Password decryption for a jsp site
On the login page, you can see the following in the source code:
Md5.decrypt (StrPwd)
I realized that this means that the encrypted user password stored in the database can be decrypted, and the name "md5" is just a disguise.
Com. b. s. l. u. MD5, but I did not find this class file in the class subdirectory of the WEB-INF directory, and later realized that it was in jar, So I downloaded a jar file under the lib directory.
Jar xvf that. jar files can be decompressed as needed, but the compiling environment of this server is very unusual. the java files installed on my computer cannot work and cannot be decompressed using the tool, finally, run jar xvf on the server and decompress it. Find the MD5.class
I thought it would be easy to decompile the class to get the java source code and then rewrite it in a handy language based on the algorithm for batch decryption. But the reality is cruel. This class file causes several decompilers to report errors, finally, The Decompilation failed.
Second, I directly wrote a jsp file and uploaded it to the server. The rough content is rough and can be used in short.
<% @ Page import = MD5 %> <% @ page contentType = text/html; charset = UTF-8 %> <% String pwd = request. getParameter (pwd); String strNewPwd =; MD5 md5 = new MD5 (); if (!. Equals (pwd) {strNewPwd = md5.decrypt (pwd, key12345); out. println (strNewPwd. trim ();} %>