Decrypt any MD5 hashed value stored in Magento's DB

Submitted by deeperdata - 1 year ago

While doing a site migration yesterday, I came across an issue I had never seen before but was able to reproduce consistently. I was working on migrating a Magento CE instance. I would start the migration by doing a MySQL dump of the database to move to another hosting environment. After checking everything over to ensure there weren't any issues, I would then test credit card transactions to verify customers could checkout. Checkout would fail upon submitting order and I would get a credit card gateway failure error. I would have tried to test PayPal but noticed that the option was missing from the site. I then headed over to the System > Configuration > Payment Methods area and noticed any hashed credentials that were originally in the admin area were missing. As I was pressed for time and not certain how or why Magento was doing this, I decided to approach decrypting the credentials from the working production environment. Below is an example of how to decrypt MD5 hashed values for PayPal credentials. These values are stored in the core_config_data table, same as other payment methods. Thought I haven't tested it, you should be able to use this same method to restore admin or user passwords as well.


// Step 1. Place this script in the web root of the Magento site you wish to decrypt values for.
// Be sure you're using the same Magento instance containing your original encryption key that
// was determined at time of install or this won't work.

$hlp = Mage::helper('core');

// Step 2. Copy of the values you want to decrypt directly from Magento's DB. Mine were copied from core_config_data.
echo "paypal/wpp/api_username: " . ($hlp->decrypt("SomeCrazyHashedValuead+YVAth/B0VGDb4VeoqmsLFt8=") . "\n");
echo "paypal/wpp/api_password: " . ($hlp->decrypt("SomeCrazyHashedValuewxX362qmySqQ==") . "\n");
echo "paypal/wpp/api_signature: " . ($hlp->decrypt("SomeCrazyHashedValuey73j56CPiY3i+wMaWrwMH+0=") . "\n");

// Step 3. Drop into a shell and execute "php myscript.php" or making it publicly accessible and access it from a web browser. 
Learn PHP
comments powered by Disqus
Proudly hosted on Digital Ocean