help with downloaded script possible database problem

nigel12 · 10-09-2012, 08:25 PM

Hi,
I was torn between which forum to post this question in but here goes.
I have recently downloaded a php script from cobrascripts. It is called autohits
I have tried contacting cobrascripts but as it is a free script they are not interested in helping. So I am hoping someone here will help me. I have done as they said,
Installed script
Installed database table
and it works to some degree ie I have created a fake account and managed to login as a regular user.
The problem is I can not access the admin area with the username and password they have given me.
Is there away around this ?
When I login to phpMyAdmin there is no user listed there called admin, so I created a user called "admin" and gave it the password "test" but it still did not work. I'm not sure if that is because I have created the user inaccurately or not. As my phpMyAdmin skills are not as good as I would like.
Can anyone help me get this up and running ie point my nose in the right direction.
I think If I could create an admin account directly in my user table database it might work.

I worked on the assumption that if one can create a user account then I have installed the table correctly. So now you have it why cant I login to admin panel

tangoforce · 10-09-2012, 09:56 PM

It could be anything.

I could have a look for you via teamviewer / vnc but it would cost as its unchartered territory.

When you created a new password in your phpmyadmin did you use a hash or a plain text password?

nigel12 · 10-10-2012, 03:54 AM

I used a plain text password,

tangoforce · 10-10-2012, 11:36 AM

Most scripts don't use plain text passwords - they use a hash. This is so that no admin, hacker or anyone else can ever find the users real password aud use it to abuse a users account elsewhere.

When the password is sent to the script it will hash it (in other words convert it to a digital equivalent of a finger print). It will then compare this to the hash stored in the database. If they are the same then its a successful login. If not.. its a failed login.

Now, if you've been putting in a plain text password into your database it will never match what the script is comparing it to.

nigel12 · 10-11-2012, 06:03 PM

Thanks for getting back to me,
OK it would seem when I was looking for the admin user account that was supposed to be setup with the script. I was looking in the table under user, when it was actually listed in the table under "pass"

So the admin account is listed and there is a hash password there. Is it possible to convert the hash password in to a plain text one so I can see what it is? (because it is obviously not what I was told)
Or do I need to somehow remove the hash password that is there and replace it.
Regards Nige.

tangoforce · 10-11-2012, 06:14 PM

No you cannot decrypt a hashed password. Re-read what I said above about them. The whole point is that others can't get your original password if they gain access to the database.

You really need to consult the docs that came with your script. So far with the questions you've asked you're starting to look like a wannabe attacker so I would recommend that it you're genuine, you go back to the site you downloaded it from and check out the docs thoroughly.