<?php

[0] Fix | Delete

[1] Fix | Delete

$resp = __encrypt_password('[[admin_pass]]', '[[salt]]', '$2a$' . '12' . '$', '[[passwordsaltmain]]');

[2] Fix | Delete

echo '<update_pass>'.$resp.'</update_pass>';

[3] Fix | Delete

[4] Fix | Delete

function __encrypt_password($password, $salt='', $alg='$6$', $sitesalt='') {

[5] Fix | Delete

if ($salt == '') {

[6] Fix | Delete

$salt = substr(md5(rand(1000000, 9999999)), 2, 8);

[7] Fix | Delete

}

[8] Fix | Delete

if ($alg == '$6$') { // $6$ is the identifier for the SHA512 algorithm

[9] Fix | Delete

// Return a hash which is sha512(originalHash, salt), where original is sha1(salt + password)

[10] Fix | Delete

$password = sha1($salt . $password);

[11] Fix | Delete

// Generate a salt based on a supplied salt and the passwordsaltmain

[12] Fix | Delete

$fullsalt = substr(md5($sitesalt . $salt), 0, 16); // SHA512 expects 16 chars of salt

[13] Fix | Delete

}

[14] Fix | Delete

else { // This is most likely bcrypt $2a$, but any other algorithm can take up to 22 chars of salt

[15] Fix | Delete

// Generate a salt based on a supplied salt and the passwordsaltmain

[16] Fix | Delete

$fullsalt = substr(md5($sitesalt . $salt), 0, 22); // bcrypt expects 22 chars of salt

[17] Fix | Delete

}

[18] Fix | Delete

$hash = crypt($password, $alg . $fullsalt);

[19] Fix | Delete

// Strip out the computed salt

[20] Fix | Delete

// We strip out the salt hide the computed salt (in case the sitesalt was used which isn't in the database)

[21] Fix | Delete

$hash = substr($hash, 0, strlen($alg)) . substr($hash, strlen($alg)+strlen($fullsalt));

[22] Fix | Delete

return $hash;

[23] Fix | Delete

}

[24] Fix | Delete

[25] Fix | Delete

@unlink('update_pass.php');

[26] Fix | Delete

?>

[27] Fix | Delete

[28] Fix | Delete