=\"$u\">$u</option>";
  }
  echo "</select>\n";
  // Suggested password derived from the current time; it can be overwritten in the form
  $default = substr(rtrim(base64_encode(sha1(microtime())),"="),0,10);
  echo "Password: <input type=\"text\" name=\"pass\" value=\"$default\"/>\n";
  echo "Reset administrator role: <select name=\"reset\">";
  echo "<option value=\"0\">no</option><option value=\"1\">yes</option>";
  echo "</select>\n\n<input type=\"submit\" value=\"Submit\"/></form>";
} elseif (!isset($_POST["sql"])) {
  // Step 4: build the SQL and show it for confirmation
  $p = (object)$_POST;
  // Escape the submitted values so that quotes in them cannot break the statements
  $user = $mysqli->real_escape_string($p->user);
  $pass = $mysqli->real_escape_string($p->pass);
  $sql = <<<END_OF_SQL
SET @user = '$user';
SET @pass = '$pass';
SELECT ID into @user FROM `wp_users` WHERE `user_login`=@user;
UPDATE `wp_users` SET `user_pass`=MD5(@pass) WHERE `ID` = @user;
END_OF_SQL;
  if ($p->reset) $sql.= <<<END_OF_SQL

UPDATE `wp_usermeta` SET `meta_value`='a:1:{s:13:"administrator";s:1:"1";}' WHERE `user_id`=@user AND `meta_key`='wp_capabilities';
UPDATE `wp_usermeta` SET `meta_value`=10 WHERE `user_id`=@user AND `meta_key`='wp_user_level';
END_OF_SQL;
  echo "<form method=\"post\">";
  // Escape the SQL for display inside the textarea
  echo "<textarea cols=\"80\" rows=\"10\" name=\"sql\">".htmlspecialchars($sql)."</textarea>\n\n";
  echo "<input type=\"submit\" value=\"Execute SQL\"/></form>";
} else {
  // Step 5: run the confirmed SQL one line at a time and commit only if every line succeeds
  $mysqli->autocommit(false);
  $lines = explode("\n",trim($_POST['sql']));
  foreach ($lines as $query) {
    if ($mysqli->query($query)===false) error($mysqli->error);
  }
  if ($mysqli->commit()) echo "Executed SQL successfully\n";
  else error($mysqli->error);
  $mysqli->close();
}
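
The login form in the script has no method attribute, so the reset password is submitted with GET and stays in the URL for every later step, where the web server writes it to its access log. The following is an added example, not part of the original post: it scans access-log lines in the common "combined" format for requests to wp-reset-ftp.php and reports who called the script and whether the reset password was logged. The log lines, addresses and password values in it are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SCRIPT = "wp-reset-ftp.php"  # file name used in the post

# Constructed sample lines in "combined" log format (documentation address ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:21:57:40 +0100] "GET /wp-reset-ftp.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:21:57:59 +0100] "GET /wp-reset-ftp.php?password=EXAMPLE-ONLY HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:21:58:41 +0100] "POST /wp-reset-ftp.php?password=EXAMPLE-ONLY HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:21:58:50 +0100] "POST /wp-reset-ftp.php?password=EXAMPLE-ONLY HTTP/1.1" 200 402 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jan/2024:03:12:05 +0100] "GET /wp-reset-ftp.php?password=x HTTP/1.1" 200 355 "-" "curl/8.0"
198.51.100.23 - - [08/Jan/2024:03:12:06 +0100] "GET /index.php HTTP/1.1" 200 9100 "-" "curl/8.0"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def audit(log_text, script=SCRIPT):
    """Summarise requests to the reset script found in access-log text."""
    report = {"requests": 0, "posts": 0, "password_logged": False, "clients": {}}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue  # some other page
        report["requests"] += 1
        report["clients"].setdefault(ip, []).append((when, int(status)))
        # The reset password travels in the query string, so it is in the log.
        if "password" in parse_qs(url.query):
            report["password_logged"] = True
        # POSTs are the "Submit" and "Execute SQL" steps; their bodies are not logged.
        if method == "POST":
            report["posts"] += 1
    return report

if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    print(f"{r['requests']} requests, {r['posts']} POSTs, "
          f"password in log: {r['password_logged']}")
    for ip, hits in r["clients"].items():
        print(f"  {ip}: {len(hits)} hit(s), first {hits[0][0]}, last {hits[-1][0]}")
```

A 200 response to the script after the reset is finished means the file is still on the server, so remove it once the password has been changed. A reset password that shows up in the log should be treated as disclosed.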