Restoring admin access in Kirjuri

u r hackerman!

I recently got asked how to restore admin access on Kirjuri after the original administrator has left and the password for the admin account isn’t known.

As Kirjuri does not have any internet-connected features, it can’t implement a standard “we’ll email you a password reset link feature. Most Kirjuri users run their own server on Linux. This makes restoring admin access easy by using the command line. Here are the instructions on how to achieve this assuming you have access to the server running Kirjuri:

Step 1: Connect and log in to the Kirjuri server using ssh from a capable terminal emulator. Windows users can use PuTTy for this. A Kirjuri server runs a few internal servers; the web server that serves you web pages, and a database server that handles storing and reading data. We are going to connect directly to the database server and change user accesss levels to regain administrator access to Kirjuri.

Step 2: Find out your Mysql server database name, username and password. These are configured when Kirjuri is installed, and stored in a php file mysql_credentials.php in the conf/ folder. If you don’t know which folder your web server is serving content from, you can find the file with this command: find . / 2>&1 | grep mysql_credentials.php | xargs cat. Make note of your username, password and database name. These are not the same details that you use to log into Kirjuri. These are the Mysql server credentials.

Step 3: Log in to Mysql using the credentials that Kirjuri uses with this command: mysql -u yourusername -p. Replace yourusername with the username you recovered in the previous step. Mysql will prompt you for the password. Supply the password that you found on the previous step.

Step 4: After you’ve succesfully logged into Mysql, you will be presented with the command line for ordering Mysql around. Switch to your kirjuri database by typing use yourdatabasename; The yourdatabasename part is found in step 2. Remember the trailing semicolon when issuing commands to the database.

Step 5: Check your user details by typing SELECT * FROM users;

Step 6: Make a note of the id column of the user your want to elevate to administrator status. Every user has an unique id number. I’m using 3 as an example on the next step.

Step 7: Type UPDATE users SET access="0" WHERE id="3”;. Access level 0 means administrator access. If Mysql doesn’t give any errors, then you’re all set. Check that the user access level is correct by running SELECT * FROM users; again.

Step 8: Congratulations! User 3 is now a Kirjuri administrator. Quit Mysql and exit the command line.

Step 9: Log in with the newly promoted account and go to user management. Change the original administrator password. You can then log in as the administrator and change the user access level back to normal using the web interface.

Step 10: Celebrate with beer and chips. This is you now:

Hackerman!
Source: https://knowyourmeme.com/memes/hackerman

You might be interested in …

[SANS ISC] Phishing asking recipients not to report abuse, (Tue, Jun 22nd)

All posts, Sans-ISC

It can be a little disheartening to deal with well-prepared phishing attacks every day, since one can easily see how even users who are fully “security-aware” could fall for some them. The messages don’t even have to be too complex to be believable. For example, a message containing seemingly innocuous text and a link that […]

Read More

[BleepingComputer] Windows 10 KB5003637 update breaks remote event logs if missing

Microsoft says that apps may encounter issues accessing event logs on remote Windows 10 devices unless KB5003637 or later updates are installed on both systems. […] Source: Read More (BleepingComputer)

Read More

[ThreatPost] Wegmans Exposes Customer Data in Misconfigured Databases

All posts, ThreatPost

Cleanup in aisle “Oops”: The supermarket chain said that it misconfigured two cloud databases, exposing customer data to public scrutiny. Source: Read More (Threatpost)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.