MTGandP

Members
  • Content count

    1
  • Joined

  • Last visited

Community Reputation

0 Neutral

About MTGandP

  • Rank
    the 0ne

Profile Information

  • Gender
    Male
  1. Preface: I know very little about hacking (although I know a good deal about cryptography). I got a ways farther than some other people here did, but I still need some help. I looked at the page source, and it pretty clearly uses MD5. I looked around in the source code, and found something interesting. The below function is important: function doAdminLogin(form) { //deleteCookie("psaid"); var pw = form.password.value; var i = pw.indexOf(";"); if (i < 0) { form.username.value = pw; form.password.value = ""; } else { form.username.value = pw.substring(0,i); var pw2 = pw.substring(i+1); // Get the password and preserve the case pw = pw.substring(i+1).toLowerCase(); form.password.value = hex_hmac_md5(pskey, pw); if (form.ldappassword!=null) { // LDAP is enabled, so send the clear-text password // Customers should have SSL enabled if they are using LDAP form.ldappassword.value = pw2; // Send the pw, preserving the case for LDAP } } return true; } It looks like the page only submits if this function returns true. But it looks to me like it never returns anything BUT true, so how is it possible for a password submission to fail? How can I get my hands on the message digest? I would think that it wouldn't be too hard, since the secure part should be the hash function. But I can't find the MD anywhere, and I don't know how to access the Javascript code while it's running. Is there any way to? If so, I would much appreciate some help. I hope this info was helpful, and I also hope that someone can get further than I did. Edit: FYI, I have a 4.0. I'm not trying to change my grade. I just noticed the other day that I could see the password key on PowerSchool and decided to try and hack it. Please do not tell me to study.