Anthony Chambers

Engineer 81

Recovering Plesk Email, FTP and database passwords

By default Parallels Plesk stores passwords in plain text, so they're scarily simple to retrieve

Written by Anthony Chambers , and read 5,907 times

Parallel's Plesk is a common server management suite available for Linux and Windows servers. Logging in from a web-based control panel you can manage various aspects, such as domains, email addresses, clients and more. Plesk will interact with Apache, PHP, MySQL, Q-Mail etc in a one-way fashion, so changes that you make in Plesk are replicated in the software that it manages, but if you make changes directly in these applications the changes are not reflected in Plesk. As a result, if you use Plesk you should do everything through Plesk unless you know what you're doing.

Plesk has a central database named PSA. This database contains all domains, email addresses, usernames and passwords, amongst other things, like various quotas/limits and various configuration options. The scariest part for me though, is the accounts table. Here is the CREATE code for the Plesk PSA accounts table:

CREATE TABLE `accounts` (
    `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
    `type` VARCHAR(32) NOT NULL DEFAULT 'plain' COLLATE 'ascii_general_ci',
    `password` TEXT NULL COLLATE 'ascii_bin',
    PRIMARY KEY (`id`)
)
COLLATE='latin1_swedish_ci'
ENGINE=InnoDB;

As you can see, this table is used to store passwords. By default these are plain-text. So, with some simple queries we can extract usernames and passwords from throughout the Plesk system that will allow you to get in to FTP, client and email accounts, to name a few. We've had genuine reasons to need to do this, and I'm hoping that you do too and that's why you're here. As a result, here is how to do it:

Retrieve FTP/SSH Login Details From Plesk

To retrieve the FTP login details from the Plesk PSA database, this is the query you will need to run, replacing domain.com with the domain that you wish to view:

USE psa;
SELECT d.name
     , su.login
     , a.password
  FROM domains d
     , hosting h
     , sys_users su
     , accounts a
 WHERE d.name = 'domain.com'
   AND h.dom_id = d.id
   AND su.id = h.sys_user_id
   AND a.id = su.account_id;

Run that query and you will be presented with the domain (which you already know, to be fair), the FTP login username and the FTP password. If shell access is enabled for this user than you can also use the same details to SSH to the server in most cases.

Retrieve Email Login Details From Plesk

To retrieve the email login details from the Plesk PSA database, this is the query you will need to run, replacing domain.com with the domain that you wish to view:

USE psa;
SELECT concat_ws("@", m.mail_name, d.name) email_address
     , a.password
  FROM domains d
     , mail m
     , accounts a
 WHERE d.name = 'domain.com'
   AND m.dom_id = d.id
   AND a.id = m.account_id;

Depending on your email setup, the email username will either be the part before the @domain.com of the email address, or the full email address. The password is as displayed

Retrieve Client Login Details From Plesk

To retrieve the client login details from the Plesk PSA database, this is the query you will need to run, replacing user with the username whose details you wish to view:

USE psa;
SELECT c.type
     , c.pname
     , c.login
     , a.password
  FROM clients c
     , accounts a
 WHERE c.login = 'user'
   AND c.account_id = a.id;

Run that and you can now log in to the Plesk control panel with any of those client accounts.

Retrieve MySQL/SQL Server Login Details From Plesk

To retrieve the database login details from the Plesk PSA database, this is the query you will need to run, replacing dbname with the database name whose details you wish to view:

USE psa;
SELECT db.name
     , dbu.login
     , a.password
  FROM data_bases db
     , db_users dbu
     , accounts a
 WHERE db.name = 'dbname'
   AND dbu.id = db.default_user_id
   AND a.id = dbu.account_id;

Run that and you now have the database username and password.

Bootnote

In no way am I trying to encourage anyone to try to hack a Plesk database. There are many legitimate reasons for needing this information, especially if you have thousands of websites (like we do at Activ) and you need to know the FTP login details for a given site. However, when I first realised that this was possible, I swore that I would steer clear of Plesk in future. As handy as it can be to be able to retrieve passwords, I would usually recommend that you just reset the password to something new instead. I would also recommend that you don't use Plesk in this configuration.