Suppose someone sends you a Sitecore solution to review, and they forgot to send you a username and password. You could ask for one, or you could just make yourself an account with this handy trick that I call “The Shiv.” This is the entirety of the trick:
- Create a
Shiv.aspxfile somewhere under the webroot. It can be named anything.
Paste the following code in it
<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="Sitecore.Security.Authentication" %> <% AuthenticationManager.Login("sitecore\\admin", false, true); Response.Redirect("/sitecore/shell"); %>
Hit the page in a browser
- Boom, you’re an administrator
- IMPORTANT: Delete the file. For obvious reasons.
You can do a very similar thing using the “Login as administrator” option in SIM, however I often find myself in environments without SIM and this code works anywhere.
This code is also a good security reminder: if someone malicious can upload an arbitrary file somewhere in your webroot that is then executed, they can upload this shiv-file and your security is gone. It doesn’t matter if you have encrypted 64-character database passwords, they’re in. It doesn’t matter if you’ve locked down TLS and imposed SAML logins, they’re in. Game over. So secure your filesystem and be awfully wary of accepting users’ uploads anywhere on disk.