Surendra Sharma


Saturday, October 8, 2016

Sitecore database lesson 4 – Hack Sitecore from Database




If you don’t know the Sitecore credentials but have access to the Sitecore database, there is a hacker’s way to log in to any Sitecore user account. For this you must have access to the CORE database of the Sitecore environment.

Sitecore stores all user profile data in the “aspnet_Users” table and all users’ passwords in the “aspnet_Membership” table.
You can use the query below in the CORE database to get all these details:

SELECT au.UserId, au.UserName, am.Password, am.PasswordSalt FROM [dbo].[aspnet_Users] au INNER JOIN [dbo].[aspnet_Membership] am ON au.UserId = am.UserId

When I ran this query in my test environment, I received the result below.

[Figure: Get Sitecore Passwords]

If you know the password of any one user (at least your own), you can set the same password on any other user and log in to their account. Once you finish your work, you can set their original password back as it was.

You can run the query below to set any account’s password to a known password. Here I know the admin password and am setting the password of user “sitecore\editor1” to the admin password.

Update [dbo].[aspnet_Membership] SET Password='qOvF8m8F2IcWMvfOBjJYHmfLABc=', PasswordSalt='OM5gu45RQuJ76itRvkSPFw==' WHERE UserId = 'D44D17F4-C4BD-4A41-841A-CDA3587957B5'

After updating the data, I get the result below.

[Figure: Updated Password]

Bingoooooo, now I am able to log in to “sitecore\editor1” with the admin password.

NOTE: You need to update both the Password and PasswordSalt fields. Changing only the Password field will not work.
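From the defender's side, the copy described above leaves a trace: two accounts end up holding the same stored Password value. The following is an added example, not code from the original post. It assumes the membership provider uses the hashed password format with SHA1, uses an in-memory SQLite stand-in for the two CORE tables, and fills it with constructed users and passwords. It also shows why a row with only the Password column changed no longer verifies.

```python
import base64
import hashlib
import os
import sqlite3
from collections import defaultdict

JOIN = "FROM aspnet_Users au JOIN aspnet_Membership am ON au.UserId = am.UserId"

def encode_password(password, salt_b64):
    # Assumption: hashed password format with SHA1, i.e.
    # Base64(SHA1(salt_bytes + UTF-16LE(password))).
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode()

def verify(conn, user_name, password):
    # Login check: re-hash the candidate with the salt stored in that user's row.
    row = conn.execute(f"SELECT am.Password, am.PasswordSalt {JOIN} "
                       "WHERE au.UserName = ?", (user_name,)).fetchone()
    return row is not None and encode_password(password, row[1]) == row[0]

def build_sample_db():
    # Constructed data in an in-memory SQLite stand-in for the two CORE tables.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aspnet_Users (UserId INTEGER, UserName TEXT)")
    conn.execute("CREATE TABLE aspnet_Membership "
                 "(UserId INTEGER, Password TEXT, PasswordSalt TEXT)")
    for uid, name in enumerate(["admin", "editor1", "editor2", "author1"]):
        salt = base64.b64encode(os.urandom(16)).decode()
        conn.execute("INSERT INTO aspnet_Users VALUES (?, ?)", (uid, "sitecore\\" + name))
        conn.execute("INSERT INTO aspnet_Membership VALUES (?, ?, ?)",
                     (uid, encode_password("constructed-pw-" + name, salt), salt))
    pw_hash, salt = conn.execute(
        "SELECT Password, PasswordSalt FROM aspnet_Membership WHERE UserId = 0").fetchone()
    # editor1: both columns overwritten with admin's values (the article's UPDATE).
    conn.execute("UPDATE aspnet_Membership SET Password = ?, PasswordSalt = ? "
                 "WHERE UserId = 1", (pw_hash, salt))
    # editor2: only Password overwritten (the case the NOTE says will not work).
    conn.execute("UPDATE aspnet_Membership SET Password = ? WHERE UserId = 2", (pw_hash,))
    return conn

def find_shared_hashes(conn):
    # Salts are random per user, so two rows holding the same Password value
    # indicate a direct table edit rather than a normal password change.
    groups = defaultdict(list)
    for name, pw_hash in conn.execute(f"SELECT au.UserName, am.Password {JOIN}"):
        groups[pw_hash].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)
```

Calling `find_shared_hashes(build_sample_db())` reports admin, editor1 and editor2 as one group, while author1, whose row was never touched, is not listed.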

I hope you like this Sitecore database lesson. Stay tuned for more Sitecore database related articles.

Please leave your comments or share this article if it’s useful for you.

Sitecore database lesson 3 - Changing data from database



You can change field data directly in the database. For example, let’s change the data of the rich text editor field of the Home item.

I am executing the query below to update the description field:

Update VersionedFields set Value = 'www.sitecorelessons.com from Surendra Sharma' + Value where Id = '61C78797-DD31-41AB-976B-A6800F2E9403'

As you can see in the query below, the data has changed in the database.

[Figure: Update Field Data]

But you can’t see this data in Sitecore yet. Why?

Sitecore fetches data from the database and stores it in different caches such as prefetch, iteminfo, etc. So we need to clear these caches so that Sitecore fetches the data from the database again.

Clear all caches from the link http://sitecorelessons/sitecore/admin/cache.aspx, where sitecorelessons is the name of my instance.

Now if I try to access the Home item in Sitecore, I get the updated details:

[Figure: Updated data in Sitecore Field]

Note: Sitecore does not recommend changing data directly in the database.



I hope you like this Sitecore database lesson. Stay tuned for more Sitecore database related articles.

Please leave your comments or share this article if it’s useful for you.