DEDECMS administrator password cracking method summary

Source: Internet
Author: User
Tags md5 mixed php file administrator password

I just took over a customer's enterprise website built with DedeCMS (Zhimeng). The administrator password cannot be found. Fortunately, the FTP password is available, and dede's MySQL password configuration file, common.inc.php, gives MySQL access.
The pwd column in the admin table reads: c3949ba59abbe56e057f. I was stumped. What encryption method is this? I have seen mixed encryption, but the end result is usually MD5, which should be 16 or 32 digits. What is this? 20 digits...

A quick Baidu search on the password encryption method for the DedeCMS (Weaver dream) administrator found that the people who wanted this method were lost. Generally, other systems mix extra strings into the password and then apply MD5. And DedeCMS? It applies MD5 directly and then takes the 20 characters starting from the fifth digit of the 32 characters. Statistically, those 20 characters are indeed enough to check for the correct password.

Then I thought, that can't be right. Isn't the well-known 16-digit MD5 also extracted from the 32-digit value? That is, 16 digits taken starting from the ninth digit, which fall exactly within those 20 characters.

For example, suppose the original password is 123456.
Its 32-digit MD5 is: e10adc3949ba59abbe56e057f20f883e
The DedeCMS value is: c3949ba59abbe56e057f
The 16-digit MD5 is: 49ba59abbe56e057
That is to say, taking 16 digits starting from the fourth digit of the DedeCMS password value gives the 16-digit MD5 of the password: from c3949ba59abbe56e057f you get 49ba59abbe56e057.
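The relationship described above, worked through as an added example (not code from the original page or from DedeCMS). The function names and the sample rows are assumptions constructed for illustration; only the `substr(md5($pwd), 5, 20)` rule and the 123456 values come from the page.

```python
import hashlib
import hmac
from collections import defaultdict

HEX = set("0123456789abcdef")

def classify(stored: str) -> str:
    """Name the storage format from the length of the hex string."""
    s = stored.strip().lower()
    if not s or not set(s) <= HEX:
        return "unknown"
    return {16: "md5-16", 20: "dedecms-20", 32: "md5-32"}.get(len(s), "unknown")

def dede_pwd(password: str, encoding: str = "utf-8") -> str:
    """Python equivalent of PHP substr(md5($pwd), 5, 20) from the reset tool."""
    return hashlib.md5(password.encode(encoding)).hexdigest()[5:25]

def md5_16_from_dede(stored: str) -> str:
    """16-digit MD5 is md5[8:24], which sits at offset 3 of the 20-digit value."""
    if classify(stored) != "dedecms-20":
        raise ValueError("expected a 20-digit DedeCMS value")
    return stored.strip().lower()[3:19]

def verify(candidate: str, stored: str, encoding: str = "utf-8") -> bool:
    """Check one known candidate against a stored value in constant time."""
    if classify(stored) != "dedecms-20":
        return False
    return hmac.compare_digest(dede_pwd(candidate, encoding), stored.strip().lower())

def audit(rows):
    """Report each account's format and groups sharing one value (no salt)."""
    formats = {userid: classify(pwd) for userid, pwd in rows}
    groups = defaultdict(list)
    for userid, pwd in rows:
        groups[pwd.strip().lower()].append(userid)
    shared = sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)
    return formats, shared

# Constructed sample rows (userid, pwd); the first value is the page's example.
SAMPLE_ROWS = [
    ("admin", "c3949ba59abbe56e057f"),
    ("editor", "C3949BA59ABBE56E057F"),
    ("legacy", "49ba59abbe56e057"),
]

if __name__ == "__main__":
    print(dede_pwd("123456"), md5_16_from_dede(SAMPLE_ROWS[0][1]))
    print(verify("123456", SAMPLE_ROWS[0][1]), audit(SAMPLE_ROWS))
```

Because the value is an unsalted, truncated MD5, two accounts with the same password store the same 20 digits, which is what the `shared` list in `audit` surfaces.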


This is almost impossible to reverse, but we can use a simple method: compute the MD5 of a password directly and try it. There is also another way.


The password reset tool comes in two versions, UTF-8 and GBK, and applies to DedeCMS V5.3-5.6.

This lets new users perform the operation conveniently. You can also go to the database to crack the encrypted password and so retrieve the forgotten password.

1. Copy the code shown under "show source" on the website for the GBK version.

The code is as follows:

<?php
/**********************
DedeCMS administrator account resetting tool.
http://bbs.dedecms.com/
***********************/
//error_reporting(E_ALL | ~E_NOTICE);
// $dsql and the request variables $step, $id, $uname and $pwd are not defined
// in this file; they come from the included common.inc.php.
require_once(dirname(__FILE__)."/include/common.inc.php");
if (empty($step))
{
    $step = 1;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Password resetting tool_GBK</title>
<style type="text/css">
<!--
body {
    font-family: "MS Serif", "New York", serif;
    font-size: 12px;
    color: #000;
}
table {
    border-top-width: 1px;
    border-right-width: 1px;
    border-left-width: 1px;
    border-top-style: dotted;
    border-right-style: dotted;
    border-left-style: dotted;
    border-top-color: #CCC;
    border-right-color: #CCC;
    border-left-color: #CCC;
}
td {
    border-bottom-width: 1px;
    border-bottom-style: dotted;
    border-bottom-color: #CCC;
}
-->
</style>
</head>
<body>
<?php
// Step 1: list the super administrator accounts (usertype 10).
if ($step == 1)
{
    $dsql->SetQuery("Select * From `#@__admin` where usertype='10'");
    $dsql->Execute("ut");
?>
<table width="98%" border="0" align="center" cellpadding="3" cellspacing="1">
  <tr>
    <td height="19" bgcolor="#E7E7E7"><table width="96%" border="0" cellspacing="1" cellpadding="1">
      <tr>
        <td width="24%"><b><strong>Step 1: select an administrator account</strong></b></td>
        <td width="76%" align="right">&nbsp;</td>
      </tr>
    </table></td>
  </tr>
  <tr>
    <td height="215" align="center" valign="top" bgcolor="#FFFFFF"><form action="radminpass.php" method="post" name="form1" id="form1">
      <input type="hidden" name="step" value="2" />
      <table width="98%" border="0" cellspacing="1" cellpadding="1">
        <tr>
          <td height="60" colspan="2" align="left">This tool is for newcomers who have forgotten the administrator password and need to reset it. Copy radminpass.php to the root directory and run &ldquo;http://yousite/radminpass.php (yousite is the website domain name)&rdquo;, then follow the instructions. <font color="#FF0000">Please delete this file in time after recovery is complete!</font></td>
        </tr>
        <tr>
          <td width="16%" height="30" align="left">Select the super administrator ID:</td>
          <td width="84%" align="left">
            <select name='id' style='width:150px'>
<?php
    while ($myrow = $dsql->GetObject("ut"))
    {
        echo "<option value='".$myrow->id."'>".$myrow->userid."</option>\r\n";
    }
?>
            </select>

          </td>
        </tr>
        <tr>
          <td height="60" align="left">&nbsp;</td>
          <td align="left"><input type="submit" name="Submit" value="Next &gt;" class="coolbg np" /></td>
        </tr>
      </table>
    </form></td>
  </tr>
</table>
<?php
// Step 2: show the selected account and ask for the new pen name and password.
} elseif ($step == 2) {
    $row = $dsql->GetOne("Select * From `#@__admin` where id='$id'");
?>
<table width="98%" border="0" align="center" cellpadding="3" cellspacing="1">
  <tr>
    <td height="19" bgcolor="#E7E7E7"><table width="96%" border="0" cellspacing="1" cellpadding="1">
      <tr>
        <td width="24%"><b><strong>Step 2: change the administrator password</strong></b></td>
        <td width="76%" align="right">&nbsp;</td>
      </tr>
    </table></td>
  </tr>
  <tr>
    <td height="215" align="center" valign="top" bgcolor="#FFFFFF"><form action="radminpass.php" method="post" name="form1" id="form1">
      <input name="step" type="hidden" id="step" value="3" />
      <input type="hidden" name="id" value="<?php echo $row['id']?>" />
      <table width="98%" border="0" cellspacing="1" cellpadding="1">
        <tr>
          <td width="16%" height="30" align="left">User logon ID:</td>
          <td width="84%" align="left"><?php echo $row['userid']?></td>
        </tr>
        <tr>
          <td height="30" align="left">User pen name:</td>
          <td align="left"><input name="uname" type="text" id="uname" size="16" value="<?php echo $row['uname']?>" style="width:200px" />
          </td>
        </tr>
        <tr>
          <td height="30" align="left">User password:</td>
          <td align="left"><input name="pwd" type="text" id="pwd" size="16" style="width:200px" />
            &nbsp;(leave blank to keep it unchanged; only characters in the range '0-9a-zA-Z.@_-!' may be used)</td>
        </tr>
        <tr>
          <td height="60" align="left">&nbsp;</td>
          <td align="left"><input type="submit" name="Submit" value="Confirm to modify" class="coolbg np" /></td>
        </tr>
      </table>
    </form></td>
  </tr>
</table>
<?php
// Step 3: write the new values to the admin and member tables.
} elseif ($step == 3) {
    $pwdm = '';
    if ($pwd != '') {
        // The member table gets the full 32-character MD5.
        $pwdm = ",pwd='".md5($pwd)."'";
        // The admin table gets 20 characters of the MD5, starting at offset 5.
        $pwd = ",pwd='".substr(md5($pwd), 5, 20)."'";
    }
    $query = "update `#@__admin` set uname='$uname' $pwd where id='$id'";
    $dsql->ExecuteNoneQuery($query);
    $query = "update `#@__member` set uname='$uname' $pwdm where mid='$id'";
    $dsql->ExecuteNoneQuery($query);
    ShowMsg("An account is successfully changed!", "radminpass.php");
}
?>
</body>
</html>

3. Save it as radminpass.php. Upload it to the root directory of the website and run "http://yousite/radminpass.php" (yousite is the website domain name). Follow the instructions to complete the operation. Please delete this file in time after recovery is complete!

 
