
Script that posts to the forums, help with the password hash

Started by Xulan, June 02, 2006, 12:16:03 AM

Xulan

I have a perl script that used to post to phpbb forums, and it was rather easy.  It just logs in when needed and then saves the cookie info.  Then it could post anytime it needed after loading and sending the cookie with the posted form information and saving it again afterwards.  Very simple.

I'm having a rather difficult time doing the same thing with smf.  I see what needs to be sent to the forum to make for a valid login, however, I'm having trouble sending the right password hash.  I'm not a JS person.  Now, I can see the hash in the db, and I can match that via sha1 functions, but I also know there is some variable which changes the hash that needs to be sent from the script/browser, I'm guessing from the seed.  I noticed it changes (what is being sent from the browser to the smf login script).  I also see the page is running a js named sha1.js which does something to the hash I believe.

I know the base hash is user + pass and then running that through the sha1 js, and using some variable for a seed of some kind, it comes out with what is actually sent on the hash_passwrd form input item.

What I don't know is where the exact seed is... I see something that looks like a seed on the main page, but on the login page itself it does not exist:  onsubmit="hashLoginPassword(this, '4f728bb619870f97be3365408eab3079')

If anyone can help me I would appreciate it very much as would the group of people who are waiting on me =)

To sum it up, I need to be able to send the correct hash_passwrd in the login form to the login part of the script.  I know the following:

   "user" => "username",
   "passwrd" => "",
   "cookieneverexp" => "on",
   "hash_passwrd" => $password

I just need to know how to construct the password correctly.  I have various sha1 routines at my disposal, I just need to know where to find the variable that changes the hash that needs to be sent and how it is supposed to be constructed.

Thanks =)





Xulan

Even my JS-less mind was able to dig through and find this in the script.js file:

       doForm.hash_passwrd.value = hex_sha1(hex_sha1(doForm.user.value.toLowerCase() + doForm.passwrd.value) + cur_session_id);


Going to give that a whirl =)

Xulan

#2
Ok, I got it to work.  Here's how for anyone else who may want to do this (you'll need to know how to do some things already via perl, php, js, etc):

1. Request the main page.  Get the cookie info and save it.  Find the following line in the returned main page:

onsubmit="hashLoginPassword(this, '4f728bb619870f97be3365408eab3079')

2. Extract that number.  That is your "sessionid", not the thing that says PHPSESSID=.

3. Combine the user + password into a single string.  We'll call this $userpass.

4. Do a hex sha1 hash of $userpass.  We'll call that $userpasshash.

5. Combine the $userpasshash + sessionid into a single string.  We'll call this $userpasssessionidhash.

6. Do a hex sha1 hash of $userpasssessionidhash.

That is your hash_passwrd that you need to send in your form along with the rest of the form (user, passwd="", and cookielength) along with the cookie info from the original request as a cookie entry in the http request header.

After you login via this method, you will stay logged in until you clear the cookie file, (or until you request a logout as if you clicked the logout button, but it's easier really just to clear the cookie file).
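The procedure above, as an added example that is not part of the original thread and not SMF's own code.  It reproduces the client-side hashLoginPassword() quoted from script.js earlier in the thread (hex_sha1(hex_sha1(user.toLowerCase() + passwrd) + cur_session_id)), pulls the session id out of the onsubmit attribute with a regular expression, and assembles the login form fields.  The page fragment and the username/password are constructed sample input; the function and variable names are this example's own.  It assumes an SMF 1.x forum behaving as the thread describes, and ASCII usernames and passwords, so that Python's lower() and UTF-8 encoding agree with the browser's toLowerCase() and sha1.js.

```python
"""Reproduce SMF's client-side hashLoginPassword() for a scripted login.

Added example, not code from the thread or from SMF.  Assumed behaviour
(taken from the script.js line quoted in the thread):

    hash_passwrd = hex_sha1(hex_sha1(user.toLowerCase() + passwrd) + cur_session_id)

where cur_session_id is the second argument of hashLoginPassword() in the
login form's onsubmit attribute, NOT the value of the PHPSESSID cookie.
"""
import hashlib
import re

# Constructed sample: a fragment of a main page as the thread describes it.
SAMPLE_PAGE = """
<form action="index.php?action=login2" method="post"
      onsubmit="hashLoginPassword(this, '4f728bb619870f97be3365408eab3079')">
"""

# The session id is a 32-character lowercase hex string in the onsubmit handler.
SESSION_RE = re.compile(r"hashLoginPassword\(this,\s*'([0-9a-f]{32})'\)")


def sha1_hex(s: str) -> str:
    """Hex SHA-1 of a string; mirrors hex_sha1() from sha1.js (ASCII assumed)."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def extract_session_id(html: str) -> str:
    """Return the session id from the page, or fail loudly if it is absent."""
    m = SESSION_RE.search(html)
    if not m:
        raise ValueError("no hashLoginPassword() call found; session id missing")
    return m.group(1)


def hash_login_password(user: str, password: str, session_id: str) -> str:
    """Compute hash_passwrd exactly as the browser-side JS does."""
    # script.js lowercases the username before the inner hash.
    inner = sha1_hex(user.lower() + password)
    # The outer hash covers the inner HEX digest (a 40-char string), then the session id.
    return sha1_hex(inner + session_id)


def build_login_form(user: str, password: str, html: str) -> dict:
    """Assemble the POST fields for index.php?action=login2.

    The session id must come from the same response whose cookie you send
    with the login request, since it changes from session to session.
    """
    session_id = extract_session_id(html)
    return {
        "user": user,
        "passwrd": "",  # the cleartext field is sent empty, as the JS leaves it
        "cookieneverexp": "on",
        "hash_passwrd": hash_login_password(user, password, session_id),
    }


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    form = build_login_form("Alice", "correct horse", SAMPLE_PAGE)
    for field, value in form.items():
        print(f"{field}={value}")
```

Send the resulting dictionary as the POST body together with the cookie received when fetching the main page; if the login fails, the first things to check are that the username was lowercased before the inner hash and that the id came from the onsubmit attribute rather than from PHPSESSID.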
