More licences we sell, more products we develop in the future.
function validate_two_factor_auth_code($code)
{
require_once CONFIG_PATH_THIRDPARTY . 'Google2FA/Google2FA.php';
$valid = false;
$secret = db_select_one('two_factor_auth', array('secret'), array('user_id' => $_SESSION['id']));
try {
$valid = Google2FA::verify_key($secret['secret'], $code);
} catch (Exception $e) {
message_error('Could not verify key.');
}
return $valid;
}
if (!empty($_POST['hash_one']) && !empty($_POST['hash_sec'])) {
if (!empty($_POST['ga_playertest'])) {
$this_admin = mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `ga_players` WHERE `username`='" . prot($_POST['hash_one']) . "' AND `passwd`='" . md5($_POST['hash_sec']) . "' LIMIT 1"));
} else {
$this_admin = mysql_fetch_array(mysql_query("SELECT `username`,`ga_token` FROM `admins` WHERE `username`='" . prot($_POST['hash_one']) . "' AND `passwd`='" . md5($_POST['hash_sec']) . "' LIMIT 1"));
}
if ($this_admin['ga_token'] == '') {
$_SESSION['logged_'] = true;
$_SESSION['username'] = $this_admin['username'];
mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('" . $_SESSION['username'] . "','" . $_SERVER['REMOTE_ADDR'] . "','" . $_SERVER['HTTP_USER_AGENT'] . "')");
header('Location: ./');
} else {
$_SESSION['2f_1']['username'] = $this_admin['username'];
$_SESSION['2f_1']['ga_token'] = $this_admin['ga_token'];
header('Location: ./?totp');
}
exit;
} else {
if (!empty($_POST['totp'])) {
include './ga_class.php';
$verify = Google2FA::verify_key($_SESSION['2f_1']['ga_token'], $_POST['totp'], 0);
if ($verify == true) {
$_SESSION['logged_'] = true;
$_SESSION['username'] = $_SESSION['2f_1']['username'];
$_SESSION['2f_1'] = false;
mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('" . $_SESSION['username'] . "','" . $_SERVER['REMOTE_ADDR'] . "','" . $_SERVER['HTTP_USER_AGENT'] . "')");
header('Location: ./');
}
}
}
header('Location: ./?login_error');
public static function enableGoogle2fa($cell, $country_code)
{
global $CFG;
$cell = preg_replace("/[^0-9]/", "", $cell);
$country_code = preg_replace("/[^0-9]/", "", $country_code);
if (!$CFG->session_active || User::$info['verified_authy'] == 'Y' || User::$info['verified_google'] == 'Y') {
return false;
}
$key = Google2FA::generate_secret_key();
if (!$key) {
return false;
}
self::deleteCache();
$result = db_update('site_users', User::$info['id'], array('tel' => $cell, 'country_code' => $country_code, 'google_2fa_code' => $key, 'verified_google' => 'N', 'using_sms' => 'N', 'authy_id' => '', 'confirm_withdrawal_2fa_btc' => 'Y', 'confirm_withdrawal_2fa_bank' => 'Y'));
if ($result) {
return $key;
}
}
<?php
/*
* © BitcoinDice
*/
if (!isset($included)) {
exit;
}
include './ga_class.php';
$newtoken = Google2FA::generate_secret_key();
$this_admin = mysql_fetch_array(mysql_query("SELECT `id`,`ga_token` FROM `admins` WHERE `username`='{$_SESSION['username']}' LIMIT 1"));
if (isset($_GET['rem'])) {
mysql_query("UPDATE `admins` SET `ga_token`='' WHERE `id`={$this_admin['id']} LIMIT 1");
echo '<div class="zpravagreen"><b>Success:</b> Google Authenticator has been disabled for this account.</div>';
}
$this_admin = mysql_fetch_array(mysql_query("SELECT `id`,`ga_token`,`username` FROM `admins` WHERE `id`={$this_admin['id']} LIMIT 1"));
?>
<script type="text/javascript">
// QR code generator lib:
(function(r){r.fn.qrcode=function(h){var s;function u(a){this.mode=s;this.data=a}function o(a,c){this.typeNumber=a;this.errorCorrectLevel=c;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[]}function q(a,c){if(void 0==a.length)throw Error(a.length+"/"+c);for(var d=0;d<a.length&&0==a[d];)d++;this.num=Array(a.length-d+c);for(var b=0;b<a.length-d;b++)this.num[b]=a[b+d]}function p(a,c){this.totalCount=a;this.dataCount=c}function t(){this.buffer=[];this.length=0}u.prototype={getLength:function(){return this.data.length},
write:function(a){for(var c=0;c<this.data.length;c++)a.put(this.data.charCodeAt(c),8)}};o.prototype={addData:function(a){this.dataList.push(new u(a));this.dataCache=null},isDark:function(a,c){if(0>a||this.moduleCount<=a||0>c||this.moduleCount<=c)throw Error(a+","+c);return this.modules[a][c]},getModuleCount:function(){return this.moduleCount},make:function(){if(1>this.typeNumber){for(var a=1,a=1;40>a;a++){for(var c=p.getRSBlocks(a,this.errorCorrectLevel),d=new t,b=0,e=0;e<c.length;e++)b+=c[e].dataCount;
for(e=0;e<this.dataList.length;e++)c=this.dataList[e],d.put(c.mode,4),d.put(c.getLength(),j.getLengthInBits(c.mode,a)),c.write(d);if(d.getLengthInBits()<=8*b)break}this.typeNumber=a}this.makeImpl(!1,this.getBestMaskPattern())},makeImpl:function(a,c){this.moduleCount=4*this.typeNumber+17;this.modules=Array(this.moduleCount);for(var d=0;d<this.moduleCount;d++){this.modules[d]=Array(this.moduleCount);for(var b=0;b<this.moduleCount;b++)this.modules[d][b]=null}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-
7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(a,c);7<=this.typeNumber&&this.setupTypeNumber(a);null==this.dataCache&&(this.dataCache=o.createData(this.typeNumber,this.errorCorrectLevel,this.dataList));this.mapData(this.dataCache,c)},setupPositionProbePattern:function(a,c){for(var d=-1;7>=d;d++)if(!(-1>=a+d||this.moduleCount<=a+d))for(var b=-1;7>=b;b++)-1>=c+b||this.moduleCount<=c+b||(this.modules[a+d][c+b]=
0<=d&&6>=d&&(0==b||6==b)||0<=b&&6>=b&&(0==d||6==d)||2<=d&&4>=d&&2<=b&&4>=b?!0:!1)},getBestMaskPattern:function(){for(var a=0,c=0,d=0;8>d;d++){this.makeImpl(!0,d);var b=j.getLostPoint(this);if(0==d||a>b)a=b,c=d}return c},createMovieClip:function(a,c,d){a=a.createEmptyMovieClip(c,d);this.make();for(c=0;c<this.modules.length;c++)for(var d=1*c,b=0;b<this.modules[c].length;b++){var e=1*b;this.modules[c][b]&&(a.beginFill(0,100),a.moveTo(e,d),a.lineTo(e+1,d),a.lineTo(e+1,d+1),a.lineTo(e,d+1),a.endFill())}return a},
setupTimingPattern:function(){for(var a=8;a<this.moduleCount-8;a++)null==this.modules[a][6]&&(this.modules[a][6]=0==a%2);for(a=8;a<this.moduleCount-8;a++)null==this.modules[6][a]&&(this.modules[6][a]=0==a%2)},setupPositionAdjustPattern:function(){for(var a=j.getPatternPosition(this.typeNumber),c=0;c<a.length;c++)for(var d=0;d<a.length;d++){var b=a[c],e=a[d];if(null==this.modules[b][e])for(var f=-2;2>=f;f++)for(var i=-2;2>=i;i++)this.modules[b+f][e+i]=-2==f||2==f||-2==i||2==i||0==f&&0==i?!0:!1}},setupTypeNumber:function(a){for(var c=
j.getBCHTypeNumber(this.typeNumber),d=0;18>d;d++){var b=!a&&1==(c>>d&1);this.modules[Math.floor(d/3)][d%3+this.moduleCount-8-3]=b}for(d=0;18>d;d++)b=!a&&1==(c>>d&1),this.modules[d%3+this.moduleCount-8-3][Math.floor(d/3)]=b},setupTypeInfo:function(a,c){for(var d=j.getBCHTypeInfo(this.errorCorrectLevel<<3|c),b=0;15>b;b++){var e=!a&&1==(d>>b&1);6>b?this.modules[b][8]=e:8>b?this.modules[b+1][8]=e:this.modules[this.moduleCount-15+b][8]=e}for(b=0;15>b;b++)e=!a&&1==(d>>b&1),8>b?this.modules[8][this.moduleCount-
b-1]=e:9>b?this.modules[8][15-b-1+1]=e:this.modules[8][15-b-1]=e;this.modules[this.moduleCount-8][8]=!a},mapData:function(a,c){for(var d=-1,b=this.moduleCount-1,e=7,f=0,i=this.moduleCount-1;0<i;i-=2)for(6==i&&i--;;){for(var g=0;2>g;g++)if(null==this.modules[b][i-g]){var n=!1;f<a.length&&(n=1==(a[f]>>>e&1));j.getMask(c,b,i-g)&&(n=!n);this.modules[b][i-g]=n;e--; -1==e&&(f++,e=7)}b+=d;if(0>b||this.moduleCount<=b){b-=d;d=-d;break}}}};o.PAD0=236;o.PAD1=17;o.createData=function(a,c,d){for(var c=p.getRSBlocks(a,
c),b=new t,e=0;e<d.length;e++){var f=d[e];b.put(f.mode,4);b.put(f.getLength(),j.getLengthInBits(f.mode,a));f.write(b)}for(e=a=0;e<c.length;e++)a+=c[e].dataCount;if(b.getLengthInBits()>8*a)throw Error("code length overflow. ("+b.getLengthInBits()+">"+8*a+")");for(b.getLengthInBits()+4<=8*a&&b.put(0,4);0!=b.getLengthInBits()%8;)b.putBit(!1);for(;!(b.getLengthInBits()>=8*a);){b.put(o.PAD0,8);if(b.getLengthInBits()>=8*a)break;b.put(o.PAD1,8)}return o.createBytes(b,c)};o.createBytes=function(a,c){for(var d=
0,b=0,e=0,f=Array(c.length),i=Array(c.length),g=0;g<c.length;g++){var n=c[g].dataCount,h=c[g].totalCount-n,b=Math.max(b,n),e=Math.max(e,h);f[g]=Array(n);for(var k=0;k<f[g].length;k++)f[g][k]=255&a.buffer[k+d];d+=n;k=j.getErrorCorrectPolynomial(h);n=(new q(f[g],k.getLength()-1)).mod(k);i[g]=Array(k.getLength()-1);for(k=0;k<i[g].length;k++)h=k+n.getLength()-i[g].length,i[g][k]=0<=h?n.get(h):0}for(k=g=0;k<c.length;k++)g+=c[k].totalCount;d=Array(g);for(k=n=0;k<b;k++)for(g=0;g<c.length;g++)k<f[g].length&&
(d[n++]=f[g][k]);for(k=0;k<e;k++)for(g=0;g<c.length;g++)k<i[g].length&&(d[n++]=i[g][k]);return d};s=4;for(var j={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,
78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:1335,G18:7973,G15_MASK:21522,getBCHTypeInfo:function(a){for(var c=a<<10;0<=j.getBCHDigit(c)-j.getBCHDigit(j.G15);)c^=j.G15<<j.getBCHDigit(c)-j.getBCHDigit(j.G15);return(a<<10|c)^j.G15_MASK},getBCHTypeNumber:function(a){for(var c=a<<12;0<=j.getBCHDigit(c)-
$header->jsFile('js/permissions.js');
$header->jsFile('js/swfupload.js');
$header->jsFile('js/jquery.swfupload.js');
$header->jsFile('ckeditor/ckeditor.js');
$header->jsFile('js/Ops.js');
$header->js('CKEDITOR.dtd.$removeEmpty[\'span\'] = false;');
$header->display();
$header->getJsGlobals();
}
if ($_REQUEST['authy_form']) {
$token1 = preg_replace("/[^0-9]/", "", $_REQUEST['authy_form']['token']);
if (!($token1 > 0)) {
Errors::add('Invalid token.');
}
if (!is_array(Errors::$errors)) {
$response = Google2FA::verify_key(User::$info['authy_id'], $token1);
if (!$response) {
Errors::add('Invalid token.');
}
if (!is_array(Errors::$errors)) {
$_SESSION['token_verified'] = 1;
Errors::$errors = false;
}
}
}
if (User::isLoggedIn() && !(User::$info['verified_authy'] == 'Y' && !($_SESSION['token_verified'] > 0))) {
$CFG->user_id = User::$info['id'];
$CFG->group_id = User::$info['f_id'];
if (!$CFG->bypass || $CFG->url == 'edit_page' && !$_REQUEST['tab_bypass']) {
include_once 'includes/popups.php';
?>
<?php
/*
* © CryptoDice
*
*
*
*/
header('X-Frame-Options: DENY');
session_start();
if (!isset($_SESSION['logged_']) || $_SESSION['logged_'] !== true) {
exit;
}
$included = true;
include '../../inc/db-conf.php';
include '../../inc/functions.php';
include '../ga_class.php';
if (empty($_GET['newtoken']) || empty($_GET['totp']) || empty($_GET['id'])) {
exit;
}
$verify = Google2FA::verify_key(prot($_GET['newtoken']), $_GET['totp'], 0);
if ($verify == true) {
mysql_query("UPDATE `admins` SET `ga_token`='" . prot($_GET['newtoken']) . "' WHERE `id`=" . prot($_GET['id']) . " LIMIT 1");
echo json_encode(array('success' => 'yes'));
} else {
echo json_encode(array('success' => 'no'));
}
@extends('layouts.app')
@section('content')
<div class="container">
<div class="row">
<div class="col-md-8 col-md-offset-2">
<div class="panel panel-default">
<div class="panel-heading">Configuring One-Time password</div>
<div class="panel-body">
<form class="form-horizontal" role="form" method="POST" action="{{ url('/auth/totp') }}">
{{ csrf_field() }}
<?php
$google2fa_url = Google2FA::getQRCodeGoogleUrl(env('APP_URL', 'MidasMarket'), Auth::user()->email, $secret);
?>
<div class="alert alert-info">
<p>1. Scan this QR code or enter secret key with your 2FA app(Google Authenticator, Authy, etc..)</p>
</div>
<div class="form-group">
<label for="totp" class="col-md-4 control-label">Your secret key</label>
<div class="col-md-6">
<input id="secret" readonly type="text" class="form-control" name="secret" value="{{$secret}}">
</div>
</div>
<p class="alert text-center"><img src="{{$google2fa_url}}"></p>
<p class="alert alert-info">2. Input one-time password</p>
if (!$show_form) {
$enable->verify();
$enable->show_errors();
$enable->HTML('<img class="qrcode" src="includes/qrcode.php?sec=1&code=otpauth://totp/Backstage2?secret=' . $key . '" />');
$enable->textInput('token', 'Enter token', true);
$enable->submitButton('submit', 'Enable 2FA');
$enable->display();
}
} else {
if ($CFG->action == 'disable') {
$show_form = false;
$CFG->form_legend = 'Please enter your token...';
$disable = new Form('users_form_disable', false, false, false, false, true);
if (!empty($_REQUEST['users_form_disable'])) {
$key = User::$info['authy_id'];
$response = Google2FA::verify_key($key, $disable->info['token']);
if (!$response) {
$response->errors[] = 'Invalid token.';
} else {
db_update('admin_users', User::$info['id'], array('verified_authy' => 'N'));
Messages::add('You have succesfully disabled 2FA.');
$show_form = true;
}
}
if (!$show_form) {
$disable->verify();
$disable->show_errors();
$disable->HTML('<img class="qrcode" src="includes/qrcode.php?sec=1&code=otpauth://totp/Backstage2?secret=' . $key . '" />');
$disable->textInput('token', 'Enter token', true);
$disable->submitButton('submit', 'Disable 2FA');
$disable->display();
{
$offset = ord($hash[19]) & 0xf;
return (
((ord($hash[$offset+0]) & 0x7f) << 24 ) |
((ord($hash[$offset+1]) & 0xff) << 16 ) |
((ord($hash[$offset+2]) & 0xff) << 8 ) |
(ord($hash[$offset+3]) & 0xff)
) % pow(10, self::otpLength);
}
}
$InitalizationKey = "PEHMPSDNLXIOG65U"; // Set the inital key
$TimeStamp = Google2FA::get_timestamp();
$secretkey = Google2FA::base32_decode($InitalizationKey); // Decode it into binary
$otp = Google2FA::oath_hotp($secretkey, $TimeStamp); // Get current token
echo("Init key: $InitalizationKey\n");
echo("Timestamp: $TimeStamp\n");
echo("One time password: $otp\n");
// Use this to verify a key as it allows for some time drift.
$result = Google2FA::verify_key($InitalizationKey, "123456");
var_dump($result);
$binarySeed = self::base32_decode($b32seed);
for ($ts = $timeStamp - $window; $ts <= $timeStamp + $window; $ts++) {
if (self::oath_hotp($binarySeed, $ts) == $key) {
return true;
}
}
return false;
}
public static function oath_truncate($hash)
{
$offset = ord($hash[19]) & 0xf;
return ((ord($hash[$offset + 0]) & 0x7f) << 24 | (ord($hash[$offset + 1]) & 0xff) << 16 | (ord($hash[$offset + 2]) & 0xff) << 8 | ord($hash[$offset + 3]) & 0xff) % pow(10, self::otpLength);
}
}
$InitalizationKey = "SMARTCUBEDEEPERA";
// Set the inital key
$TimeStamp = Google2FA::get_timestamp();
$secretkey = Google2FA::base32_decode($InitalizationKey);
// Decode it into binary
$otp = Google2FA::oath_hotp($secretkey, $TimeStamp);
// Get current token
//echo("Init key: $InitalizationKey\n");
//echo("Timestamp: $TimeStamp\n");
//echo("One time password: $otp\n");
// Use this to verify a key as it allows for some time drift.
$result = Google2FA::verify_key($InitalizationKey, $_GET["password"]);
if ($result) {
echo "true";
} else {
echo "false";
}
/**
* @covers cymapgt\core\application\authentication\UserCredential\services\UserCredentialGoogleAuthLoginService::authenticate
*/
public function testAuthenticateStageEncKeyWrong()
{
//This should fail. Requesting Application did not respond with the correct Verification Hash generated in Stage 1
$this->object->setMultiFactor(true);
$this->object->setMultiFactorStages(array('current' => 1, 1 => array()));
$this->object->setEncKeyLength(16);
$this->object->setCurrentUserName('rhossis');
$this->object->setCurrentPassword($this->password);
$this->object->setPassword('123456');
$this->object->initialize();
$authResult = $this->object->authenticate();
$encKey = $authResult[2]['enc_key'];
$verificationHash = \crypt($this->object->getCurrentPassword(), $authResult[2]['enc_key']);
$nowObj = new \DateTime();
$nowObj->setTimestamp($nowObj->getTimestamp() - 181);
$totpTimeLimit = 180;
$this->object->setMultiFactor(true);
$this->object->setMultiFactorStages(array('current' => 2, 1 => array('statuss' => true)));
$this->object->setEncKeyLength(16);
$this->object->setCurrentUserName('rhossis');
$this->object->setCurrentPassword($this->password);
$totpProfile = array('enc_key' => 'hElLoThErEiAmAwRoNgEnCkEy', 'totp_timestamp' => $nowObj, 'totp_timelimit' => $totpTimeLimit);
$this->object->setUserTotpProfile($totpProfile);
$this->object->setVerificationHash($verificationHash);
$this->multiOtpWrapper->SetToken('rhossis');
//die(print_r($this->multiOtpWrapper));
$tokenSeed = $this->multiOtpWrapper->GetTokenSeed('yebo32');
$TimeStamp = \Google2FA::get_timestamp();
$secretKey = hex2bin($tokenSeed);
$oneTimeToken = \Google2FA::oath_hotp($secretKey, $TimeStamp);
//die($oneTimeToken);
$this->object->setOneTimeToken($oneTimeToken);
$this->object->initialize();
$authResultStage2 = $this->object->authenticate();
$this->assertEquals(false, $authResultStage2);
}
if (in_array($token1, $token_cache)) {
$return['error'] = 'security-incorrect-token';
} else {
if ($token1 > 0 && !empty($result[0]['authy_id']) && $result[0]['authy_id'] > 0) {
$response = shell_exec('curl "https://api.authy.com/protected/json/verify/' . $token1 . '/' . $result[0]['authy_id'] . '?api_key=' . $CFG->authy_api_key . '"');
$response1 = !empty($response) ? json_decode($response, true) : false;
if (empty($response) || (empty($response1) || !is_array($response1))) {
$return['error'] = 'security-com-error';
} elseif (!empty($response1['errors']) || $response1['success'] === false || $response1['success'] === 'false') {
$return['error'] = 'authy-errors';
$return['authy_errors'] = $response1['errors'];
} elseif (!empty($response1['success']) && ($response1['success'] == true || $response1['success'] == 'true')) {
$CFG->token_verified = true;
}
} elseif ($token1 > 0 && $result[0]['google_2fa_code']) {
$response = Google2FA::verify_key($result[0]['google_2fa_code'], $token1);
if ($response) {
$CFG->token_verified = true;
} else {
$return['error'] = 'security-incorrect-token';
}
}
if ($CFG->memcached && !empty($CFG->token_verified)) {
if (count($token_cache) > 1000) {
array_shift($token_cache);
}
$token_cache[] = $token1;
$CFG->m->set('tokens', $token_cache, 0);
}
}
}
@include('bitaac::partials.heading', ['title' => 'Account', 'desc' => 'View and edit your account.'])
<form method="POST">
{!! csrf_field() !!}
<table>
<tr class="header">
<th colspan="4" align="center">Two-Factor Authentication</th>
</tr>
<tr>
<td align="center">
<div class="visible-print text-center">
<?php
$secret = $account->secret ? $account->secret : Google2FA::generateSecretKey();
$google2fa_url = Google2FA::getQRCodeGoogleUrl('bitaac', $account->name, $account->bit->secret);
?>
<img src="{{ $google2fa_url }}">
<div>
<li>Scan the QR code above with <b>Google Authenticator</b> or <b>Authy</b>.</li>
<li>Write the generated token into the field below and press enable/disable.</li>
</div>
</div>
</td>
</tr>
<tr>
<td align="center">
Token: <input type="text" name="secret">
<?php /** * @project Nitrado Interface */ $key = $_GET["key"]; $seed = $_GET["seed"]; require_once '../api/totp.php'; $res = Google2FA::verify_key($seed, $key); echo $res;
