Using hash instead of pwd (David's code)

[mstuebner]

Hello again,

motivated by another thread in this forum I tried again to use the hash instead of the password and used the code David gave:

Code:

$fp = fsockopen("ssl://" . $Server, 2087, $errno, $errstr, 30);

# Die on error initializing socket
if ($errno == 0 && $fp == FALSE) { die("Socket Error: Could not initialize socket.");
} elseif ($fp == FALSE) { die("Socket Error #" . $errno . ": " . $errstr); }

# Assemble the header to send
$header = "";
$header .= "GET " . $apiPath . " HTTP/1.0\r\n";
$header .= "Host: " . $Server . "\r\n";
$header .= "Authorization: WHM " . $hash . "\r\n";
$header .= "Connection: close\r\n";
$header .= "\r\n";

# Send the Header
fputs($fp, $header);

# Get the raw output from the server
$rawResult = "";
while (!feof($fp)) {
$rawResult .= @fgets($fp, 128); // Suppress errors with @
}
		
# Close the socket
fclose($fp);

I tried both options:

1. the hash in the format it is given in WHM
2. the hash in ONE LONG line

Both returns me a login page instead of executing the requested API function. So meanwhile I stepped back to use usr/pwd, but I think in that way it is not really usable for the public.

Any other idea, or did someone used the hash-way successfully?

br Matthias

[dom974]

Hi,

Same result here, I get the login page. Does anyone have an idea ?

Dominique

[cPanelDavidG]

Okay, so it wasn't just my test server being all weird on me.

I tried dumping the key to a file (to save time editing) and reading from that. However, WHM seems to only detect the first line of the hash if you leave newline characters in (judging by brute force information).

I just took Nick's code and translated it to PHP. Unless Perl does something bizarre under the hood with headers, I don't understand why the code wouldn't work. The key issue is the Authorization: WHM as you can replace that with Authorization: Basic with a user/pass and it'll work just fine.

[rapidot]

I can't get mine to work for the life of me either. I've outputed the $hash, and it looks fine doesn't look like php does anything terrible to it.

Perhaps cPanel developers can create a working sample PHP login script w/ $hash for us to use?

[mstuebner]

Perhaps cPanel developers can create a working sample PHP login script w/ $hash for us to use?

Even that I'm not one of them, here comes the code that finally works with hash:

REMARK: The below is NOT my style of programming, but I had to copy all in one function to make it "stand-alone".

PHP Code:

    function sendRequestCurl() {

        $accesshash = '2ef4c87d56b85a666dd10612b10065a8
9a3ef8ce4c95e488e4d111ed9710ce97
901ec100595dee38e71bb616e66ba649
05a9ad371df0f8c69aa42c8c2a1b9737
----    some parts cut out ------------
d0afb3baee2e9a7a22cf96b5c8cac90d
bc60a6089de5f49bbf31aac3f32ae9b6
3a8c55146a64a5762e0cc1ae4036ce7a';

        $admin = "root";
        $request = "/xml-api/listaccts?searchtype=user&search=";

        $cleanaccesshash = preg_replace("'(\r|\n)'","",$accesshash);
        $authstr = $admin . ":" . $cleanaccesshash;

        $rurl = "https://ns.domain.net:2087" . $request;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,0);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0);
        curl_setopt($ch, CURLOPT_URL, $rurl);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        
        $curlheaders[0] = "Authorization: WHM $authstr";
        curl_setopt($ch,CURLOPT_HTTPHEADER,$curlheaders);
        
        $data=curl_exec ($ch);

        curl_close ($ch);
        if(!empty($data)) return(simplexml_load_string($data)); else return;
    } 


I hope it helps, I like to return something for the help I got.

[cPanelDavidG]

Even that I'm not one of them, here comes the code that finally works with hash:

REMARK: The below is NOT my style of programming, but I had to copy all in one function to make it "stand-alone".

PHP Code:

    function sendRequestCurl() {

        $accesshash = '2ef4c87d56b85a666dd10612b10065a8
9a3ef8ce4c95e488e4d111ed9710ce97
901ec100595dee38e71bb616e66ba649
05a9ad371df0f8c69aa42c8c2a1b9737
----    some parts cut out ------------
d0afb3baee2e9a7a22cf96b5c8cac90d
bc60a6089de5f49bbf31aac3f32ae9b6
3a8c55146a64a5762e0cc1ae4036ce7a';

        $admin = "root";
        $request = "/xml-api/listaccts?searchtype=user&search=";

        $cleanaccesshash = preg_replace("'(\r|\n)'","",$accesshash);
        $authstr = $admin . ":" . $cleanaccesshash;

        $rurl = "https://ns.domain.net:2087" . $request;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,0);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0);
        curl_setopt($ch, CURLOPT_URL, $rurl);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        
        $curlheaders[0] = "Authorization: WHM $authstr";
        curl_setopt($ch,CURLOPT_HTTPHEADER,$curlheaders);
        
        $data=curl_exec ($ch);

        curl_close ($ch);
        if(!empty($data)) return(simplexml_load_string($data)); else return;
    } 


I hope it helps, I like to return something for the help I got.

Thanks, such a silly mistake on my part. Here's a revised version of my code:

PHP Code:

// $hash = your hash (not needed if using password authentication)
// $user = username for the reseller accompanying that hash
// $pass = password for that reseller (not needed if using hash authentication)
// $theServer = your server's hostname or IP

# What is the path to the API function you wish to use?
$apiPath = "/xml-api/gethostname";

// NOTE:
//    THIS CODE WILL ONLY WORK IF YOU HAVE ENABLED
//    OPENSSL IN PHP.  YOU CAN DO THIS BY GOING TO WHM
//    AND IN THE SOFTWARE SECTION, CLICK ON APACHE UPDATE
//    THEN LOAD PREVIOUS CONFIG AND THEN CHECK THE BOX
//    NEXT TO OPENSSL TO ENABLE SSL SUPPORT
//
// Of course, you could always go with http:// and 2086, but why?

# Make hash into one long string, in case it isn't already
$hash = str_replace("\n","",$hash); // Note \r is not part of the newline indicator on *nix systems.

# Open a socket for HTTPS
$fp = fsockopen("ssl://" . $theServer, 2087, $errno, $errstr, 30);

# Uncomment to use unsecure HTTP instead
//$fp = fsockopen($theServer, 2086, $errno, $errstr, 30);

# Die on error initializing socket
if ($errno == 0 && $fp == FALSE) {
 die("Socket Error: Could not initialize socket.");
} elseif ($fp == FALSE) {
 die("Socket Error #" . $errno . ": " . $errstr);
}

# Assemble the header to send
$header = "";
$header .= "GET " . $apiPath . " HTTP/1.0\r\n";
$header .= "Host: " . $theServer . "\r\n";
$header .= "Connection: Close\r\n";
$header .= "Authorization: WHM " . $user . ":" . $hash . "\r\n";
# Comment above line and uncomment below line to use password authentication in place of hash authentication
//$header .= "Authorization: Basic " . base64_encode($user . ":" . $pass) . "\r\n";
$header .= "\r\n";

# Send the Header
fputs($fp, $header);

# Get the raw output from the server
$rawResult = "";
while (!feof($fp)) {
 $rawResult .= @fgets($fp, 128); // Suppress errors with @
}

# Close the socket
fclose($fp);

# Ignore headers
$rawResultParts = explode("\r\n\r\n",$rawResult);
$result = $rawResultParts[1];

# Output XML
echo $result; 


Keep in mind this code is merely an example to assist you in learning how to use the API.

[webignition]

I was just reading this thread out of curiosity and can suggest a slight improvement to David's last code posting.

The line:

Code:

$hash = str_replace("\n","",$hash);

could be changed to

Code:

$hash = str_replace(array("\r", "\n"),"",$hash);

This will get rid of any carriage return as well as new line characters - you can never tell how or when a user will sneak a carriage return in where it's otherwise not expected!

[dom974]

Keep in mind this code is merely an example to assist you in learning how to use the API.

Hi David,

Could you tell me if it's possible to have a time out set when accessing xml data via php's function FILE_GET_CONTENTS() ?

It seems sometimes, the functions get timed out trying to read the xml stream (especially when other people are connected at WHM/CPANEL at the same time). This could be useful !

Thank you,

Dominique

[cPanelDavidG]

Hi David,

Could you tell me if it's possible to have a time out set when accessing xml data via php's function FILE_GET_CONTENTS() ?

It seems sometimes, the functions get timed out trying to read the xml stream (especially when other people are connected at WHM/CPANEL at the same time). This could be useful !

Thank you,

Dominique

I believe the default timeout for PHP is 300 seconds (5 minutes). IIRC, this can be changed in php.ini - the php.ini file for cpsrvd (cPanel/WHM itself) is located at:

Code:

/usr/local/cpanel/3rdparty/etc/php.ini

The timeout should govern file_get_contents() but that's not a guarantee .

[dom974]

I believe the default timeout for PHP is 300 seconds (5 minutes). IIRC, this can be changed in php.ini - the php.ini file for cpsrvd (cPanel/WHM itself) is located at:

Code:

/usr/local/cpanel/3rdparty/etc/php.ini

The timeout should govern file_get_contents() but that's not a guarantee .

Well, I don't think changing php.ini setting is a good thing, 5 minutes is ok for most of the php scripts.
But in this special case, we want to decrease it at a very low number. I tought one of you could have the answer

I'm surprised nobody else raised this question, or maybe the xml-api has not been heavily used yet ...

dominique