MyBB Community Forums

MyBB Community Forums > Resources > Third Party Integration > Password Decryption
Full Version: Password Decryption
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

cblacks

2015-04-10, 07:08 PM
Hello, i want to connect my server login with mybb but it keep says invalid password.
Is there something wrong in the decrypt section ?






this is what i have : 




<?php

$host = "Host";
$user = "Username";
$pass = "Password";
$name = "Database Name";
$_GET['name'] = str_replace("_"," ",$_GET['name']);
if($_GET['crypt'] != 4556879){
	echo '-1';
	exit;
}
if(!@mysql_connect($host, $user, $pass))  {
	die("error connecting to mysql server - " . mysql_error());	
}
if(!@mysql_select_db($name))  {
	die("error selecting mysql database - " . mysql_error());	
}

$query = mysql_query("SELECT * FROM mybb_users WHERE username = '".$_GET['name']."'");
if($row = mysql_fetch_array($query)){

$pass2 = md5(md5($row["salt"]).md5($_GET['pass']));
if($pass2 == $row["password"])
	echo ''.(2+$row["usergroupid"]);
else
	echo '1';
} else
echo '0';
?>

TheOnlyDroid

2015-04-10, 10:07 PM
Don't decrypt, just encrypt the password or use what MyBB uses in your site.

Destroy666

2015-04-11, 02:38 AM
1. usergroupid field doesn't exist in mybb_users table (unless it's your custom field).
2. Your query is vulnerable to SQL injections.
3. Why is this code used?
$_GET['name'] = str_replace("_"," ",$_GET['name']);
4. I don't see any "invalid password" error in the posted code. It's harder to tell what's wrong if you post only parts of it - I don't see anything wrong except 1. 2. and 3. in this excerpt.
MyBB Community Forums > Resources > Third Party Integration > Password Decryption