Path: news.corradoroberto.it!.POSTED.desktop.corradoroberto.it!not-for-mail
From: "Roberto CORRADO" <i@secure.corradoroberto.it>
Newsgroups: news.software.nntp
Subject: INN2, unofficial rewrite ckpasswd in PHP to bad experiment compatible with htpasswd bcrypt or sqlite db authentication method.
Date: Fri, 27 Feb 2026 16:45:08 +0100
Organization: NNTPD of domain: corradoroberto.it (for authenticated users)
Lines: 113
Message-ID: <10nse66$prs$1@news.corradoroberto.it>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Injection-Date: Fri, 27 Feb 2026 15:45:10 -0000 (UTC)
Injection-Info: gatto.corradoroberto.it; posting-account="news@corradoroberto.it"; posting-host="desktop.corradoroberto.it:192.168.1.4";
logging-data="26492"; mail-complaints-to="abuse@corradoroberto.it"
Cancel-Lock: sha1:mDidHXFz332BsHLPoBXQtGQmdQI= sha256:C8+3WNGpjmKRC89/ZTN0HNUBuYxyJ11CtG1UBY8Uq8w=
sha1:kz5lxhaOeGc4m6uoKCbyc1phhVA= sha256:BnSOu0d480RfTJ9c5CSSTtSZavq/csDk7BKgRO30ayo=
X-Priority: 3
X-Mailver: 8
X-Newsreader: CatWalker 0126
X-NNTP-Posting-Date: Fri, 27 Feb 2026 16:45:11 +0100
X-Copyright: The distribution through any means different from
usenet is forbidden. The publishing of this article on
the WEB Is also forbidden. Quotations are allowed.
X-MSMail-Priority: Normal
X-LDAPD: CORRADO-ROBERTO
X-TYPE: RCS 126
X-MTA: Sendmail MHS X.400
Xref: news.corradoroberto.it news.software.nntp:1486
Dear newsadmin,
I am writing because I should like to share my bad script with anyone who might need it...
I consider bcrypt to offer a good level of security for hashing passwords.
I hope I have done something pleasing
have a nice day.
--=20
Roberto
https://secure.corradoroberto.it/m9/usenet2/newsgroups.php?art_group=3Dne=
ws.software.nntp&article_id=3D1486
"""
#!/usr/bin/php
<?php
// APR1-MD5 encryption method (windows compatible)
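/**
 * Compute an Apache "apr1" (APR1-MD5) password hash, as written by htpasswd -m.
 *
 * The result has the form `$apr1$<salt>$<22-character digest>`, so it can be
 * compared with the hash field of an htpasswd entry that uses the same salt.
 * The digest is 1000 rounds of MD5, which is cheap to brute-force on current
 * hardware; keep this format only for verifying entries that already exist.
 *
 * @param string $plainpasswd Clear-text password to hash.
 * @param string $salt        Salt of the stored entry (the text between its second and third `$`).
 * @return string The complete `$apr1$...` hash string.
 */
function crypt_apr1_md5($plainpasswd, $salt){
    $length = strlen($plainpasswd);

    // Seed digest: MD5(password . salt . password) as 16 raw bytes.
    $digest = md5($plainpasswd . $salt . $plainpasswd, true);

    // Initial message: password, magic string and salt, followed by as many
    // seed-digest bytes as the password is long (16 at a time).
    $message = $plainpasswd . '$apr1$' . $salt;
    $remaining = $length;
    while ($remaining > 0) {
        $message .= substr($digest, 0, min(16, $remaining));
        $remaining -= 16;
    }

    // One byte per bit of the password length: NUL for a set bit, otherwise
    // the first password byte. Never runs for an empty password.
    $bits = $length;
    while ($bits > 0) {
        if ($bits & 1) {
            $message .= chr(0);
        } else {
            $message .= $plainpasswd[0];
        }
        $bits >>= 1;
    }
    $digest = md5($message, true);

    // 1000 stretching rounds; which pieces are mixed in depends on the round number.
    for ($round = 0; $round < 1000; $round++) {
        $odd = (bool) ($round & 1);
        $input = $odd ? $plainpasswd : $digest;
        if ($round % 3 !== 0) {
            $input .= $salt;
        }
        if ($round % 7 !== 0) {
            $input .= $plainpasswd;
        }
        $input .= $odd ? $digest : $plainpasswd;
        $digest = md5($input, true);
    }

    // Reorder the 16 digest bytes into triples (i, i+6, i+12), the last triple
    // wrapping to byte 5, each new triple placed in front of the previous ones.
    $shuffled = '';
    for ($i = 0; $i < 5; $i++) {
        $third = ($i === 4) ? 5 : $i + 12;
        $shuffled = $digest[$i] . $digest[$i + 6] . $digest[$third] . $shuffled;
    }
    $shuffled = "\0\0" . $digest[11] . $shuffled;

    // Base64-encode, drop the two characters produced by the NUL padding,
    // reverse, and translate from the base64 alphabet to the crypt alphabet.
    $encoded = strtr(
        strrev(substr(base64_encode($shuffled), 2)),
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    );

    return '$apr1$' . $salt . '$' . $encoded;
}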
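/**
 * Look up the stored password hash for a user in an htpasswd-style file.
 *
 * Each line is split on ":"; the first field is the user name and the second
 * field is the hash. Any further fields on the line are ignored.
 *
 * @param string $passwdFile Path of the password file.
 * @param string $username   User name to look up (compared byte for byte).
 * @return string|false The hash field with surrounding whitespace removed, or
 *                      false when the file cannot be read or the user is absent.
 */
function get_htpasswd ($passwdFile, $username){
    // A missing user name must never match an entry.
    if (!is_string($username) || !is_readable($passwdFile)) {
        return false;
    }

    $lines = file($passwdFile);
    if ($lines === false) {
        return false;
    }

    foreach ($lines as $line) {
        $fields = explode(':', $line);
        // Skip blank or malformed lines that carry no hash field.
        if (count($fields) < 2) {
            continue;
        }
        // Strict comparison: with "==" two numeric-looking names such as
        // "10" and "1e1" compare equal, so one account could be reached
        // under a different user name.
        if ($fields[0] === $username) {
            return trim($fields[1]);
        }
    }

    return false;
}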
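/**
 * Check a clear-text password against a stored htpasswd hash.
 *
 * The scheme is chosen from the prefix of the stored hash:
 *   `$apr1`  Apache APR1-MD5
 *   `{SHA}`  unsalted SHA-1, base64-encoded
 *   `$2y$`   bcrypt
 *   other    treated as crypt() with the first two characters as salt
 *
 * Only bcrypt is a modern password hash; the other schemes are verified for
 * compatibility with existing entries and are cheap to brute-force if the
 * password file leaks.
 *
 * @param string       $password   Password supplied by the client.
 * @param string|false $filePasswd Stored hash, or false when the user was not found.
 * @return bool True only when the password matches the stored hash.
 */
function matches($password, $filePasswd){
    // An unknown user (false), an empty hash field or a missing password is
    // always a failed login; never hand such values to the hash routines.
    if (!is_string($password) || !is_string($filePasswd) || $filePasswd === '') {
        return false;
    }

    if (strpos($filePasswd, '$apr1') === 0) {
        // APR1-MD5: the salt is the field after "$apr1$".
        $passParts = explode('$', $filePasswd);
        if (!isset($passParts[2])) {
            return false;
        }
        // hash_equals() compares in constant time and without the type
        // juggling that "==" applies to numeric-looking strings.
        return hash_equals($filePasswd, crypt_apr1_md5($password, $passParts[2]));
    }

    if (strpos($filePasswd, '{SHA}') === 0) {
        // Unsalted SHA-1.
        return hash_equals($filePasswd, '{SHA}' . base64_encode(sha1($password, true)));
    }

    if (strpos($filePasswd, '$2y$') === 0) {
        // bcrypt
        return password_verify($password, $filePasswd);
    }

    // Anything else goes through crypt() with a two-character salt.
    $hashed = crypt($password, substr($filePasswd, 0, 2));
    return is_string($hashed) && hash_equals($filePasswd, $hashed);
}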
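// Read the authentication request from standard input. Only the
// "ClientAuthname:" and "ClientPassword:" lines are used; every other line is
// ignored. Both values start as null so a request that omits one of them is
// rejected instead of being checked with an undefined variable.
$username = null;
$password = null;

$handle = fopen('php://stdin', 'r');
if ($handle === false) {
    fwrite(STDERR, "ckpasswd: cannot read standard input\n");
    exit(1);
}
// fgets() returns false at end of input, which ends the loop without passing
// a non-string to the prefix checks.
while (($buffer = fgets($handle)) !== false) {
    $prefix = 'ClientAuthname:';
    if (strncmp($buffer, $prefix, strlen($prefix)) === 0) {
        $username = trim(substr($buffer, strlen($prefix)));
    }
    $prefix = 'ClientPassword:';
    if (strncmp($buffer, $prefix, strlen($prefix)) === 0) {
        $password = trim(substr($buffer, strlen($prefix)));
    }
}
fclose($handle);

if ($username === null || $password === null) {
    fwrite(STDERR, "ckpasswd: missing ClientAuthname or ClientPassword\n");
    exit(1);
}

// get_htpasswd() returns false for an unknown user; matches() must treat that
// as a failed login.
$filePasswd = get_htpasswd('/etc/inn/local-user-database', $username);
if (matches($password, $filePasswd)) {
    // Success: the "User:" line is the only thing written to standard output.
    echo "User:$username\n";
    exit(0);
} else {
    // Diagnostics go to standard error so they cannot be read as part of the
    // authentication result on standard output.
    fwrite(STDERR, "ckpasswd: invalid password for user $username\n");
    exit(1);
}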
?>
"""
| Oggetto |
INN2, unofficial rewrite ckpasswd in PHP to bad experiment compatible with htpasswd bcrypt or sqlite db authentication method. |
| Mittente |
Roberto CORRADO |
| Data |
Fri, 27 Feb 2026 16:45:08 +0100 |
| Newsgroups |
news.software.nntp |
Dear newsadmin,
I am writing because I should like to share my bad script with anyone who might need it...
I consider bcrypt to offer a good level of security for hashing passwords.
I hope I have done something pleasing
have a nice day.
--
Roberto
https://secure.corradoroberto.it/m9/usenet2/newsgroups.php?art_group=news.software.nntp&article_id=1486
"""
#!/usr/bin/php
<?php
// APR1-MD5 encryption method (windows compatible)
/**
 * Compute an Apache "apr1" (APR1-MD5) password hash, as written by htpasswd -m.
 *
 * The result has the form `$apr1$<salt>$<22-character digest>`, so it can be
 * compared with the hash field of an htpasswd entry that uses the same salt.
 * The digest is 1000 rounds of MD5, which is cheap to brute-force on current
 * hardware; keep this format only for verifying entries that already exist.
 *
 * @param string $plainpasswd Clear-text password to hash.
 * @param string $salt        Salt of the stored entry (the text between its second and third `$`).
 * @return string The complete `$apr1$...` hash string.
 */
function crypt_apr1_md5($plainpasswd, $salt){
    $length = strlen($plainpasswd);

    // Seed digest: MD5(password . salt . password) as 16 raw bytes.
    $digest = md5($plainpasswd . $salt . $plainpasswd, true);

    // Initial message: password, magic string and salt, followed by as many
    // seed-digest bytes as the password is long (16 at a time).
    $message = $plainpasswd . '$apr1$' . $salt;
    $remaining = $length;
    while ($remaining > 0) {
        $message .= substr($digest, 0, min(16, $remaining));
        $remaining -= 16;
    }

    // One byte per bit of the password length: NUL for a set bit, otherwise
    // the first password byte. Never runs for an empty password.
    $bits = $length;
    while ($bits > 0) {
        if ($bits & 1) {
            $message .= chr(0);
        } else {
            $message .= $plainpasswd[0];
        }
        $bits >>= 1;
    }
    $digest = md5($message, true);

    // 1000 stretching rounds; which pieces are mixed in depends on the round number.
    for ($round = 0; $round < 1000; $round++) {
        $odd = (bool) ($round & 1);
        $input = $odd ? $plainpasswd : $digest;
        if ($round % 3 !== 0) {
            $input .= $salt;
        }
        if ($round % 7 !== 0) {
            $input .= $plainpasswd;
        }
        $input .= $odd ? $digest : $plainpasswd;
        $digest = md5($input, true);
    }

    // Reorder the 16 digest bytes into triples (i, i+6, i+12), the last triple
    // wrapping to byte 5, each new triple placed in front of the previous ones.
    $shuffled = '';
    for ($i = 0; $i < 5; $i++) {
        $third = ($i === 4) ? 5 : $i + 12;
        $shuffled = $digest[$i] . $digest[$i + 6] . $digest[$third] . $shuffled;
    }
    $shuffled = "\0\0" . $digest[11] . $shuffled;

    // Base64-encode, drop the two characters produced by the NUL padding,
    // reverse, and translate from the base64 alphabet to the crypt alphabet.
    $encoded = strtr(
        strrev(substr(base64_encode($shuffled), 2)),
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    );

    return '$apr1$' . $salt . '$' . $encoded;
}
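/**
 * Look up the stored password hash for a user in an htpasswd-style file.
 *
 * Each line is split on ":"; the first field is the user name and the second
 * field is the hash. Any further fields on the line are ignored.
 *
 * @param string $passwdFile Path of the password file.
 * @param string $username   User name to look up (compared byte for byte).
 * @return string|false The hash field with surrounding whitespace removed, or
 *                      false when the file cannot be read or the user is absent.
 */
function get_htpasswd ($passwdFile, $username){
    // A missing user name must never match an entry.
    if (!is_string($username) || !is_readable($passwdFile)) {
        return false;
    }

    $lines = file($passwdFile);
    if ($lines === false) {
        return false;
    }

    foreach ($lines as $line) {
        $fields = explode(':', $line);
        // Skip blank or malformed lines that carry no hash field.
        if (count($fields) < 2) {
            continue;
        }
        // Strict comparison: with "==" two numeric-looking names such as
        // "10" and "1e1" compare equal, so one account could be reached
        // under a different user name.
        if ($fields[0] === $username) {
            return trim($fields[1]);
        }
    }

    return false;
}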
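/**
 * Check a clear-text password against a stored htpasswd hash.
 *
 * The scheme is chosen from the prefix of the stored hash:
 *   `$apr1`  Apache APR1-MD5
 *   `{SHA}`  unsalted SHA-1, base64-encoded
 *   `$2y$`   bcrypt
 *   other    treated as crypt() with the first two characters as salt
 *
 * Only bcrypt is a modern password hash; the other schemes are verified for
 * compatibility with existing entries and are cheap to brute-force if the
 * password file leaks.
 *
 * @param string       $password   Password supplied by the client.
 * @param string|false $filePasswd Stored hash, or false when the user was not found.
 * @return bool True only when the password matches the stored hash.
 */
function matches($password, $filePasswd){
    // An unknown user (false), an empty hash field or a missing password is
    // always a failed login; never hand such values to the hash routines.
    if (!is_string($password) || !is_string($filePasswd) || $filePasswd === '') {
        return false;
    }

    if (strpos($filePasswd, '$apr1') === 0) {
        // APR1-MD5: the salt is the field after "$apr1$".
        $passParts = explode('$', $filePasswd);
        if (!isset($passParts[2])) {
            return false;
        }
        // hash_equals() compares in constant time and without the type
        // juggling that "==" applies to numeric-looking strings.
        return hash_equals($filePasswd, crypt_apr1_md5($password, $passParts[2]));
    }

    if (strpos($filePasswd, '{SHA}') === 0) {
        // Unsalted SHA-1.
        return hash_equals($filePasswd, '{SHA}' . base64_encode(sha1($password, true)));
    }

    if (strpos($filePasswd, '$2y$') === 0) {
        // bcrypt
        return password_verify($password, $filePasswd);
    }

    // Anything else goes through crypt() with a two-character salt.
    $hashed = crypt($password, substr($filePasswd, 0, 2));
    return is_string($hashed) && hash_equals($filePasswd, $hashed);
}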
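// Read the authentication request from standard input. Only the
// "ClientAuthname:" and "ClientPassword:" lines are used; every other line is
// ignored. Both values start as null so a request that omits one of them is
// rejected instead of being checked with an undefined variable.
$username = null;
$password = null;

$handle = fopen('php://stdin', 'r');
if ($handle === false) {
    fwrite(STDERR, "ckpasswd: cannot read standard input\n");
    exit(1);
}
// fgets() returns false at end of input, which ends the loop without passing
// a non-string to the prefix checks.
while (($buffer = fgets($handle)) !== false) {
    $prefix = 'ClientAuthname:';
    if (strncmp($buffer, $prefix, strlen($prefix)) === 0) {
        $username = trim(substr($buffer, strlen($prefix)));
    }
    $prefix = 'ClientPassword:';
    if (strncmp($buffer, $prefix, strlen($prefix)) === 0) {
        $password = trim(substr($buffer, strlen($prefix)));
    }
}
fclose($handle);

if ($username === null || $password === null) {
    fwrite(STDERR, "ckpasswd: missing ClientAuthname or ClientPassword\n");
    exit(1);
}

// get_htpasswd() returns false for an unknown user; matches() must treat that
// as a failed login.
$filePasswd = get_htpasswd('/etc/inn/local-user-database', $username);
if (matches($password, $filePasswd)) {
    // Success: the "User:" line is the only thing written to standard output.
    echo "User:$username\n";
    exit(0);
} else {
    // Diagnostics go to standard error so they cannot be read as part of the
    // authentication result on standard output.
    fwrite(STDERR, "ckpasswd: invalid password for user $username\n");
    exit(1);
}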
?>
"""