Vbulletin Login help required

[dollar1]

I am trying to make a login for vbulletin through a windows application using mysql but whatever i tried has failed, i can connect with the database but i cannot find the password table, since vbulletin has md5 on their passwords.Do you think you can help me with this?It would be really nice and i would appreciate it.

Thanks,

Dollar1

[Jason]

Just MD5 hash the password the user input and then compare it to the md5'd passwords in the database. No decent database should ever store unhashed/encrypted passwords, it's a huge security risk.

To get the MD5 of the password:
[highlight=vb.net]
Imports System.Security.Cryptography
Imports System.Text
[/highlight]
[highlight=vb.net]
Private Function MD5HashString(ByVal word As String) As String
Dim wordBytes As Byte() = Encoding.ASCII.GetBytes(word)
Dim hashedBytes As Byte()
Using md5Crypto As New MD5CryptoServiceProvider()
hashedBytes = md5Crypto.ComputerHash(wordBytes)
End Using
Return String.Join("", hashedBytes.Select(Function(b As Byte) b.ToString("x2")).ToArray())
End Function
[/highlight]

[dollar1]

Just MD5 hash the password the user input and then compare it to the md5'd passwords in the database. No decent database should ever store unhashed/encrypted passwords, it's a huge security risk.

To get the MD5 of the password:
[highlight=vb.net]
Imports System.Security.Cryptography
Imports System.Text
[/highlight]
[highlight=vb.net]
Private Function MD5HashString(ByVal word As String) As String
Dim wordBytes As Byte() = Encoding.ASCII.GetBytes(word)
Dim hashedBytes As Byte()
Using md5Crypto As New MD5CryptoServiceProvider()
hashedBytes = md5Crypto.ComputerHash(wordBytes)
End Using
Return String.Join("", hashedBytes.Select(Function(b As Byte) b.ToString("x2")).ToArray())
End Function
[/highlight]

Thanks alot , do you think you can share the whole source with me , i would appreciate that .And even if you cant thanks for helping me.

[Blubb1337]

Thanks alot , do you think you can share the whole source with me , i would appreciate that .And even if you cant thanks for helping me.

Wrote it from top off my head, should work though.

[highlight="VB.Net"]Private SQLConn as New MySQLConnection("Server=myServerAddress;Database=m yDataBase;Uid=myUsername;Pwd=myPassword;")

Private SQLReader as MySQLReader 'might need as NEW

Private Function MD5HS(ByVal word As String) As String 'MD5HashString
Dim wordBytes As Byte() = Encoding.ASCII.GetBytes(word)
Dim hashedBytes As Byte()
Using md5Crypto As New MD5CryptoServiceProvider()
hashedBytes = md5Crypto.ComputerHash(wordBytes)
End Using
Return String.Join("", hashedBytes.Select(Function(b As Byte) b.ToString("x2")).ToArray())
End Function

Private Function Login(Byval Username As String,Byval Password As String) As Boolean
Dim Success as Boolean
Try
SQLConn.Open

Dim SQLQuery As New MySQLCommand(String.Format("SELECT * FROM users WHERE Username='{0}' AND Password='{1}' LIMIT 1",Username,MD5HS(Password)),SQLConn)

SQLReader = SQLQuery.ExecuteReader

Success = SQLReader.HasRows

SQLReader.Close
SQLConn.Close
SQLCommand.Dispose

Catch ex as MySQLException
SQLConn.Close
Msgbox(ex.tostring)
End Try

Return Success
End Function[/highlight]

PHP Script Sample:

[highlight="PHP"]<?php
$conn = mysql_connect("Server","User","Password")
or die ("Connection failed.");

//connect to the specific database
mysql_select_db("testdb");

$Username = $_GET['Username'];
$Password = $_GET['Password'];
$PW = md5($Password);

if(isset($Username)) {
if(isset($PW)) {

$Query = "SELECT * FROM users WHERE Username='".$Username."' AND Password='".$PW."' LIMIT 1";

$Result = mysql_query($Query);
$Count = mysql_num_rows($Result);

if($Count == 0) {
echo "False"; }
else {
echo "True"; }
} else {
echo "False"; }
}
?>[/highlight]

Url.php?Username=X&Password=Y

[ken53406]

Easier method is using HttpWebRequest.

Make a new module and put in

Code:

Imports System.Security.Cryptography
Imports System.Text

Module Module1
    Public Function Login(ByVal Username As String, ByVal Password As String)

        Password = MD5(Password)
        Dim valid As Boolean = False
        Dim data As String = "vb_login_username=" & Username & "&vb_login_password=&s=&do=login&vb_login_md5password=" & Password & "&vb_login_md5password_utf=" & Password

        Try
            Dim request As HttpWebRequest = WebRequest.Create("example.dotcom/login.php?do=login")
            request.Method = WebRequestMethods.Http.Post
            reques*****ntentType = "application/x-www-form-urlencoded"
            request.UserAgent = "-- vBulletin Vaidation  --"



            reques*****ntentLength = data.Length

            Dim rStream As New StreamWriter(request.GetRequestStream)

            rStream.Write(data)
            rStream.Flush()
            rStream.Close()

            Dim response As HttpWebResponse = request.GetResponse
            Dim resReader As New StreamReader(response.GetResponseStream)

            Dim str As String = resReader.ReadToEnd


            If str.Contains("Successful Login!") Then
                valid = True
            Else
                valid = False
            End If


            response.Close()

        Catch ex As Exception
            MessageBox.Show(ex.Message, "Error URFORUMNAME Forums-Login!", MessageBoxButtons.OK, MessageBoxIcon.Error)

        End Try

        Return valid

    End Function

    Public Function MD5(ByVal number As String) As String

        Dim ASCIIenc As New ASCIIEncoding
        Dim strReturn As String = String.Empty

        Dim ByteSourceText() As Byte = ASCIIenc.GetBytes(number)
        Dim Md5Hash As New MD5CryptoServiceProvider
        Dim ByteHash() As Byte = Md5Hash.ComputeHash(ByteSourceText)

        For Each b As Byte In ByteHash
            strReturn &= b.ToString("x2")
        Next

        Return strReturn

    End Function
End Module

put your url to the login.php page where it says example.dotcom/login.php?do=login

Code:

Dim request As HttpWebRequest = WebRequest.Create("example.dotcom/login.php?do=login")

For the login button put in

Code:

If Login(ComboBox1.Text, TextBox1.Text) Then
            MsgBox("Successfully Logged In! WELCOME!")
            Form2.Show()
            Me.Close()

        Else
            MsgBox("Incorrect Username/Password")
        End If

there ya go its secure, and its easier. uses only the vbulletin useraccounts

[Jason]

Easier method is using HttpWebRequest.

Make a new module and put in

Code:

BIG CODE BLOCK

there ya go its secure, and its easier. uses only the vbulletin useraccounts

That's not a better method, if you have access to your own VBulletin database, why the fuck would you want to use a workaround like this? It's slower and more cumbersome than just checking the database, although the actually DB work should be processed on a PHP script as decompiling apps and finding your MySQL credentials is far too easy with an exe.

[Blubb1337]

That's not a better method, if you have access to your own VBulletin database, why the fuck would you want to use a workaround like this? It's slower and more cumbersome than just checking the database, although the actually DB work should be processed on a PHP script as decompiling apps and finding your MySQL credentials is far too easy with an exe.

I can only agree to this. Most secure method will be PHP. As Jason said, people would be able to decompile your project else and find out your login data.

Also PHP allows you to use localhost as host -> way faster aswell.

[Jason]

I can only agree to this. Most secure method will be PHP. As Jason said, people would be able to decompile your project else and find out your login data.

Also PHP allows you to use localhost as host -> way faster aswell.

Although communicating with the PHP script from VB will slow the process down, even with sockets and a local database on the server, just sayin'.

[ken53406]

Uhm my method uses no passwords or usernames so decompiling it would not show any credentials at all... therefore its secure

[Jason]

Uhm my method uses no passwords or usernames so decompiling it would not show any credentials at all... therefore its secure

There are more elegant solutions with tighter security and far better efficiency. If you have a DB there, why would you ignore it?