c# sql authentication hash mybb

How to login to myBB in C#. (Hashing not working correctly)


I am trying to log in to a MyBB account on my forum. I need to use the SQL database for the login, but the passwords are hashed. I have tried just about everything, including hashing the password for the login, but it just won't work.

It works fine with a regular non-hashed password, but not with the hashed one.

// NOTE(review): this is the asker's non-working attempt, kept as posted. The comments
// below point out why the value it produces cannot match the stored hash.
string salt = Global.salt; // get salt from db
string password = textBox2.Text;// get password from user
MD5 md5 = new MD5CryptoServiceProvider();

// Create md5 hash of salt
// NOTE(review): saltBytes is computed but never used; the digest is taken from the stream
// returned by GenerateStreamFromString (not shown here), whose encoding may differ from
// the platform-dependent Encoding.Default.
byte[] saltBytes = Encoding.Default.GetBytes(salt);
byte[] saltHashBytes;
using (Stream saltStream = GenerateStreamFromString(salt))
{
    saltHashBytes = md5.ComputeHash(saltStream);
}
// BitConverter.ToString renders the digest as upper-case hex pairs joined by '-'
// ("0A-1B-..."), not as the contiguous lower-case hex string the answer below builds.
string saltHash = System.BitConverter.ToString(saltHashBytes);

// Create your md5(password + md5(salt)) hash
// NOTE(review): passwordBytes is never hashed. The stream below is built from `salt`
// again, so passwordHash is the digest of the salt alone and does not depend on the
// password the user typed. The order described above (password first, salt digest
// second, password not hashed on its own) also differs from the
// md5(md5(salt) + md5(password)) form used by the answer below.
byte[] passwordBytes = Encoding.Default.GetBytes(password + saltHash);
byte[] passwordHashBytes;
using (Stream saltStream = GenerateStreamFromString(salt))
{
    passwordHashBytes = md5.ComputeHash(saltStream);
}
string passwordHash = BitConverter.ToString(passwordHashBytes);

// Debugging aid: shows the computed hash in a dialog. Remove before shipping.
MessageBox.Show(passwordHash);

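// Check the credentials with a parameterized query. textBox1.Text is untrusted input;
// concatenating it into the SQL text would let a crafted username change the meaning of
// the WHERE clause, so both values are bound as parameters instead.
cmd = new MySqlCommand();
cmd.Connection = con;
cmd.CommandText = "SELECT username FROM testfdata_users WHERE username = @username AND password = @password LIMIT 1";
cmd.Parameters.AddWithValue("@username", textBox1.Text);
cmd.Parameters.AddWithValue("@password", passwordHash);

bool loginOk;
con.Open();
try
{
    // A row comes back only when both the username and the hash match.
    dr = cmd.ExecuteReader();
    loginOk = dr.Read();
    dr.Close();
}
finally
{
    // Close the connection even if the query throws.
    con.Close();
}

if (loginOk)
{
    MessageBox.Show("Login success ");
}
else
{
    // Same message for an unknown user and a wrong password, so the dialog does not
    // reveal which usernames exist.
    MessageBox.Show("Invalid Login please check username and password");
}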

This is how I grab the salt from the database.

// NOTE(review): SslMode=none turns TLS off for this connection, so the database
// credentials, salts and password hashes cross the network unencrypted.
MySqlConnection con2 = new MySqlConnection("Server=host.com;Database=baseName;user=username;Pwd=pass;SslMode=none");
// Reads every column of every user row, although only one user's salt is needed.
MySqlCommand cmd = new MySqlCommand("SELECT * FROM testfdata_users", con2);

con2.Open();

MySqlDataReader reader = cmd.ExecuteReader();

// Global.salt is overwritten on every row, so after the loop it holds the salt of the
// last row returned, which is not necessarily the user who is logging in.
while (reader.Read())
{
    Global.salt = reader.GetString("salt");
}
// NOTE(review): neither reader nor con2 is closed in this snippet.

Solution

  • I have figured out what the issue is. I will share what I did so anyone that has the same issue can find it here.

    First, you need to create this method.

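    /// <summary>
    /// Returns the MD5 digest of <paramref name="input"/> as 32 lower-case hex characters
    /// with no separators (the text form PHP's md5() returns).
    /// </summary>
    /// <param name="input">Text to hash; encoded as UTF-8 before hashing.</param>
    /// <returns>The digest as a lower-case hex string.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="input"/> is null.</exception>
    /// <remarks>
    /// MD5 is used only because the stored forum hashes are built from it. It is fast to
    /// brute-force and is not a suitable password hash for a new design.
    /// </remarks>
    public string CalculateMD5Hash(string input)
    {
         if (input == null)
         {
              throw new ArgumentNullException("input");
         }

         // Encoding.ASCII replaces every non-ASCII character with '?', which makes
         // different passwords hash to the same value. UTF-8 gives identical bytes for
         // ASCII text and keeps other characters distinct.
         // NOTE(review): assumes the forum hashes UTF-8 bytes; confirm against its charset.
         byte[] inputBytes = System.Text.Encoding.UTF8.GetBytes(input);

         byte[] hash;
         using (MD5 md5 = System.Security.Cryptography.MD5.Create())
         {
              hash = md5.ComputeHash(inputBytes);
         }

         StringBuilder sb = new StringBuilder(hash.Length * 2);
         for (int i = 0; i < hash.Length; i++)
         {
              // "x2" = two lower-case hex digits per byte.
              sb.Append(hash[i].ToString("x2"));
         }
         return sb.ToString();
    }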
    

    Next, you need to grab the salt from your SQL database

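    // Stays null when no row matches; treat that as a failed login instead of hashing.
    string salt = null;

    // NOTE(review): SslMode=none sends the credentials and the salt unencrypted; enable
    // TLS on the connection if the server supports it.
    MySqlConnection con2 = new MySqlConnection("Server=hostname;Database=databasename;user=username;Pwd=password;SslMode=none");

    // Ask the server for this one user's salt only. Selecting the whole table would pull
    // every user's salt and password hash into the client just to find a single row.
    MySqlCommand cmd = new MySqlCommand("SELECT salt FROM mybb_users WHERE username = @username LIMIT 1", con2);
    cmd.Parameters.AddWithValue("@username", user); // You can get 'user' from a textbox

    con2.Open();
    try
    {
         using (MySqlDataReader reader = cmd.ExecuteReader())
         {
              if (reader.Read())
              {
                   salt = reader.GetString("salt");
              }
         }
    }
    finally
    {
         // Close the connection even if the query throws.
         con2.Close();
    }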
    

    Then, you need to hash the password the user inputs

    // Stored format matched here: md5( md5(salt) + md5(password) ), with each inner
    // digest taken as its hex text before concatenation.
    string saltDigest = CalculateMD5Hash(salt);
    string passwordDigest = CalculateMD5Hash(password);
    string passwordHash = CalculateMD5Hash(saltDigest + passwordDigest);
    

    Lastly, you can login

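    // Placeholder values. Keep real database credentials out of source code and out of
    // published snippets (load them from protected configuration), and rotate any that
    // have been exposed.
    // NOTE(review): SslMode=none disables TLS; enable it if the server supports it.
    MySqlConnection con = new MySqlConnection("Server=hostname;Database=databasename;user=username;Pwd=password;SslMode=none");

    // Bind the username and the hash as parameters: the username comes straight from
    // user input and must never be concatenated into the SQL text.
    cmd = new MySqlCommand();
    cmd.Connection = con;
    cmd.CommandText = "SELECT username FROM mybb_users WHERE username = @username AND password = @password LIMIT 1";
    cmd.Parameters.AddWithValue("@username", user);
    cmd.Parameters.AddWithValue("@password", passwordHash);

    bool loginOk;
    con.Open();
    try
    {
         // A row comes back only when both the username and the hash match.
         dr = cmd.ExecuteReader();
         loginOk = dr.Read();
         dr.Close();
    }
    finally
    {
         // Close the connection even if the query throws.
         con.Close();
    }

    if (loginOk)
    {
         // Do what you want after login
    }
    else
    {
         MessageBox.Show("Invalid Login please check username and password");
    }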
    
    

    Together the code should look something like this

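    /// <summary>
    /// Hashes <paramref name="input"/> with MD5 and returns the digest as a 32-character
    /// lower-case hex string without separators.
    /// </summary>
    /// <param name="input">Text to hash; converted to UTF-8 bytes first.</param>
    /// <returns>Lower-case hex digest.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="input"/> is null.</exception>
    /// <remarks>
    /// MD5 appears here only for compatibility with the forum's stored hashes; it is not
    /// an adequate password hash for new systems.
    /// </remarks>
    public string CalculateMD5Hash(string input)
    {
         if (input == null)
         {
              throw new ArgumentNullException("input");
         }

         // UTF-8 rather than ASCII: the ASCII encoder turns every non-ASCII character
         // into '?', so distinct passwords would collapse to one hash. For plain ASCII
         // input the bytes are unchanged.
         // NOTE(review): assumes the forum hashes UTF-8 bytes; confirm against its charset.
         byte[] inputBytes = System.Text.Encoding.UTF8.GetBytes(input);

         // MD5 instances are IDisposable; release the implementation when done.
         using (MD5 md5 = System.Security.Cryptography.MD5.Create())
         {
              byte[] hash = md5.ComputeHash(inputBytes);

              StringBuilder sb = new StringBuilder(hash.Length * 2);
              foreach (byte b in hash)
              {
                   sb.Append(b.ToString("x2"));
              }
              return sb.ToString();
         }
    }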
    
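    /// <summary>
    /// Login button handler: fetches the salt for the entered username, derives
    /// md5(md5(salt) + md5(password)) and checks it against the stored hash.
    /// </summary>
    /// <param name="sender">Control that raised the event (unused).</param>
    /// <param name="e">Event data (unused).</param>
    private void button_Click(object sender, EventArgs e)
    {
         string user = txtBx_User.Text;
         string password = txtBx_Pass.Text;
         bool loginOk = false;

         // Placeholder values. Keep real database credentials out of source code and
         // out of published snippets, and rotate any that have been exposed.
         // NOTE(review): a desktop client that ships database credentials gives every
         // user of the program direct access to the users table; checking the login
         // through a server-side endpoint avoids that. SslMode=none also disables TLS.
         // Both queries read mybb_users, so a single connection serves both.
         using (MySqlConnection con = new MySqlConnection("Server=hostname;Database=databasename;user=username;Pwd=password;SslMode=none"))
         {
              con.Open();

              // Step 1: fetch only this user's salt. The username is bound as a
              // parameter because it is untrusted input; null means "no such user".
              string salt = null;
              using (MySqlCommand saltCmd = new MySqlCommand("SELECT salt FROM mybb_users WHERE username = @username LIMIT 1", con))
              {
                   saltCmd.Parameters.AddWithValue("@username", user);
                   using (MySqlDataReader reader = saltCmd.ExecuteReader())
                   {
                        if (reader.Read())
                        {
                             salt = reader.GetString("salt");
                        }
                   }
              }

              // Step 2: only when the user exists, derive the hash and compare it.
              if (salt != null)
              {
                   string passwordHash = CalculateMD5Hash(CalculateMD5Hash(salt) + CalculateMD5Hash(password));

                   using (MySqlCommand loginCmd = new MySqlCommand("SELECT username FROM mybb_users WHERE username = @username AND password = @password LIMIT 1", con))
                   {
                        loginCmd.Parameters.AddWithValue("@username", user);
                        loginCmd.Parameters.AddWithValue("@password", passwordHash);
                        using (MySqlDataReader loginReader = loginCmd.ExecuteReader())
                        {
                             loginOk = loginReader.Read();
                        }
                   }
              }
         }

         if (loginOk)
         {
              // Do what you want after login
         }
         else
         {
              // Same message for an unknown user and a wrong password, so the dialog
              // does not reveal which usernames exist.
              MessageBox.Show("Invalid Login please check username and password");
         }
    }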