Using C# to authenticate against a vBulletin database
I spent all day looking for a solution to my problem and finally decided to make a post asking for help. I really don't know if this is the best place to post this but maybe someone can help me.
So I'm trying to create a simple login form in C#. Everything works fine on getting the username, MD5(password) and salt from the database. Now my problem is how to do the comparison with the password + salt input from my form. I have no idea how vBulletin stores the password when a user creates an account on the forum, nor do I have any idea how it generates a salt, whether it's random or username-based, and how many iterations it takes.
Can anyone help me?
EDIT:
    $vbulletin->userinfo['password'] != iif($password AND !$md5password, md5(md5($password) . $vbulletin->userinfo['salt']), '') AND
    $vbulletin->userinfo['password'] != iif($md5password, md5($md5password . $vbulletin->userinfo['salt']), '') AND
    $vbulletin->userinfo['password'] != iif($md5password_utf, md5($md5password_utf . $vbulletin->userinfo['salt']), '')
Found that, but I still have no clue how they make it, so I can try to reproduce it in C#.
Best Regards, Magg
Given the code, formatted (and ignoring this might break the syntax):
    $vbulletin->userinfo['password'] != iif($password AND !$md5password,
        md5(md5($password) . $vbulletin->userinfo['salt']), '')
    AND $vbulletin->userinfo['password'] != iif($md5password,
        md5($md5password . $vbulletin->userinfo['salt']), '')
    AND $vbulletin->userinfo['password'] != iif($md5password_utf,
        md5($md5password_utf . $vbulletin->userinfo['salt']), '')
This expression detects "failure of all methods", but because I find that hard to read, let's rewrite it as a positive match for "success of any method" by applying De Morgan's with an implicit outside negation:
    $vbulletin->userinfo['password'] == iif($password AND !$md5password,
        md5(md5($password) . $vbulletin->userinfo['salt']), '')
    OR $vbulletin->userinfo['password'] == iif($md5password,
        md5($md5password . $vbulletin->userinfo['salt']), '')
    OR $vbulletin->userinfo['password'] == iif($md5password_utf,
        md5($md5password_utf . $vbulletin->userinfo['salt']), '')
Now, applying simplification and noting that iif(x,y,z) works like x?y:z, we end up with something like the following in C#:
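    // md5(s) stands for a helper that returns the lowercase hex MD5 of the string s
    storedPw == (!string.IsNullOrEmpty(password) && string.IsNullOrEmpty(md5password) ? md5(md5(password) + salt) : "")
    || storedPw == (!string.IsNullOrEmpty(md5password) ? md5(md5password + salt) : "")
    || storedPw == (!string.IsNullOrEmpty(md5password_utf) ? md5(md5password_utf + salt) : "")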
The checks are a little bit ugly, but .. not my code. The important bit to realize is the pattern is:
    md5(md5(password) + salt) -> storedPw
Unfortunately, this should have matched md5(md5($pass).$salt) from the insidepro link - when using that tool, make sure you're supplying the plain text password and not the hash from the database.
YMMV.
So here's the solution to my problem; finally I managed to get it working.
The problem was that C# uses all strings as Unicode, and vBulletin uses all strings as UTF8.
For the sake of testing, I created a new form, added a new textbox and a button. This doesn't connect in any way to the database, and I provided the salt taken directly from the database (for the sake of testing).
As was already stated, vBulletin logins work as follows: md5(md5(password)+salt)
So to reproduce the same in C# but using UTF8, here's the solution:
    using System;
    using System.Security.Cryptography;
    using System.Text;
    using System.Windows.Forms;

    static public string GetMd5Sum(string str)
    {
        //vBulletin handles strings as UTF8, so the user input has to be converted to UTF8 bytes as well.
        //Encoding.UTF8.GetBytes sizes the array itself; a buffer of str.Length bytes is too small
        //as soon as the input contains a non-ASCII character.
        byte[] utf8text = Encoding.UTF8.GetBytes(str);
        //Hash the byte[] array with our UTF8 string inside
        using (MD5 md5 = MD5.Create())
        {
            byte[] result = md5.ComputeHash(utf8text);
            //Build the final string by converting each byte
            //into hex and appending it to a StringBuilder
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < result.Length; i++)
            {
                //x2 here so the result is all in lowercase, because vBulletin also stores it all in lowercase
                sb.Append(result[i].ToString("x2"));
            }
            //And return it
            return sb.ToString();
        }
    }

    private void button1_Click(object sender, EventArgs e)
    {
        //Get the user input password as plain text
        string pass = textBox1.Text;
        //Here I provided explicitly the salt that I took from the database
        string salt = "N1GOt=>8sdO@E54)PH2@NCm5yI#]3u";
        //Here we convert the plain text password into the first hash
        string p1 = GetMd5Sum(pass);
        //Here we add the salt to the previous hashed password
        string p2 = p1 + salt;
        //Here we hash again the previous hashed password + the salt string
        string final = GetMd5Sum(p2);
        //This was just for the test, to see if it all works as intended
        MessageBox.Show(final);
    }
This will output the exact same hash stored in the database as password.
Thank you user2246647 for all your help on this problem I had.
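As an added example (not code from either poster), the "success of any method" check from the answers can be written as one verification routine that hashes the UTF-8 bytes of the input, so non-ASCII passwords work, and compares the result without stopping at the first mismatching character. The class and method names are hypothetical, the `md5password_utf` branch is left out, and the password and stored hash in `Main` are constructed; only the salt is the one quoted above.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class VbLegacyHash   // hypothetical name, not from the posts
{
    // Lowercase hex MD5 over the UTF-8 bytes of s, like PHP's md5() on a UTF-8 string.
    static string Md5Hex(string s)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(s));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Compare every character instead of returning at the first difference.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // password: plain text from the form. md5Password: md5(password) already computed
    // by the client, or null. A supplied md5Password takes precedence, as in the PHP check.
    public static bool Verify(string password, string md5Password, string salt, string storedHash)
    {
        string inner;
        if (!string.IsNullOrEmpty(md5Password))
            inner = md5Password;
        else if (!string.IsNullOrEmpty(password))
            inner = Md5Hex(password);
        else
            return false;   // nothing supplied: never treat an empty stored value as a match
        return FixedTimeEquals(Md5Hex(inner + salt), storedHash ?? "");
    }

    static void Main()
    {
        const string salt = "N1GOt=>8sdO@E54)PH2@NCm5yI#]3u";  // salt quoted in the post
        string pw = "p\u00e4ssw\u00f6rd";                       // constructed non-ASCII password
        string stored = Md5Hex(Md5Hex(pw) + salt);              // constructed "database" value
        Console.WriteLine(Verify(pw, null, salt, stored));          // plain-text path
        Console.WriteLine(Verify(null, Md5Hex(pw), salt, stored));  // client-side md5 path
        Console.WriteLine(Verify("passwoerd", null, salt, stored)); // wrong password
    }
}
```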