How to decrypt Magento Enterprise Edition password?

没有蜡笔的小新 2021-01-02 16:02

I just noticed that the Magento Enterprise and Community editions use different algorithms for storing passwords. I know Community Edition uses MD5. Can anyone tell me which mech

5 answers
  •  一个人的身影
    2021-01-02 16:30

    Hashes are one-way encryption. You're not supposed to be able to decrypt the password.

    Basic operations for passwords:

    1. The customer signs up for an account and enters a password. The system adds a salt, encrypts the password and stores the resulting password hash in the database.

    2. The customer logs in, enters the password. The system adds a salt, encrypts the password and compares the generated password hash with the stored password hash. When the hashes are equal, the login system knows the customer knows the password without actually knowing the password itself.

    So, if one system uses SHA1 and another uses old, expired MD5, the only way you can get the password back into the system is to have the customer reenter the password so the new hash algorithm gets invoked and the new hash gets stored.

    You have the Enterprise source code; write a module that uses the Enterprise hashing function to store and compare the passwords, and you'll have CE with an updated, security-enhanced method to store passwords and should be able to bring the password hashes over from the old site.

    Some additional information:

    The encryption method used is found in the Mage_Core_Model_Encryption class.

    Three functions of interest are:

    1. public function hash($data)
    2. public function getHash($password, $salt = false)
    3. public function validateHash($password, $hash)

    Function Code From 1.7.x.x

    public function hash($data)
    {
        return md5($data);
    }
    

    public function getHash($password, $salt = false)
    {
        if (is_integer($salt)) {
            $salt = $this->_helper->getRandomString($salt);
        }
        return $salt === false ? $this->hash($password) : $this->hash($salt . $password) . ':' . $salt;
    }
    

    public function validateHash($password, $hash)
    {
        $hashArr = explode(':', $hash);
        switch (count($hashArr)) {
            case 1:
                return $this->hash($password) === $hash;
            case 2:
                return $this->hash($hashArr[1] . $password) === $hashArr[0];
        }
        Mage::throwException('Invalid hash.');
    }
    

    It appears that both CE and Enterprise use the same routines; you will have to check that out, as you have the Enterprise code.

    Changing the encryption key in your app/etc/local.xml file to match the key in your Enterprise version and then importing the Enterprise data into the CE database will allow access to encrypted data. Passwords, though, are stored as hashes (see the function blocks above) and are non-reversible because of that. The pertinent section in local.xml where the encryption key is stored:

    
    <crypt>
        <key><![CDATA[-encryption-key-here-]]></key>
    </crypt>
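
The answer's point that a stored hash can only be replaced when the customer enters the password again, as an added example (not part of the original answer and not Magento's own code): it verifies the legacy `md5(salt . password):salt` format shown above and, on a successful login, re-hashes with PHP's `password_hash()`. The function names and the sample salt and password are assumptions made for the illustration.

```php
<?php
// Added illustration, not Magento code. Function names and sample values are assumptions.

/** Check a password against the legacy formats: md5(password) or md5(salt . password):salt. */
function verifyLegacyMagentoHash(string $password, string $stored): bool
{
    $parts = explode(':', $stored);
    switch (count($parts)) {
        case 1: // unsalted
            return hash_equals($parts[0], md5($password));
        case 2: // salted, salt stored after the colon
            return hash_equals($parts[0], md5($parts[1] . $password));
    }
    return false; // unrecognised format: reject instead of throwing
}

/**
 * Returns [bool $ok, ?string $replacement]. $replacement is the hash to write
 * back to the customer record, or null when the stored value can stay.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    // A truthy 'algo' means the value was produced by password_hash().
    if (password_get_info($stored)['algo']) {
        $ok = password_verify($password, $stored);
        $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
        return [$ok, $stale ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    if (!verifyLegacyMagentoHash($password, $stored)) {
        return [false, null];
    }
    // Only now, with the plaintext in hand, can the MD5 hash be replaced.
    return [true, password_hash($password, PASSWORD_DEFAULT)];
}

// Constructed sample data: a salted legacy hash for a made-up password.
$salt   = 'Xk';
$legacy = md5($salt . 'correct horse') . ':' . $salt;

[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacy);
var_dump($ok, is_string($upgraded));              // legacy login, hash upgraded

[$ok, $again] = verifyAndUpgrade('correct horse', $upgraded);
var_dump($ok, $again);                            // modern hash, nothing to rewrite

var_dump(verifyAndUpgrade('wrong guess', $legacy)); // failed login, no upgrade
```

Hashes imported from the old site keep working until each customer's next login, at which point the returned replacement is written back to the customer record.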
    
    
