

Hype
Use bCrypt w/ MyBB
#1
Source: https://greysec.net/showthread.php?tid=387

First up, we're gonna test your server to see how many rounds (the bcrypt cost) would be suitable for it.

Download this file and place it into your root directory. Now navigate to yourforum.tld/rbieyj.php and record the result. It should look something like this:
Code:
Appropriate Cost Found: (number)

Create a directory named bcrypt inside /inc/datahandlers.

Download this zip file and extract the contents into your freshly made bcrypt folder.

Edit the bcrypt.php file so that its rounds variable reflects the cost you found earlier in the tutorial.

Now for the fun parts c:



In inc/datahandlers/login.php replace:
Code:
        if($salted_password !== $this->login_data['password'])
        {
            $this->invalid_combination(true);
            return false;
with:
Code:
        if(strlen($this->login_data['password']) == 32) {
            //if the password is still using md5
            if($salted_password != $this->login_data['password'])
            {
                $this->invalid_combination(true);
                return false;
            } else {
                //update the password to bcrypt
                include_once(dirname(__FILE__)."/bcrypt/bcrypt.php");

                $hasher = new BcryptHasher;

                $sql_array = array(
                    "password" => $hasher->make($user['password'])
                );

                $db->update_query("users", $sql_array, "uid = '{$this->login_data['uid']}'");
            }
        } else {
            include_once(dirname(__FILE__)."/bcrypt/bcrypt.php");
            $hasher = new BcryptHasher;
            if(!$hasher->check($user['password'], $this->login_data['password'])) {
                $this->invalid_combination(true);
                return false;
            }

in inc/datahandlers/user.php

replace:
Code:
        // MD5 the password
        $user['md5password'] = md5($user['password']);

        // Generate our salt
        $user['salt'] = generate_salt();

        // Combine the password and salt
        $user['saltedpw'] = salt_password($user['md5password'], $user['salt']);

with:
Code:
        // The salt column is kept but no longer feeds the hash: bcrypt output
        // carries its own salt inside the value produced by make().
        // NOTE(review): a fixed placeholder is stored here; confirm nothing else
        // in the install reads $user['salt'] for anything security-relevant.
        $user['salt'] = "dong"; // hacky fix that works
        //return a bcrypt hash
        include_once(dirname(__FILE__)."/bcrypt/bcrypt.php");
        $hasher = new BcryptHasher;
        $user['saltedpw'] = $hasher->make($user['password']);

in inc/functions_user.php

replace:
Code:
    if(salt_password(md5($password), $user['salt']) === $user['password'])
    {
        return $user;
    }
    else
    {
        return false;

with:
Code:
    if(strlen($user['password']) == 32) {
        if(salt_password(md5($password), $user['salt']) == $user['password'])
        {
            include_once(dirname(__FILE__)."/datahandlers/bcrypt/bcrypt.php");

            $hasher = new BcryptHasher;
            $user['password'] = $hasher->make($password);
            $sql_array = array(
                "password" => $user['password']
            );
            $db->update_query("users", $sql_array, "uid = '{$user['uid']}'");

            return $user;
        }
        else
        {
            return false;
        }
    } else {
        include_once(dirname(__FILE__)."/datahandlers/bcrypt/bcrypt.php");
        $hasher = new BcryptHasher;
        if(!$hasher->check($password, $user['password'])) {
            $this->invalid_combination(true);
            return false;
        } else {
            return $user;
        }

replace:
Code:
    $saltedpw = salt_password($password, $salt);

with:
Code:
    // replace salted password with bcrypt
    // $salt is intentionally unused from here on: bcrypt output carries its own
    // salt. $password is expected to be the plaintext now, since the member.php
    // caller in this tutorial stops pre-hashing it with md5().
    include_once(dirname(__FILE__)."/datahandlers/bcrypt/bcrypt.php");
    $hasher = new BcryptHasher;
    $saltedpw = $hasher->make($password);

in member.php
replace:
Code:
$logindetails = update_password($user['uid'], md5($password), $user['salt']);

with:
Code:
// Pass the plaintext: the patched update_password() (presumably the function the
// functions_user.php replacement above sits in) bcrypt-hashes it itself instead
// of receiving an md5 digest. The salt argument is kept only for the signature.
$logindetails = update_password($user['uid'], $password, $user['salt']);
#2
Just saying that you should cite your sources.

https://greysec.net/showthread.php?tid=387
#3
(12-22-2016, 03:10 AM)savage Wrote: Just saying that you should cite your sources.

https://greysec.net/showthread.php?tid=387

I actually have one huge folder full of mirrored tutorials; for some I have the source, for some I don't. This one didn't have it, but I will add it.
#4
(12-22-2016, 02:58 PM)Hype Wrote:
(12-22-2016, 03:10 AM)savage Wrote: Just saying that you should cite your sources.

https://greysec.net/showthread.php?tid=387

I actually have one huge folder full of mirrored tutorials; for some I have the source, for some I don't. This one didn't have it, but I will add it.

No worries, just looking out for ya :)

Thanks nonetheless, I'm sure that people will use it, if they are Forum Admins, of course.
#5
This is helpful, thank you!