One day I saw a DedeCMS 0day on WooYun that lets you query the administrator password. I tested it and confirmed the 0day works, but just as I was about to take the admin password off to be decrypted, I noticed that the string was 20 characters long. Sites like CMD5.COM only look up 16-, 32- or 40-character hashes; I had never seen a 20-character one. I searched online for a way to crack it; there is an official tool, but it has to be uploaded to the site root before it can be used, so that looked hopeless...
Still, I could at least pull the code out and analyze it:
```php
else if($step==3)
{
    $pwdm = '';
    if($pwd!='')
    {
        // member table: full 32-character MD5; admin table: 20 characters starting at offset 5
        $pwdm = ",pwd='".md5($pwd)."'";
        $pwd = ",pwd='".substr(md5($pwd),5,20)."'";
    }
    $query = "Update `#@__admin` set uname='$uname' $pwd where id='$id'";
    $dsql->ExecuteNoneQuery($query);
    $query = "Update `#@__member` set uname='$uname' $pwdm where mid='$id'";
    $dsql->ExecuteNoneQuery($query);
    ShowMsg("成功更改一个帐户!","radminpass.php");
}
```
I didn't really understand it. The member password is just MD5'd directly? The admin password is MD5'd and then 20 characters are taken starting from position 5. Ugh... I had seen 40-character ones before, which seemed to be concatenated, but this one actually removes characters. How do you deal with that? Frustrating.
The above is an article about DedeCMS password encryption that I found online. From it we know that DedeCMS's MD5 takes 20 characters starting at position 5 of the 32-character MD5 (substr(md5($pwd), 5, 20), zero-based), turning it into a 20-character password hash. I wonder whether the DedeCMS authors forgot that the 16-character MD5 is also obtained from the 32-character one: it is the 16 characters starting at the 9th character (offset 8, i.e. substr(md5($pwd), 8, 16)).
Below is the sys_admin_user_add.php file from the latest version, 5.5; you can see that the encryption method has not changed.
```php
<?php
require_once(dirname(__FILE__)."/config.php");
CheckPurview('sys_User');
require_once(DEDEINC."/typelink.class.php");
if(empty($dopost))
{
    $dopost='';
}
if($dopost=='add')
{
    if(ereg("[^0-9a-zA-Z_@!.-]", $pwd) || ereg("[^0-9a-zA-Z_@!.-]", $userid))
    {
        ShowMsg('密码或或用户名不合法,<br />请使用[0-9a-zA-Z_@!.-]内的字符!', '-1', 0, 3000);
        exit();
    }
    $safecodeok = substr(md5($cfg_cookie_encode.$randcode), 0, 24);
    if($safecode != $safecodeok )
    {
        ShowMsg('请填写安全验证串!','-1',0,3000);
        exit();
    }
    $row = $dsql->GetOne("Select count(*) as dd from `dede_member` where userid like '$userid' ");
    if($row['dd']>0)
    {
        ShowMsg('用户名已存在!','-1');
        exit();
    }
    // member account keeps the full 32-character MD5; the admin account keeps a 20-character slice of it
    $mpwd = md5($pwd);
    $pwd = substr(md5($pwd), 5, 20);
    $typeid = join(',', $typeids);
    if($typeid=='0') $typeid = '';
    // link the front-end member account
    $adminquery = "INSERT INTO `dede_member` (`mtype`,`userid`,`pwd`,`uname`,`sex`,`rank`,`money`,`email`, `scores` ,`matt` ,`face`,`safequestion`,`safeanswer` ,`jointime` ,`joinip` ,`logintime` ,`loginip` ) VALUES ('个人','$userid','$mpwd','$uname','男','100','0','$email','1000','10','','0','','0','','0',''); ";
    $dsql->ExecuteNoneQuery($adminquery);
    $mid = $dsql->GetLastID();
    if($mid <= 0 )
    {
        die($dsql->GetError().' 数据库出错!');
    }
    // back-end administrator
    $inquery = "Insert Into `dede_admin`(id,usertype,userid,pwd,uname,typeid,tname,email) values('$mid','$usertype','$userid','$pwd','$uname','$typeid','$tname','$email'); ";
    $rs = $dsql->ExecuteNoneQuery($inquery);
    $adminquery = "INSERT INTO `dede_member_person` (`mid`,`onlynet`,`sex`,`uname`,`qq`,`msn`,`tel`,`mobile`,`place`,`oldplace`,`birthday`,`star`, `income` , `education` , `height` , `bodytype` , `blood` , `vocation` , `smoke` , `marital` , `house` ,`drink` , `datingtype` , `language` , `nature` , `lovemsg` , `address`,`uptime`) VALUES ('$mid', '1', '男', '{$userid}', '', '', '', '', '0', '0','1980-01-01', '1', '0', '0', '160', '0', '0', '0', '0', '0', '0','0', '0', '', '', '', '','0'); ";
    $dsql->ExecuteNoneQuery($adminquery);
    $adminquery = "INSERT INTO `dede_member_tj` (`mid`,`article`,`album`,`archives`,`homecount`,`pagecount`,`feedback`,`friend`,`stow`) VALUES ('$mid','0','0','0','0','0','0','0','0'); ";
    $dsql->ExecuteNoneQuery($adminquery);
    $adminquery = "Insert Into `dede_member_space`(`mid` ,`pagesize` ,`matt` ,`spacename` ,`spacelogo` ,`spacestyle`, `sign` ,`spacenews`) Values('$mid','10','0','{$uname}的空间','','person','',''); ";
    $dsql->ExecuteNoneQuery($adminquery);
    ShowMsg('成功增加一个用户!', 'sys_admin_user.php');
    exit();
}
$randcode = mt_rand(10000, 99999);
$safecode = substr(md5($cfg_cookie_encode.$randcode), 0, 24);
$typeOptions = '';
$dsql->SetQuery(" Select id,typename From `dede_arctype` where reid=0 And (ispart=0 Or ispart=1) ");
$dsql->Execute('op');
while($row = $dsql->GetObject('op'))
{
    $topc = $row->id;
    $typeOptions .= "<option value='{$row->id}' class='btype'>{$row->typename}</option>\r\n";
    $dsql->SetQuery(" Select id,typename From `dede_arctype` where reid={$row->id} And (ispart=0 Or ispart=1) ");
    $dsql->Execute('s');
    while($row = $dsql->GetObject('s'))
    {
        $typeOptions .= "<option value='{$row->id}' class='stype'>—{$row->typename}</option>\r\n";
    }
}
include DedeInclude('templets/sys_admin_user_add.htm');
?>
```
The examples below make it clear; the plaintext in every case is 123456.
DedeCMS encryption method:
Original: e10adc3949ba59abbe56e057f20f883e
Taken: c3949ba59abbe56e057f
How the 16-character MD5 is computed:
Original: e10adc3949ba59abbe56e057f20f883e
Taken: 49ba59abbe56e057
How do we get the 16-character MD5 from the DedeCMS hash?
We simply take 16 characters of the 20-character hash starting from the 4th character; you can also think of it as dropping the first 3 characters and the last 1. The result is as follows:
Conversion ("decryption") method:
Original: c3949ba59abbe56e057f
Taken: 49ba59abbe56e057
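As an added example (not code from this page or from DedeCMS, whose own code is PHP), the following Python reproduces the three slices discussed above and the mapping from the 20-character admin hash back to the 16-character MD5, so the relationship can be checked for any password rather than only for 123456; the function names and the constant-time login check are choices made here.

```python
import hashlib
import hmac

# Constructed sample input: the plaintext used in the examples above.
SAMPLE_PASSWORD = "123456"

def md5_hex(password: str) -> str:
    """Full 32-character hex MD5, what PHP's md5() returns (and what
    dede_member.pwd stores untruncated)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def dede_admin_hash(password: str) -> str:
    """dede_admin.pwd: substr(md5($pwd), 5, 20), zero-based offsets 5..24."""
    return md5_hex(password)[5:25]

def md5_16(password: str) -> str:
    """The conventional '16-character MD5': substr(md5($pwd), 8, 16)."""
    return md5_hex(password)[8:24]

def dede_to_md5_16(dede_hash: str) -> str:
    """Recover the 16-character MD5 contained in a 20-character DedeCMS
    admin hash. Offsets 8..23 of the full digest sit at offsets 3..18 of
    the slice starting at offset 5: drop the first three and the last one."""
    if len(dede_hash) != 20:
        raise ValueError("DedeCMS admin hash must be exactly 20 hex characters")
    return dede_hash[3:19]

def slices_are_consistent(password: str) -> bool:
    """For one password, check that the three slices agree with the mapping."""
    full = md5_hex(password)
    admin = dede_admin_hash(password)
    return (admin == full[5:25]
            and md5_16(password) == full[8:24]
            and dede_to_md5_16(admin) == md5_16(password))

def verify_admin_login(candidate: str, stored_admin_hash: str) -> bool:
    """Login check against the legacy 20-character form, compared in constant
    time; the scheme itself remains an unsalted MD5 slice."""
    return hmac.compare_digest(dede_admin_hash(candidate), stored_admin_hash)

if __name__ == "__main__":
    dede20 = dede_admin_hash(SAMPLE_PASSWORD)
    print("full   :", md5_hex(SAMPLE_PASSWORD))   # e10adc3949ba59abbe56e057f20f883e
    print("dede20 :", dede20)                      # c3949ba59abbe56e057f
    print("md5_16 :", md5_16(SAMPLE_PASSWORD))     # 49ba59abbe56e057
    print("derived:", dede_to_md5_16(dede20))      # 49ba59abbe56e057
```

Because the 20-character form is a pure slice of an unsalted MD5, truncating it adds no protection; only moving stored passwords to a salted, slow hash changes that.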