The Cache: Technology Expert's Forum
 
Author Topic: JS MD5 to Perl MD5 headache  (Read 2415 times)
Bompa
« on: March 30, 2009, 10:37:40 PM »

I am trying to help my nephew with his science project ;) he needs to log in to
his account at school, but the login page uses some JS to create a new variable
that is MD5'd with another variable. Whew!

This is from the source of his login page:
Code:
var pass = loginform.password.value;
var chal = loginform.login_chal.value;
var res = MD5(chal + MD5(pass));
loginform.login_response.value = res;

We have var chal and we have our pass, and we see that the password is being
encrypted first, then combined with chal and encrypted again, or we think we see that.

And it seems that the var res is being put into the login form when the
form is sent; not before.

This is a typical var response as seen with liveheaders:
response=0036e42f73997652aaf0b599f21d430d

But I don't know if that is ascii, hex, dec, or some other.

My question is about JS MD5, specifically, because we will be using Perl's MD5 module
and we need the two to be compatible.  Ummm, I need to know what to expect from the JS
MD5 is what I mean.

This is about JS MD5...
"...take a string input, and produce a fixed size number - 128 bits for MD4 and MD5; 160 bits for SHA-1."
- http://pajhome.org.uk/crypt/md5/


They say it returns "a number".  Does that mean ascii?

Perl's module will return in binary, hex, or base64.
$digest = md5($data);
$digest = md5_hex($data);
$digest = md5_base64($data);

Maybe I should get the hex or base64 and convert to ascii?

I have been trying for a few hours and I'm a bit lost.

I think I am overlooking some rudimentary troubleshooting/investigating techniques this time.

Any ideas?

Bompa

"The most beautiful and profound emotion we can experience is the sensation of the mystical..." - Albert Einstein
Bompa
« Reply #1 on: March 31, 2009, 12:04:16 AM »

Go back to sleep America, I got it.

JS MD5 by default returns a 32 character hex value.

The part of the JS code that was confusing me was:
Code:
var res = MD5(chal + MD5(pass));

The equivalent in Perl is:
Code:
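use Digest::MD5 qw(md5_hex);  # md5_hex() joins its arguments before hashing, like chal + MD5(pass) in the JS
$res = md5_hex(($chal), md5_hex($pass));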

All is well.

out,
Bompa

"The most beautiful and profound emotion we can experience is the sensation of the mystical..." - Albert Einstein
perkiset
« Reply #2 on: March 31, 2009, 03:01:00 PM »

Sorry I didn't get in earlier Bomps, glad you got it sorted.

G'mornin!

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
vsloathe
« Reply #3 on: April 01, 2009, 10:33:24 AM »

Same, sorry.

That's awfully sloppy of them though. That system sounds like it's vulnerable to all sorts of nastiness.

hai
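
Added example, not part of the original posts: the encoding question from the first post and the formula from Reply #1, worked through in JavaScript. It uses Node's built-in crypto module as a stand-in for the page's MD5() function; the helper names and the sample challenge and password are constructed for illustration.

```javascript
// Added example (not from the thread). Node's crypto module stands in for the
// login page's MD5() function; all helper names below are hypothetical.
const crypto = require('crypto');

// MD5 of a string or Buffer.
// encoding: 'hex' (default), 'base64', or 'binary' (raw 16-byte Buffer).
function md5(data, encoding = 'hex') {
  const hash = crypto.createHash('md5').update(data);
  return encoding === 'binary' ? hash.digest() : hash.digest(encoding);
}

// The login page's formula, res = MD5(chal + MD5(pass)). The inner digest is
// the 32-character lowercase hex *string*, appended to the challenge as text.
function loginResponse(chal, pass) {
  return md5(chal + md5(pass));
}

// The porting mismatch to avoid: appending the raw 16 digest bytes (what
// Perl's md5() returns) instead of the hex text gives a different response.
function responseFromRawInner(chal, pass) {
  const inner = md5(pass, 'binary');
  return md5(Buffer.concat([Buffer.from(chal, 'utf8'), inner]));
}

// Classify a captured value by shape: a 128-bit digest is 32 hex characters,
// or 22 base64 characters (24 with "==" padding).
function digestEncoding(value) {
  if (/^[0-9a-f]{32}$/i.test(value)) return 'hex';
  if (/^[A-Za-z0-9+\/]{22}(==)?$/.test(value)) return 'base64';
  return 'unknown';
}

// Constructed sample values, not taken from the thread.
const SAMPLE_CHAL = 'a1b2c3d4';
const SAMPLE_PASS = 'password';

console.log('hex inner:', loginResponse(SAMPLE_CHAL, SAMPLE_PASS));
console.log('raw inner:', responseFromRawInner(SAMPLE_CHAL, SAMPLE_PASS));
// The response value quoted in the first post has the hex shape.
console.log(digestEncoding('0036e42f73997652aaf0b599f21d430d'));
```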