Study on the administrator password encryption method of zhimeng CMS and solutions to password loss

The website subject is built by DEDECMS and is added with the SNS of UcenterHome. Failed to try dede background. I casually wrote some tips for V5.31. It seems unstable. You have no intention of breaking into a directory, but you cannot remember which one you want to break into (if you don't want to mention it). You can get the username and password as follows: the INSERTINTO 'd website subject is built by DEDECMS and added to the SNS of UcenterHome. Try d EdE background failure. I casually wrote some tips for V5.31. It seems unstable.
You have no intention of breaking into a directory, but you cannot remember which one you want to break into (if you don't mention it). // you also want to get the user name and password as follows:

Insert into 'dede _ admin' VALUES ('1', '10', 'admin', 'f000026fa5440d90f8', 'admin '......
// This is just an example, not true, but with the same digits
Obviously, at present, websites are generally encrypted using md5 encryption, but this string is 20 bits, and 16.32 or even 40 bits are found online, that is, 20 bits have not been seen.
Attackers are seeking to crack the Internet. The official website has a tool that requires uploading files to the root directory for use. It seems that there is no hope ......
But fortunately, we can analyze it.
ELsEif ($ step = 3 ){
$PwdM = ";
If ($ pwd! = "){
$ Pwdm = ", pwd = '". md5 ($ pwd )."'";
$ Pwd = ", pwd = '".SuBsTr(Md5 ($ pwd), 5, 20 )."'";
}
$ Query = "UpDate'Dede _ admin'Set Uname= '$ Uname' $ pwd whereId= '$ Id '";
$ Dsql-> ExeCutENoneQuery ($ query );
$ Query = "Update 'dede _ member' set uname = '$ uname' $ pwdm where mid =' $ id '";
$ Dsql-> ExecuteNoneQuery ($ query );
ShowMsg ("successfully changed an account !"," Radminpass.Php");
}
I don't know how to understand it. member is directly encrypted with md5.
The admin's md5 is encrypted, and then 20 characters are taken from the 5th-bit start.
Khan ...... I have seen 40 bits before, and it seems to be the sum up. This is actually a little less than a few characters. How can this problem be solved? Depressed.
It's complicated. Let's put it first. It's not broken yet ......
The above is the article about dedecms encryption found on the Internet. We know that the MD5 of DEDE is a 20-bit password starting from 5th bits (20, I don't know if DEDE writers forget that 16-bit MD5 can also be obtained from 16 in 32 bits, that is, a 16-bit encrypted password is obtained from 9th bits (16 bits. Sys_admin_user_aDdThe. php file is the latest version 5.5. It can be seen that the encryption method has not changed.
Source code of the sys_admin_user_add.php file:
Copy code Require_oNcE (dirname (_ FILE _)./config. php );
CheckPurview ('sys _ user ');
Require_once (DEDEINC./typelink. class. php );
If (empty ($ dopost ))
{
$ Dopost = '';
}
If ($ dopost = 'add ')
{
If (ereg ([^ 0-9a-zA-Z _@!. -], $ Pwd) | ereg ([^ 0-9a-zA-Z _@!. -], $ Userid ))
{
ShowMsg ('invalid password or user name,
Use [0-9a-zA-Z _@!. -] Characters in! ','-1', 0, 3000 );
ExIt ();
}
$ Safecodeok = substr (md5 ($ pai_cookie_encode. $ randcode), 0, 24 );
If ($ safecode! = $ Safecodeok)
{
ShowMsg ('Enter the encryption method
Original: e10adc3949ba59abbe56e057f20f883e
Obtain: c3949ba59abbe56e057f
Calculation Method of MD516
Original: e10adc3949ba59abbe56e057f20f883e
Fetch: 49ba59abbe56e057
If DEDECMSHASH is calculated to get 16-bit MD5?
We only need to extract the 20-bit MD5 value from the 4th-bit (take 16), or we want to delete the first 3 minus the last 1. The result is as follows:
Decryption Method:
Original: c3949ba59abbe56e057f
Fetch: 49ba59abbe56e057