Online since 2002. Over 3300 puzzles, 2600 worldwide members, and 270,000 messages.

TwistyPuzzles.com Forum

All times are UTC - 5 hours



Post subject: Help! PHP, Perl, phpBB
Posted: Mon Nov 24, 2008 7:48 pm
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
So I've worked on this problem long enough that even my stubborn ego wants to ask for help.

This site is written in Perl. phpBB, our forum software, is written in PHP. There are ways to get the two to talk together, but it seems to require adding Perl modules to the server, which my host is loath to do since I'm on a shared server.

This is what I'm trying to do:

- users log in to the forum account from any page of the site
- forum accounts will be linked with other site features that I've written in Perl (such as the member collections, content moderation, and a bunch of new features which are yet to be released)
- to be able to do the above, I need to be able to accept username and password, and check the password against the one saved for the user's account in the phpBB forum's database.

These passwords are encoded using some variant of MD5, making them impossible to retrieve and next to impossible to hack, but ostensibly easy enough to duplicate if you know the encoding algorithm. The phpBB forum password encoding libraries are freely browsable (although it took me hours to understand it fully). I'm trying to translate the applicable functions into Perl so I can do the above. I've rewritten it, but it doesn't work... yet. I don't even know for sure if it CAN work... but MD5 is a common standard, and this should be possible, regardless of the language.

Anyway, are there any Perl/PHP/phpBB gurus out there? I could be making errors with ord, the substring translations ("& 0x3f" perplexes me), the do/while loops, or any of those bitwise operators (which I've managed to avoid thus far in my career).

Sandy


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Mon Nov 24, 2008 7:52 pm
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
Here are the phpBB functions:

Code:


/**
*
* @version Version 0.1 / $Id: functions.php,v 1.647 2007/12/10 18:35:28 kellanved Exp $
*
* Portable PHP password hashing framework.
*
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
* the public domain.
*
* There's absolutely no warranty.
*
* The homepage URL for this framework is:
*
*   http://www.openwall.com/phpass/
*
* Please be sure to update the Version line if you edit this file in any way.
* It is suggested that you leave the main version number intact, but indicate
* your project name (after the slash) and add your own revision information.
*
* Please do not change the "private" password hashing method implemented in
* here, thereby making your hashes incompatible.  However, if you must, please
* change the hash type identifier (the "$P$") to something different.
*
* Obviously, since this code is in the public domain, the above are not
* requirements (there can be none), but merely suggestions.
*
*
* Hash the password
*/
function phpbb_hash($password)
{
   $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

   $random_state = unique_id();
   $random = '';
   $count = 6;

   if (($fh = @fopen('/dev/urandom', 'rb')))
   {
      $random = fread($fh, $count);
      fclose($fh);
   }

   if (strlen($random) < $count)
   {
      $random = '';

      for ($i = 0; $i < $count; $i += 16)
      {
         $random_state = md5(unique_id() . $random_state);
         $random .= pack('H*', md5($random_state));
      }
      $random = substr($random, 0, $count);
   }
   
   $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

   if (strlen($hash) == 34)
   {
      return $hash;
   }

   return md5($password);
}

/**
* Check for correct password
*/
function phpbb_check_hash($password, $hash)
{
   $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
   if (strlen($hash) == 34)
   {
      return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
   }

   return (md5($password) === $hash) ? true : false;
}

/**
* Generate salt for hash generation
*/
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
{
   if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
   {
      $iteration_count_log2 = 8;
   }

   $output = '$H$';
   $output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];
   $output .= _hash_encode64($input, 6, $itoa64);

   return $output;
}

/**
* Encode hash
*/
function _hash_encode64($input, $count, &$itoa64)
{
   $output = '';
   $i = 0;

   do
   {
      $value = ord($input[$i++]);
      $output .= $itoa64[$value & 0x3f];

      if ($i < $count)
      {
         $value |= ord($input[$i]) << 8;
      }

      $output .= $itoa64[($value >> 6) & 0x3f];

      if ($i++ >= $count)
      {
         break;
      }

      if ($i < $count)
      {
         $value |= ord($input[$i]) << 16;
      }

      $output .= $itoa64[($value >> 12) & 0x3f];
      
      if ($i++ >= $count)
      {
         break;
      }

      $output .= $itoa64[($value >> 18) & 0x3f];
   }
   while ($i < $count);

   return $output;
}

/**
* The crypt function/replacement
*/
function _hash_crypt_private($password, $setting, &$itoa64)
{
   $output = '*';

   // Check for correct hash
   if (substr($setting, 0, 3) != '$H$')
   {
      return $output;
   }

   $count_log2 = strpos($itoa64, $setting[3]);

   if ($count_log2 < 7 || $count_log2 > 30)
   {
      return $output;
   }

   $count = 1 << $count_log2;
   $salt = substr($setting, 4, 8);

   if (strlen($salt) != 8)
   {
      return $output;
   }

   /**
   * We're kind of forced to use MD5 here since it's the only
   * cryptographic primitive available in all versions of PHP
   * currently in use.  To implement our own low-level crypto
   * in PHP would result in much worse performance and
   * consequently in lower iteration counts and hashes that are
   * quicker to crack (by non-PHP code).
   */
   if (PHP_VERSION >= 5)
   {
      $hash = md5($salt . $password, true);
      do
      {
         $hash = md5($hash . $password, true);
      }
      while (--$count);
   }
   else
   {
      $hash = pack('H*', md5($salt . $password));
      do
      {
         $hash = pack('H*', md5($hash . $password));
      }
      while (--$count);
   }

   $output = substr($setting, 0, 12);
   $output .= _hash_encode64($hash, 16, $itoa64);

   return $output;
}


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Mon Nov 24, 2008 7:56 pm
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
And here is my Perl rewrite attempt thus far:

Code:
#!/usr/bin/perl -w
use DBI;
#use PHP::Interpreter;
use Digest::MD5 qw(md5);

require "asdfasdf";
require "asdfasdfasdf";

$username = "Sandy";
$password = "testing";

check_auth($username, $password);

exit;


sub check_auth {

    my $username = $_[0];
    my $password = $_[1];

    print "User Entered Password: " . $password . "\n";

    $good_auth = 0;
   
    $dbh = DBI->connect($DatabaseURL, $DatabaseUser, $DatabasePassword) or die "Couldn't connect to database: $DBI::errstr";
   
    $SQLStatement = "SELECT user_password FROM phpbb3_users WHERE username = ?";   # placeholder instead of string concatenation
    $sth = $dbh->prepare($SQLStatement);
    $sth->execute($username) or die "SQL Error: $DBI::errstr\n";   # DBI binds the value safely
    @row = $sth->fetchrow_array;
    $dbhash = $row[0];
    print "DB Saved Password: " . $dbhash . "\n";
   
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    if (length($dbhash) == 34)
    {
        print "DBHash Length == 34\n";
        $pwhash = &HashCryptPrivate($password, $dbhash, $itoa64);
        print "Hash Crypt Private Password: " . $pwhash . "\n";
    }
    else
    {
        print "DBHash Length != 34\n";
        $pwhash = Digest::MD5::md5_hex($password);   # phpBB's fallback compares against the hex digest
        print "md5 Password: " . $pwhash . "\n";
    }
   
    if ($pwhash eq $dbhash)
    {
        $good_auth = 1;
    }
   
    return $good_auth;
}


sub HashCryptPrivate
{
    $password = $_[0];
    $setting = $_[1];
    $itoa64 = $_[2];
   
    $output = '*';
   
    if (substr($setting, 0, 3) ne '$H$')
    {
        return $output;
    }
   
    $count_log2 = index($itoa64, substr($setting,3,1));
    if ($count_log2 < 7 || $count_log2 > 30)
    {
        return $output;
    }
   
    $count = 1 << $count_log2;
    $salt = substr($setting, 4, 8);
   
    if (length($salt) != 8)
    {
        return $output;
    }
   
    #For PHP Versions 5+ (TwistyPuzzles currently uses 5.2.6)
    $hash = md5($salt . $password);
    do
    {
        $hash = md5($hash . $password);
    }
    while (--$count);
   
    print "Results So Far: hash " . $hash . "\n";
   
    $output = substr($setting, 0, 12);
    $output .= HashEncode64($hash, 16, $itoa64);
   
    return $output;
}

sub HashEncode64
{
    $input = $_[0];
    $count = $_[1];
    $itoa64 = $_[2];
   
    $output = "";
    $i = 0;
   
    do
    {
        $value = ord(substr($input, $i++));
        $temp1 = $value & 0x3f;
        $output .= substr($itoa64, $value & 0x3f, 1);
       
        if ($i < $count)
        {
            $temp1 = substr($input, $i);
            $temp2 = ord(substr($input, $i)) << 8;
            $value |= ord(substr($input, $i)) << 8;
        }
       
        $temp1 = ($value >> 6) & 0x3f;
        $output .= substr($itoa64, ($value >> 6) & 0x3f, 1);
       
        if ($i++ >= $count)
        {
            return $output;
        }
       
        if ($i < $count)
        {
            $temp1 = substr($input, $i);
            $temp2 = ord(substr($input, $i) << 16);
            $value |= ord(substr($input, $i) << 16);
        }
       
        $temp1 = ($value >> 12) & 0x3f;
        $output .= substr($itoa64,($value >> 12) & 0x3f, 1);
       
        if ($i++ >= $count)
        {
            return $output;
        }
       
        $temp1 = ($value >> 18) & 0x3f;
        $output .= substr($itoa64,($value >> 18) & 0x3f, 1);
        print "Output: " . $output . "\n";
    }
    while ($i < $count);
   
    return $output;
}



Post subject: Re: Help! PHP, Perl, phpBB
Posted: Mon Nov 24, 2008 8:01 pm
Joined: Sun Oct 12, 2008 5:34 pm
Location: Green Bay, WI
Sandy wrote:
Anyway, are there any Perl/PHP/phpBB gurus out there?


It's that Perl part that disqualifies me to help with this. I know some PHP and have downloaded phpBB to mess around with, but I don't know anything about Perl, though it looks similar to PHP. Sorry, wish I could help!

Good luck,

Justin

_________________
"It is one thing to show a man that he is in an error, and another to put him in possession of the truth."
-John Locke


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Tue Nov 25, 2008 12:28 am
Joined: Sun Apr 06, 2008 6:43 pm
Location: right here
If you know PHP, you know Perl. They're all derivatives of C. I understand PHP, Perl and so on, but I'm not any good with encryption algs.


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Tue Nov 25, 2008 7:23 am
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
Encryption knowledge is not required, I don't think. Just a solid knowledge of the functions and syntax of each language. Could I interest you in taking a crack at translating the PHP functions "_hash_encode64" and "_hash_crypt_private" (quoted above) into Perl and comparing your results to mine?!

Sandy


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Tue Nov 25, 2008 7:25 am
Joined: Sun Jun 13, 2004 12:45 pm
Location: Rochester, MN
Sandy wrote:
There are ways to get the two to talk together, but it seems to require adding Perl modules to the server, which my host is loath to do since I'm on a shared server.


I've installed modules in my own private library a few times. At the top of the script you need to do something special to have that library included, but it's quite simple:

http://servers.digitaldaze.com/extensio ... dules.html
http://www.perlmonks.org/?node_id=682025

_________________
CubingUSA.com - Find other cubers, be notified of upcoming competitions, and more.


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 1:57 pm
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
Back in the "olden days" of the forum, it seemed like almost everyone was a programmer!

(I'm moving this thread to the General forum for higher visibility. Yes, I realize it's off topic! I didn't want to bring back the "Help" forum just for one thread!)

Sandy


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 2:02 pm
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
Thanks for the idea Bryan. It looks a little convoluted, and I would definitely prefer the method of translating a function to including the entire PHP Interpreter in a Perl script to access one function, but I'll give that a shot tonight. If I can just get it working (however gracelessly), then I can proceed with getting the puzzle database content management code running and clean up the mess later.

Sandy


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 2:44 pm
Joined: Sun Jul 09, 2006 2:59 am
Location: Glastonbury, CT (USA)
Sandy wrote:
These passwords are encoded using some variant of MD5, making them impossible to retrieve and next to impossible to hack, but ostensibly easy enough to duplicate if you know the encoding algorithm. The phpBB forum password encoding libraries are freely browsable (although it took me hours to understand it fully). I'm trying to translate the applicable functions into Perl so I can do the above. I've rewritten it, but it doesn't work... yet. I don't even know for sure if it CAN work... but MD5 is a common standard, and this should be possible, regardless of the language.


I'm not a Perl expert, but don't forget to keep in mind the password salting. I'm fairly certain that phpBB uses some type of salt in addition to a standard md5 encryption.

_________________
Master Pentultimate Auction


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 2:47 pm
Joined: Sun Apr 06, 2008 6:43 pm
Location: right here
I'll take a closer look at this later tonight after work. I can't make any promises tho, I'm a hacker more than an actual programmer. :) (btw, hacker in the good sense, not a 1337 haxx0r).


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 3:39 pm
Joined: Sat Oct 18, 2008 9:01 am
you totally forgot to mention what operating system and kernel your server is running. when I look at problems like this my first instinct is to use unix environment variables that are practically global to the entire server or at least within the unix shell account. you can access the environment variables from any program in any language as long as the permissions are set for everything. also, you can consider using pipes in and out of perl to the unix console or other unix programs or scripts. you can call a perl program with command line arguments and have it return information in the console or somewhere else. perl programs are very good at calling native unix functions for md5 hashing/encrypting/decrypting or whatever. I'm no expert but you may not have to use all these libraries that are native to php, perl etc. also consider using C in place of perl if you don't know perl. there are a lot of resources that will help you write scripts in C for unix machines. see if you can dig through your kernel source for the md5 library and maybe recompile it if you have to.

oh and if your server admin is groaning about setting up your scripts then tell him you're gonna telnet in and do it yourself.

_________________
I SELL 3x3 STICKERS(thread)
click to PM ME
best hybrid speedcube using all rubik's parts


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 5:15 pm
Joined: Wed Nov 24, 1999 12:18 pm
Location: Palerang Shire, NSW, Australia
I really don't think that is much use. This is a shared server and the OS and kernel are fairly irrelevant here. You can't just use piping around if the server is not yours. And it's very unlikely the telnet protocol is running on this server or any server anymore.

_________________
Wayne Johnson (Developer)
http://waynejohnson.net


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 6:00 pm
Joined: Sun Apr 06, 2008 6:43 pm
Location: right here
Actually, I can SSH into my hosting server. But you're right. Most ISPs won't allow you to make OS calls. Besides, your programs should be written independent of the OS. Portability is important so you can move from ISP to ISP without having to rewrite your code.


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Wed Nov 26, 2008 9:15 pm
Joined: Sat Oct 18, 2008 9:01 am
you're right. I was just looking at it from the perspective that people are on private servers or virtual private servers. I've run web servers and irc servers on old crappy computers from my home before and I never had an admin to deal with. I have also purchased unix shell accounts strictly for the purpose of testing cgi written in perl in real time. I would telnet in and use emacs or vi to edit my scripts and do real world testing. I don't see why you can't use pipes if you have a user account with permissions limiting what you can do. a good admin can set you up so there is no risk to other people. oh well I'm oldschool I guess no one uses telnet or environment variables anymore. just seems like any scripted md5 decryption can't be as efficient as a compiled one that's architecture and kernel native. I was always taught to optimize things. sorry I don't know more about it.

_________________
I SELL 3x3 STICKERS(thread)
click to PM ME
best hybrid speedcube using all rubik's parts


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Sun Nov 30, 2008 6:07 pm
Joined: Thu Jan 24, 2002 1:10 am
Location: Toronto, Canada
WOOO HOOO! I got it.

There are two critical errors in my HashEncode64 subroutine:

- Declaring $output as a non-local variable. This is a problem throughout the code, but I got away with it for everything but $output. The calling routine, HashCryptPrivate, also has a $output variable which is wiped out by the time HashEncode64 returns its results. Apparently variables are automatically scoped in PHP, and thanks to my sloppy habits of not scoping my variables in Perl, I didn't catch it! Declaring $output as "my $output" would solve this one, but I properly scoped everything as a punishment and a lesson to myself.

- The line "$value |= ord(substr($input, $i)) << 16;" is supposed to read "$value |= ord(substr($input, $i) << 16);". Ooops. If this was the only error, I would have found it much more quickly, since this bug only affects 10 out of the 34 characters in the hashed password.

I fix those two things, and it all works out great! Some forum members over at phpBB.com who have been looking for this exact same solution will be mighty pleased when I post this solution!

WOOO HOOO, I say!

(I'll move this thread to Off Topic in a day or two.)

Sandy
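
As an added example (not Sandy's final code, which the thread does not show, and not phpBB's own): a strict-mode Perl port of the phpBB functions quoted earlier in the thread, with every variable lexically scoped and each byte shifted only after it has been converted to a number. The sub names, the `ct_eq` comparison helper and the sample salt are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;      # undeclared globals such as a shared $output become compile errors
use warnings;
use Digest::MD5 qw(md5 md5_hex);

my $ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

# Port of _hash_encode64: packs up to 3 bytes into $value, emits 6 bits at a time.
sub hash_encode64 {
    my ($input, $count) = @_;
    my @b = unpack('C*', $input);            # byte values 0..255
    my ($output, $i) = ('', 0);
    while ($i < $count) {
        my $value = $b[$i++];
        $output .= substr($ITOA64, $value & 0x3f, 1);
        $value |= $b[$i] << 8 if $i < $count;
        $output .= substr($ITOA64, ($value >> 6) & 0x3f, 1);
        last if $i++ >= $count;
        $value |= $b[$i] << 16 if $i < $count;   # shift the byte value, not the string
        $output .= substr($ITOA64, ($value >> 12) & 0x3f, 1);
        last if $i++ >= $count;
        $output .= substr($ITOA64, ($value >> 18) & 0x3f, 1);
    }
    return $output;
}

# Port of _hash_crypt_private (PHP 5 branch: raw 16-byte MD5 digests).
sub hash_crypt_private {
    my ($password, $setting) = @_;
    return '*' unless substr($setting, 0, 3) eq '$H$';
    my $count_log2 = index($ITOA64, substr($setting, 3, 1));
    return '*' if $count_log2 < 7 || $count_log2 > 30;
    my $salt = substr($setting, 4, 8);
    return '*' unless length($salt) == 8;
    my $count = 1 << $count_log2;
    my $hash  = md5($salt . $password);
    $hash = md5($hash . $password) while $count--;
    return substr($setting, 0, 12) . hash_encode64($hash, 16);
}

# Hypothetical helper (not in phpBB): compare without stopping at the first mismatch.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Port of phpbb_check_hash, including the unsalted hex-MD5 fallback.
sub phpbb_check_hash {
    my ($password, $stored) = @_;
    return ct_eq(hash_crypt_private($password, $stored), $stored) if length($stored) == 34;
    return ct_eq(md5_hex($password), $stored);
}

# Constructed sample: '9' is index 11 in $ITOA64 (2**11 rounds); the salt is made up.
my $stored = hash_crypt_private('testing', '$H$9' . 'abcdefgh');
printf "%s (%d chars)\n", $stored, length $stored;
print 'correct password: ', (phpbb_check_hash('testing', $stored) ? 'accepted' : 'REJECTED'), "\n";
print 'wrong password:   ', (phpbb_check_hash('Testing', $stored) ? 'ACCEPTED' : 'rejected'), "\n";
```

Pass the password as a byte string (UTF-8 encoded); `Digest::MD5` croaks on wide characters.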


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Sun Nov 30, 2008 6:40 pm
Joined: Sun Oct 12, 2008 5:34 pm
Location: Green Bay, WI
Congratulations! I never would have caught that!

_________________
"It is one thing to show a man that he is in an error, and another to put him in possession of the truth."
-John Locke


Post subject: Re: Help! PHP, Perl, phpBB
Posted: Sun Nov 30, 2008 7:05 pm
Joined: Sun Jun 13, 2004 12:45 pm
Location: Rochester, MN
flambore wrote:
Most ISPs won't allow you to make OS calls.


Huh? Technically, reading a file is an OS call....

_________________
CubingUSA.com - Find other cubers, be notified of upcoming competitions, and more.

