vBulletin password encryption

XxharCs · 03/09/2017, 19:46

I need somehow to check my login credentials against the ones stored in the db of vBulletin.
I know that vB uses Bcrypt and I'm using this bcrypt library:

I never succeed to get matching passwords.(yeah I tweaked the library to use $2y$ prefix in the bcrypt_gensalt method)

Code:

#include <iostream>
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include "bcrypt.h"
#include "md5.h"

int main(int argc, char **argv)
{
        if(!(argc >= 2 && argc <= 3)) 
        {
                std::cerr << "Usage: ./bcrypt_release [password] [hash]" << std::endl;
                return EXIT_FAILURE;
        }

        std::string pw = md5(argv[1]);
    
        char salt[BCRYPT_HASHSIZE];
        char hash[BCRYPT_HASHSIZE];
        int ret;
    
        ret = bcrypt_gensalt(10, salt);
        ret = bcrypt_hashpw(pw.c_str(), salt, hash);
    
        if(argc == 3)
        {
                ret = bcrypt_checkpw(pw.c_str(), argv[2]);
                assert(ret != -1);
    
                std::cout << "pw: " << pw.c_str() << "\nsalt: " << salt << "\nhash: " << hash << "\nMatching passwords: " << (ret ? "[FAIL]" : "[OK]") << std::endl;
        }
        else if(argc == 2)
        {
                std::cout << "pw: " << pw.c_str() << "\nsalt: " << salt << "\nhash: " << hash << std::endl;
        }

        return EXIT_SUCCESS;
}

I also tried simple php code(which I found on the vB forums), to be sure it's not a C++ problem

Code:

$userSuppliedPassword = 'Plain Text Password';
$hashToMatch = 'user->token Column Value';
$options['cost'] = 10;
$options['salt'] = 'user->secret Column Value';
if (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $options['salt']))
{
$options['salt'] = str_replace('+', '.', base64_encode($options['salt']));
}
if ($hashToMatch == password_hash(md5($userSuppliedPassword), PASSWORD_BCRYPT, $options))
{
echo "Woot!<br/>\n";
}else{
echo "Sad Face.<br/>\n";
}

But still, pw's don't match.

Anyone an idea?

wurstbrot123 · 03/11/2017, 14:54

No clue what Version you are using but VBulletin 4 does it differently:

$encrypted = md5(md5($decryptedpassword) . $row->salt);

$encrypted will be same password as in the database than.

XxharCs · 03/11/2017, 16:36

Quote:

Originally Posted by wurstbrot123

No clue what Version you are using but VBulletin 4 does it differently:

$encrypted = md5(md5($decryptedpassword) . $row->salt);

$encrypted will be same password as in the database than.

Using vBulletin 5.
I even can't manage to do it via a WebRequest.( to check the user login)

wurstbrot123 · 03/11/2017, 20:07

You can actually ask the Customer Support if
you dont have a nulled Version.

They are pretty nice and even help with stuff like that.

Visual- · 03/22/2017, 14:42

Vbulleten 4 does it better

Dr. Coxxy · 03/22/2017, 18:23

php 7 ignores the salt parameter in password_hash afaik - which php version are you using?
also you should use password_verify and not == - though it shouldnt matter in your case, as youre using a custom hash.

XxharCs · 03/22/2017, 22:13

Quote:

Originally Posted by Dr. Coxxy

php 7 ignores the salt parameter in password_hash afaik - which php version are you using?
also you should use password_verify and not == - though it shouldnt matter in your case, as youre using a custom hash.

My webserver is running php7, though I'm trying not to accomplish this with php but in C++. But I managed a workaround with webrequests, cause I've not that much time to write the support