Quale
Posted December 29, 2009

Hello,

I have a vBulletin forum. vBulletin encrypts using salt (random ASCII) and md5 hash. The user's salt combination can be found in the database table, named: salt

Now, I have a C++ application that requires the user to log in with their forum username and password. For now, this barely works. The user is only able to log in if they know what their encrypted password is (since my PHP script that talks to the DB doesn't encrypt the password).

Here is my PHP script that I use to talk to the database:

```php
<?PHP
include("sql.php");

// Request values are used as received.
$user = $_GET['user'];
$pass = $_GET['pass'];
$id   = $_GET['id'];

// Look the account up by username.
$check_info = @mysql_query("SELECT * FROM `user` WHERE `username` = '$user'");
$user_info = mysql_fetch_assoc($check_info);

// Second lookup by group id; its result replaces the row fetched above.
$check_info = @mysql_query("SELECT * FROM `user` WHERE `membergroupids` = '$id'");
$user_info = mysql_fetch_assoc($check_info);

// $pass is compared as sent, so it only matches when the caller supplies the stored hash.
if ($user == $user_info['username'] && $pass == $user_info['password'] && $id == $user_info['membergroupids']) {
    echo 'true';
} else {
    echo 'false';
}
?>
```

And the attached file is how vBulletin encrypts their password (too long to post).

- How do I encrypt the entered password the same way vBulletin does using the PHP script?

Any help is highly appreciated.

~Quale

[attachment deleted by admin]

premiso
Posted December 29, 2009

First up, the password is not encrypted, as if it was you could decrypt it. It is hashed.

Second, I am not sure what your question is, but I am sure if your C++ application talks to the MySQL database you can find a C++ version of MD5 and use that with the salt from the DB to figure out if the password entered into the C++ application is valid or not.

Another alternative is to create a simple PHP script that uses vBulletin's hashing system and send the password entered into C++ into that PHP script, run it and get back a hashed version of the password and use that for validation.

Hopefully that answers your question.

C++ MD5 Resource: http://stackoverflow.com/questions/1892242/calculate-md5-in-c

Quale (Author)
Posted December 29, 2009

> Another alternative is create a simple PHP script that uses vbulletin's hashing system and send the password entered into C++ into that php script, run it and get back a hashed version of the password and use that for validation.

This is exactly what I need! But I have NO idea how to make that work in the script that I have.

premiso
Posted December 29, 2009

Not sure, but you will either have to make a remote webpage call or, if the application is local to the server, make a call to PHP to run the script using PHP CLI.

If you want to do the remote webpage call (cause you want this to work on a system other than your server), you will probably have to take this question to either our "Other Languages" forum here or to a C++ forum. But before you do that, try Google first and see how to contact a remote site.

Quale (Author)
Posted December 29, 2009

> Not sure, but you will either have to make a remote webpage call or, if the application is local to the server make a call to php to run the script using PHP CLI.
>
> If you want to do the remote webpage call (cause you want this to work on a system other than your server), you will probably have to take this question to either our "Other Languages" forum here or to a C++ forum. But before you do that, try google first and see how to contact a remote site.

I have the application part ready (remote), totally finished. I can log in with the hashed password and username... hell, it even checks the forum rank, but the PHP file needs to hash it using md5 and vBulletin's 3-character salt, in PHP.

oni-kun
Posted December 29, 2009

Why does it need to be in PHP? As mentioned before, you can pull the SALT from the database and hash the password with C++.

Quale (Author)
Posted December 29, 2009

> Why does it need to be in PHP? As mentioned before, you can pull the SALT from the database and hash the password with C++.

You mean I can directly talk to the database using C++? Because the salt thingy is different for every user, so I need to get it from the DB.

oni-kun
Posted December 29, 2009

> > Why does it need to be in PHP? As mentioned before, you can pull the SALT from the database and hash the password with C++.
>
> You mean I can directly talk to the database using C++? Because the salt thingy is different for every user, so I need to get it from the DB.

Yeah, you can talk to your database. I'm not sure if externally, but it should be simple if you have shell/SSH access.

Quale (Author)
Posted December 29, 2009

Thanks a lot for your help oni-kun, but I'd really like to do it in PHP, especially since I've spent quite some time perfecting the PHP file to my needs so far.

premiso
Posted December 29, 2009

Well, you have something to think about. In order to make a request for a hashed password or for the salt, you want to encrypt that data and you also want a validation key sent with it, as anyone with a network monitor can see what is being sent across the network and to where, which could potentially be used to grab all the users' salts and use that to hack accounts.

The method of encryption will need to be able to be used on both sides and have to have the valid key passed etc. How to do that I am not sure, but I am sure you can find a common encryption method between C++ and PHP where they both can validate a public key being sent.

I have never attempted to do this, but you have to be cautious, as if you do not take the methods to secure it, it can be used to hack accounts on your site.

Quale (Author)
Posted December 29, 2009

I want to thank everyone for their help on the matter, but someone @ vBulletin forums helped me out... this is the final script:

```php
<?PHP
include("sql.php");

// Escape with the connection-aware function rather than addslashes().
$user = mysql_real_escape_string($_GET['user']);
$pass = $_GET['pass'];
// Kept as a string so the group check below can compare strictly.
$id = is_numeric($_GET['id']) ? (string) $_GET['id'] : '0';

$check_info = @mysql_query("SELECT * FROM `user` WHERE `username` = '$user'");
$user_info = $check_info ? mysql_fetch_assoc($check_info) : false;

$valid = false;
if ($user_info) { // unknown user or failed query: stay at 'false'
    // Stored hash format: md5(md5(password) . salt)
    $encpassword = md5(md5($pass) . $user_info['salt']);
    $usergroups = explode(',', $user_info['membergroupids']);
    $usergroups[] = $user_info['usergroupid']; //checking primary group as well now, isn't rly needed.
    // Strict comparisons: loose == compares "0e..." hashes as numbers, and a
    // loose in_array() matches 0 against an empty group entry.
    $valid = $encpassword === $user_info['password'] && in_array($id, $usergroups, true);
}

echo $valid ? 'true' : 'false';
?>
```

SOLVED!

premiso
Posted December 29, 2009

Just an FYI, if the C++ software does anything with user information I would look into a better way, as it would be really easy to set up a spoofed site using a local server that just echoes true / false, using the HOSTS file to point it to your own.

So if all you are doing is displaying stats, that is fine. But just know that anyone can be validated for any user with that script / logic if they know how.

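An added example, not code from the thread or from vBulletin: one way to address the spoofed-server concern in the last reply is to have the server sign its true/false verdict together with a fresh client nonce, so the client can check the reply against a pinned public key. The function names, the message layout and the in-process key pair are assumptions for illustration; the client half is shown in PHP although the real client is C++.

```php
<?php
// Added example; function names and message layout are hypothetical.

// Canonical bytes that get signed: version tag, user, client nonce, verdict.
function verdict_message($user, $nonce, $ok)
{
    return json_encode(array('v1', (string) $user, (string) $nonce, (bool) $ok));
}

// Server side: sign the verdict with the private key kept on the server.
function sign_verdict($privateKey, $user, $nonce, $ok)
{
    $signature = '';
    if (!openssl_sign(verdict_message($user, $nonce, $ok), $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return array('ok' => (bool) $ok, 'sig' => base64_encode($signature));
}

// Client side: accept the verdict only if the signature matches the pinned
// public key, this user, and the nonce this client just generated.
function verdict_is_authentic($publicKeyPem, $user, $nonce, array $reply)
{
    if (!isset($reply['ok'], $reply['sig']) || !is_string($reply['sig'])) {
        return false;
    }
    $signature = base64_decode($reply['sig'], true);
    if ($signature === false) {
        return false;
    }
    $message = verdict_message($user, $nonce, $reply['ok']);
    return openssl_verify($message, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo with a throwaway key pair generated in-process.
$key = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$details = openssl_pkey_get_details($key);
$publicKeyPem = $details['key'];

$nonce = bin2hex(random_bytes(16));
$reply = sign_verdict($key, 'alice', $nonce, false);   // genuine "wrong password" reply
$forged = array('ok' => true, 'sig' => $reply['sig']); // verdict flipped by a spoofed host
$laterNonce = bin2hex(random_bytes(16));               // nonce of a later request

var_dump(verdict_is_authentic($publicKeyPem, 'alice', $nonce, $reply));
var_dump(verdict_is_authentic($publicKeyPem, 'alice', $nonce, $forged));
var_dump(verdict_is_authentic($publicKeyPem, 'alice', $laterNonce, $reply));
```

Serving the script over HTTPS with certificate validation in the client addresses the same concern at the transport layer, and also keeps the password out of view of a network monitor.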