ipwnzphp Posted August 26, 2009

Retrieve the client's password in MD5 hash format. The hash uses the format "md5(salt.pw):salt" and so the salt can be obtained from the 5 characters after the colon (:) for you to be able to generate your own hash to compare.

I am using WHMCS 4.0

    $md5this = $sd[1] . "." . "123456";

Outputs: voc)N.123456

    $md5this = $sd[1] . "." . "123456";
    echo md5($md5this).":".$sd[1];

Outputs: ff9c65abaa070404a3274d4aaad6224a:voc)N

Now what's in the database is this:

    58a9eeb60f1f6500a93a1bf494dec24c:voc)N

But what I need to get is this:

    [upw] => 4d75fa2015aabf5620c050a85321bf27

I don't fully understand the salt and stuff, but does anyone see what's going on here?

ignace Posted August 26, 2009

    $password = 'somepassword';
    $salt = md5(time());//32 characters long
    $hash = md5($salt . $password) . $salt;//64 characters long

Salt: 58a9eeb60f1f6500a93a1bf494dec24c
Hash: 58a9eeb60f1f6500a93a1bf494dec24c58a9eeb60f1f6500a93a1bf494dec24c

ipwnzphp Posted August 26, 2009 Author

Thanks, OK, but now they are somehow getting 4d75fa2015aabf5620c050a85321bf27 from

    md5("voc)N"."58a9eeb60f1f6500a93a1bf494dec24c");

When I log in using the username test@test.com with the password 123456, I get the password hash of the 4d75fa2015aabf5620c050a85321bf27 stored in a session.

ignace Posted August 26, 2009

Post your code.

P.S. It seems PHP is pwning you more than you PHP

ipwnzphp Posted August 26, 2009 Author

> Post your code. P.S. It seems PHP is pwning you more than you PHP

    $sds = $results["password"];
    $sd = explode(":", $sds);
    $hash = $sd[1];
    $pass = "123456";
    echo md5($hash.$pass);

ignace Posted August 26, 2009

> > Post your code. P.S. It seems PHP is pwning you more than you PHP
>
>     $sds = $results["password"];
>     $sd = explode(":", $sds);
>     $hash = $sd[1];
>     $pass = "123456";
>     echo md5($hash.$pass);

In order to authenticate someone you need to take the same steps you took when he signed up, so if during signup you used:

    md5($salt . $password) . $salt

then that is the same code you need to use during authentication.

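An added example, not part of the thread and not WHMCS code: it applies the "same steps at login as at signup" rule to the `md5(salt.pw):salt` record format quoted in the first post, assuming the `.` in that format is PHP string concatenation rather than a literal dot. It goes slightly beyond the thread by failing closed on malformed records, comparing in constant time, and returning a `password_hash()` replacement after a successful legacy login; the function names and sample values are hypothetical.

```php
<?php
// Added example, not WHMCS code. Assumes the legacy record format quoted in
// the thread, "md5(salt.pw):salt", where "." is PHP string concatenation.

/** Split a stored "hash:salt" record; returns [hash, salt] or null if malformed. */
function parseLegacyRecord(string $stored): ?array
{
    // Limit 2: the salt is arbitrary printable text and may itself contain ':'.
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2 || !preg_match('/^[0-9a-f]{32}$/', $parts[0]) || $parts[1] === '') {
        return null;
    }
    return $parts;
}

/** Recompute md5(salt . password) and compare it to the stored hash. */
function verifyLegacyPassword(string $password, string $stored): bool
{
    $record = parseLegacyRecord($stored);
    if ($record === null) {
        return false; // fail closed on malformed records
    }
    [$hash, $salt] = $record;
    // hash_equals() is a constant-time comparison with no loose-typing surprises.
    return hash_equals($hash, md5($salt . $password));
}

/** On a successful legacy login, return a replacement hash to store instead. */
function upgradeHash(string $password, string $stored): ?string
{
    return verifyLegacyPassword($password, $stored)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
}

// Constructed sample data (not values from the thread).
$salt   = 'a:B3x';                                  // 5 chars, includes ':' on purpose
$stored = md5($salt . 'example-pw') . ':' . $salt;  // what signup would have written

var_dump(verifyLegacyPassword('example-pw', $stored));        // correct password
var_dump(verifyLegacyPassword('wrong-pw', $stored));          // wrong password
var_dump(verifyLegacyPassword('example-pw', 'not-a-record')); // malformed record
$new = upgradeHash('example-pw', $stored);
var_dump($new !== null && password_verify('example-pw', $new));
```
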
ipwnzphp Posted August 26, 2009 Author

is how it is stored in the database

    58a9eeb60f1f6500a93a1bf494dec24c:voc)N

So how are they getting 4d75fa2015aabf5620c050a85321bf27 for the user's password when logging in?

ignace Posted August 26, 2009

> is how it is stored in the database 58a9eeb60f1f6500a93a1bf494dec24c:voc)N So how are they getting 4d75fa2015aabf5620c050a85321bf27 for the user's password when logging in?

58a9eeb60f1f6500a93a1bf494dec24c:voc)N in the database is wrong and completely defeats the purpose of hashing.

ipwnzphp Posted August 26, 2009 Author

Well, I know this, but WHMCS are idiots.

ignace Posted August 26, 2009

> Well, I know this, but WHMCS are idiots.

What is WHMCS?

ipwnzphp Posted August 26, 2009 Author

billing system