Administrator password encryption method of DedeCMS (Zhimeng CMS): the 16-character MD5 can be recovered

Source: Internet
Author: User


Today I had nothing to do, so I took on a check of a buddy's website. The site was quite big and had a lot going on. Based on my years of experience, I could see at a glance that it was basically DEDECMS.
The site itself is built on DEDECMS, with the UcenterHome SNS added on. Trying the dede backend failed. I casually tried a few tricks for V5.31; it seems unstable.
I unintentionally got into a directory (I can't remember which one, so I won't mention it) and got the user name and password as follows:

INSERT INTO `dede_admin` VALUES ('1', '10', 'admin', 'f000026fa5440d90f8', 'admin' ......
// This is just an example, not the real value, but it has the same number of characters
Obviously, websites these days generally use MD5 encryption, but this string is 20 characters long. 16-, 32- and even 40-character hashes can be found online, but a 20-character one I had never seen.
I went online to look for a way to crack it. The official site has a tool, but it requires uploading a file to the root directory to use, so that looked hopeless......
But fortunately, we can analyze it.
elseif($step == 3)
{
    $pwdm = '';
    if($pwd != '')
    {
        // member table: full 32-character MD5; admin table: 20 characters from offset 5
        $pwdm = ", pwd='".md5($pwd)."'";
        $pwd  = ", pwd='".substr(md5($pwd), 5, 20)."'";
    }
    $query = "UPDATE `dede_admin` SET uname='$uname' $pwd WHERE id='$id'";
    $dsql->ExecuteNoneQuery($query);
    $query = "UPDATE `dede_member` SET uname='$uname' $pwdm WHERE mid='$id'";
    $dsql->ExecuteNoneQuery($query);
    ShowMsg("Successfully changed an account!", "Radminpass.php");
}
I don't know if you follow it: member is directly encrypted with MD5,
while for admin the MD5 is computed and then 20 characters are taken starting from the 5th position.
Sweat...... I've seen 40-character ones before, which seem to be two hashes joined together. This one actually has a few characters fewer. How can this be solved? Depressed.
It's complicated. Let's put it aside for now. It's still not cracked......
The above is an article about DedeCMS encryption found on the Internet. From it we know that DEDE's "MD5" is a 20-character string taken from offset 5 of the 32-character MD5, i.e. substr(md5($pwd), 5, 20). I wonder whether DEDE's developers forgot that the common 16-character MD5 is also taken from the 32-character one, namely the 16 characters starting at offset 8, i.e. substr(md5($pwd), 8, 16). The following sys_admin_user_add.php file is from the latest version, 5.5, and shows that the encryption method has not changed.
Source code of the sys_admin_user_add.php file:
<?php
require_once(dirname(__FILE__)."/config.php");
CheckPurview('sys_User');
require_once(DEDEINC."/typelink.class.php");
if(empty($dopost))
{
    $dopost = '';
}
if($dopost == 'add')
{
    // Only the characters [0-9a-zA-Z_@!.-] are allowed in the user name and password
    if(ereg("[^0-9a-zA-Z_@!.-]", $pwd) || ereg("[^0-9a-zA-Z_@!.-]", $userid))
    {
        ShowMsg("The password or user name is invalid. <br/>Use only [0-9a-zA-Z_@!.-] characters!", "-1", 0, 3000);
        exit();
    }
    // Form token: the first 24 hex characters of md5(cookie secret . random code)
    $safecodeok = substr(md5($cfg_cookie_encode.$randcode), 0, 24);
    if($safecode != $safecodeok)
    {
        ShowMsg("Enter the security verification string!", "-3000");
        exit();
    }
    $row = $dsql->GetOne("SELECT COUNT(*) AS dd FROM `dede_member` WHERE userid LIKE '$userid' ");
    if($row['dd'] > 0)
    {
        ShowMsg("The user name already exists!", "-1");
        exit();
    }
    // The member table gets the full 32-character MD5; the admin table gets only 20 characters from offset 5
    $mpwd = md5($pwd);
    $pwd  = substr(md5($pwd), 5, 20);
    $typeid = join(',', $typeids);
    if($typeid == '0') $typeid = '';
    // Associated front-end member account
    $adminquery = "INSERT INTO `dede_member` (`mtype`, `userid`, `pwd`, `uname`, `sex`, `rank`, `money`, `email`,
        `scores`, `matt`, `face`, `safequestion`, `safeanswer`, `jobtime`, `jobip`, `logintime`, `loginip`)
        VALUES ('personal', '$userid', '$mpwd', '$uname', 'male', '0', '$email', '0', '0', '');";
    $dsql->ExecuteNoneQuery($adminquery);
    $mid = $dsql->GetLastID();
    if($mid <= 0)
    {
        die($dsql->GetError()." Database Error!");
    }
    // Background administrator
    $inquery = "INSERT INTO `dede_admin` (id, usertype, userid, pwd, uname, typeid, tname, email)
        VALUES ('$mid', '$usertype', '$userid', '$pwd', '$uname', '$typeid', '$tname', '$email');";
    $rs = $dsql->ExecuteNoneQuery($inquery);
    $adminquery = "INSERT INTO `dede_member_person` (`mid`, `onlynet`, `sex`, `uname`, `qq`, `msn`, `tel`, `mobile`, `place`, `oldplace`, `birthday`, `star`,
        `welcome`, `education`, `height`, `bodytype`, `blood`, `vocation`, `smoke`, `marker`, `house`, `drink`, `datingtype`, `language`, `nature`, `lovemsg`, `address`, `uptime`)
        VALUES ('$mid', '1', 'male', '{$userid}', '0', '0', '160-01-01', '1', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0');";
    $dsql->ExecuteNoneQuery($adminquery);
    $adminquery = "INSERT INTO `dede_member_tj` (`mid`, `article`, `album`, `archivees`, `homecount`, `pagecount`, `feedback`, `friend`, `stow`)
        VALUES ('$mid', '0', '0', '0', '0', '0', '0');";
    $dsql->ExecuteNoneQuery($adminquery);
    $adminquery = "INSERT INTO `dede_member_space` (`mid`, `pagesize`, `matt`, `spacename`, `spacelogo`, `spacestyle`, `sign`, `spacendone`)
        VALUES ('$mid', '10', '0', '{$uname} space', 'person', '', '');";
    $dsql->ExecuteNoneQuery($adminquery);
    ShowMsg("A user is added successfully!", "sys_admin_user.php");
    exit();
}
$randcode = mt_rand(10000, 99999);
$safecode = substr(md5($cfg_cookie_encode.$randcode), 0, 24);
$typeOptions = '';
$dsql->SetQuery("SELECT id, typename FROM `dede_arctype` WHERE reid = 0 AND (ispart = 0 OR ispart = 1)");
$dsql->Execute('op');
while($row = $dsql->GetObject('op'))
{
    $topc = $row->id;
    $typeOptions .= "<option value='{$row->id}' class='btype'>{$row->typename}</option>";
    $dsql->SetQuery("SELECT id, typename FROM `dede_arctype` WHERE reid = {$row->id} AND (ispart = 0 OR ispart = 1)");
    $dsql->Execute('s');
    while($row = $dsql->GetObject('s'))
    {
        $typeOptions .= "<option value='{$row->id}' class='stype'>-{$row->typename}</option>";
    }
}
include DedeInclude('templets/sys_admin_user_add.htm');
?>
 

An example makes this concrete. The plaintext is 123456.

DEDECMS encryption method (substr(md5($pwd), 5, 20)):
Original: e10adc3949ba59abbe56e057f20f883e
Obtained: c3949ba59abbe56e057f

Calculation of the 16-character MD5 (the middle 16 characters, substr(md5($pwd), 8, 16)):
Original: e10adc3949ba59abbe56e057f20f883e
Obtained: 49ba59abbe56e057

So how do we get the 16-character MD5 from a DEDECMS hash? Both are windows onto the same 32-character digest: the DEDECMS value starts at offset 5 and the 16-character MD5 at offset 8, so the 16-character MD5 is simply the 16 characters of the DEDECMS hash starting at its 4th character (offset 3). Equivalently, drop the first 3 and the last 1 of its 20 characters. The result:
Decryption method:
Original: c3949ba59abbe56e057f
Obtained: 49ba59abbe56e057
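To make the relationship concrete, here is an added Python example (my own code, not DedeCMS's) that reproduces the 20-character admin hash, the 16-character MD5 and the recovery described above for the password 123456, covering both the older snippet and the 5.5 file. The pbkdf2_hash/pbkdf2_verify helpers at the end are hypothetical and show the contrast with a salted, slow hash, where no substring of the stored value is a known-format hash of the password.

```python
import hashlib
import hmac
import os
from typing import Optional

def md5_hex(password: str) -> str:
    """Full 32-character hex MD5, which DedeCMS stores for the member table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def dede_admin_hash(password: str) -> str:
    """DedeCMS admin hash: substr(md5($pwd), 5, 20), 20 hex chars from offset 5."""
    return md5_hex(password)[5:25]

def md5_16(password: str) -> str:
    """The common '16-character MD5': the middle 16 hex chars (offset 8) of the digest."""
    return md5_hex(password)[8:24]

def md5_16_from_dede_hash(admin_hash: str) -> str:
    """Recover the 16-character MD5 from a stored admin hash without knowing the
    password: both are windows onto the same digest, so drop the first 3 (8 - 5)
    and the last 1 of the 20 characters."""
    if len(admin_hash) != 20:
        raise ValueError("DedeCMS admin hashes are exactly 20 hex characters")
    return admin_hash[3:19]

# What to store instead (hypothetical helpers, not DedeCMS code): a salted, slow,
# full-length hash. The truncation shortcut above has no counterpart here.
def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

if __name__ == "__main__":
    pw = "123456"  # the page's plaintext example
    print("md5      :", md5_hex(pw))          # e10adc3949ba59abbe56e057f20f883e
    print("dede     :", dede_admin_hash(pw))  # c3949ba59abbe56e057f
    print("md5_16   :", md5_16(pw))           # 49ba59abbe56e057
    print("recovered:", md5_16_from_dede_hash(dede_admin_hash(pw)))  # 49ba59abbe56e057
```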
