SpiraTeam database hack for user access

My test colleague uses SpiraTeam and needed some help restoring a backup. After restoring we granted access to the database from IIS (network service). But now he tells me nobody knows the Administrator password. What to do?

Solution

The SQL Server database of SpiraTeam contains the users with their (hashed) passwords. The steps below show how I gained access without knowing the origional password or the answer to the password reset question.

  • Make sure you have access to the database with something like SQL Server 2008 Management Studio Express
  • Register for an account with the link on the login screen, you will know this password spirateam.needaccount
  • Update the administrator user in the database with the password and hash from the new account. This will
    UPDATE [dbo].[tst_user]
    -- exact copy-paste from new user!
    SET [PASSWORD]         = 'SSu3dCIy8pYaCmqi9dXU+0sm9Kg='
      , [PASSWORD_SALT]    = 'jQLO/JRcWFwP0S0tvoLAEQ=='
      , [IS_LEGACY_FORMAT] = 0
    WHERE [user_id] = 1
    
  • Log in with Administrator and the password you entered when registering for the new account
  • You can now start creating new accounts and granting access, since you’re :mrgreen: now
  • [optional] Ask SpiraTeam for this process in a new feature

Background

SpiraTeam uses ASPNET SQL Membership providers with a (salted)hashed password. This encryption is one-way and there is no way (except for brute force) to recover a password. But when you have access to the database you can use the system against itself.

By registering for an account the system inserts a new record in the user table with an encrypted password. Now we have an encrypted password we do know the unencrypted value for. Update an existing user with the encrypted password and password_salt with the values for the known password and you have access to the system with that user.

About erictummers

My work as a recruited developer changes almost every month. I like challenges and sharing the solutions with others. On my blog I’ll mostly post about my work, but expect an occasional home project, productivity tip and tooling review.
This entry was posted in Security and tagged , , , , . Bookmark the permalink.

One Response to SpiraTeam database hack for user access

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s