Question
Using either the phpass test program http://www.openwall.com/phpass/phpass-0.3.tar.gz , or python-phpass, and using C?*|Y[j"KQ'%gf for the plain text password, and $P$9kS6tD8tVxajypvJ5837.bt2emepD8/ as the hash, doing:
<?php
#
# This is a test program for the portable PHP password hashing framework.
#
# Written by Solar Designer and placed in the public domain.
# See PasswordHash.php for more information.
#
require 'PasswordHash.php';
header('Content-type: text/plain');

// 8 = base-2 logarithm of the iteration count; FALSE = allow non-portable (stronger) hashes
$t_hasher = new PasswordHash(8, FALSE);

// Plain-text password and the phpBB3 hash (its $H$ prefix rewritten as $P$)
$correct2 = 'C?*|Y[j"KQ\'%gf';
$hash2 = '$P$9kS6tD8tVxajypvJ5837.bt2emepD8/';
print 'Hash: [' . $hash2 . "]\n";
print 'correct: [' . $correct2 . "]\n";

$check = $t_hasher->CheckPassword($correct2, $hash2);
if ($check)
{
    print "Check correct: '" . $check . "' (should be '1')\n";
}
else
{
    print "IT FAILED!!!!!!!!\n\n\n";
}
?>
The hash was from phpBB3 (3.0.10), and when I supply that password to phpBB3, it does work correctly.
phpBB3 is supposed to be using phpass itself, doing $H$ instead of $P$.
The database entry in phpBB3 for this example is:
qlc4pi000000";0;"127.0.0.1";1351902499;"testpass";"testpass";"$H$9kS6tD8tVxajypvJ5837.bt2emepD8/";1351902499;0;"tp@inva.lid.com";266402289712;"''";1351902544;1351902499;0;"''";"''";0;0;0;0;0;0;0;"en";0.00;0;"D M d, Y g:i a";2;0;"''";0;0;0;0;-3;0;0;"t";"d";0;"t";"a";0;1;0;1;1;1;1;230271;"''";0;0;0;"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"''";"bf4ae169a5a21313";1;0;0
The plain text password used in phpBB3 is [C?*|Y[j"KQ'%gf] and the hash (converted from the phpBB3 format) is [$P$9kS6tD8tVxajypvJ5837.bt2emepD8/] (both password and hash are between the []).
Can anyone shed some light on what is going on, and why this doesn't work with phpass? This is on the same machine that the forums are on, and again, it does work on the phpBB3 forums, so I can log in fine. It's just that I can't authenticate with phpass externally when I access the phpBB3 database directly. It does work on other accounts, though; it is only certain accounts it fails on.
Answer 1:
Turns out the issue is that phpBB3 converts the password to use HTML escape codes.
Once the password is converted, it matches the hash stored in phpBB3.
Answer 2:
phpBB3 most likely applies the PHP function htmlspecialchars (with no flags) to the password.
This fact, noted by phpBoing, was also noticed in the discussion of question https://stackoverflow.com/a/12543884/1148030 .
The nonstandard identifier $H$ is useful. When $H$ is present, the implementation can know to apply escaping to support phpBB3.
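The two answers above describe the cause but not how an external verifier should handle it. The following Python is an added example (not code from the question, from phpass, or from phpBB3): it reimplements the phpass portable hash ($P$/$H$, salted iterated MD5 with the phpass base-64 alphabet) and shows that a password containing a double quote only verifies after the same htmlspecialchars-style escaping phpBB3 applied before hashing. The escaping function assumes ENT_COMPAT semantics (&, <, >, " encoded; ' left alone), which is what "no flags" meant on the PHP versions phpBB 3.0 ran on; the salt and the resulting hash are constructed here, and the page's own hash is not recomputed.

```python
import hashlib
import hmac
import os
from typing import Optional

# phpass alphabet, identical to the itoa64 table in PasswordHash.php
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def phpbb_escape(password: str, quote_single: bool = False) -> str:
    """Emulate PHP htmlspecialchars() as phpBB3 applies it to a submitted password.
    Default: ENT_COMPAT (&, <, >, " encoded, ' untouched). quote_single=True gives
    ENT_QUOTES behaviour (the default since PHP 8.1), which also encodes '."""
    out = password.replace("&", "&amp;")  # must run first so later entities are not double-encoded
    out = out.replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;")
    if quote_single:
        out = out.replace("'", "&#039;")
    return out


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: 3 input bytes -> 4 alphabet chars, least significant bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def crypt_private(password: str, setting: str) -> str:
    """phpass crypt_private: `setting` is '$P$' or '$H$', one cost character and an
    8-char salt. Returns the full 34-char hash, or '*0'/'*1' on a malformed setting."""
    output = "*0"
    if setting[:2] == output:
        output = "*1"
    if setting[:3] not in ("$P$", "$H$"):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    count = 1 << count_log2
    salt = setting[4:12]
    if len(salt) != 8:
        return output
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(count):  # 2^count_log2 rounds, each re-mixing the password
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password: str, cost_log2: int = 8, salt: Optional[bytes] = None,
                  prefix: str = "$P$") -> str:
    """Create a new portable hash from 6 random salt bytes (phpass gensalt_private).
    phpBB3 stores the same construction under the '$H$' prefix."""
    if salt is None:
        salt = os.urandom(6)
    setting = prefix + ITOA64[min(cost_log2 + 5, 30)] + _encode64(salt, 6)
    return crypt_private(password, setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Plain phpass check: recompute with the stored setting and compare in constant time."""
    computed = crypt_private(password, stored_hash)
    return computed[0] != "*" and hmac.compare_digest(computed, stored_hash)


def check_phpbb_password(password: str, stored_hash: str) -> bool:
    """What an external verifier must do for a phpBB3 row: escape the submitted
    password exactly as phpBB3 did before hashing, then run the normal check."""
    return check_password(phpbb_escape(password), stored_hash)


if __name__ == "__main__":
    # Password from the question; salt and hash are constructed here, not the page's hash.
    pw = 'C?*|Y[j"KQ\'%gf'
    stored = hash_password(phpbb_escape(pw), cost_log2=6, salt=os.urandom(6), prefix="$H$")
    print("stored:        ", stored)
    print("raw check:     ", check_password(pw, stored))        # False: '"' was stored as &quot;
    print("phpBB3 check:  ", check_phpbb_password(pw, stored))  # True
```

The cost character '9' in the question's hash decodes to 2^11 rounds, which is why the example uses cost_log2=6 (6 + 5 = 11). Accounts whose passwords contain none of & < > " are unaffected by the escaping, which matches the observation that only certain accounts fail.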
Source: https://stackoverflow.com/questions/13205058/phpass-fails-on-authentication-on-certain-passwords-from-phpbb3