ECShop V2.7.3 Admin Password Encryption Method

Forgot the local ECShop admin password, so I took a look. ECShop V2.7.3 password encryption works like this:

if(!empty($ec_salt))     {          /* 检查密码是否正确 */          $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login,suppliers_id,ec_salt".             " FROM " . $ecs->table('admin_user') .             " WHERE user_name = '" . $_POST['username']. "' AND password = '" . md5(md5($_POST['password']).$ec_salt) . "'";     }     else     {          /* 检查密码是否正确 */          $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login,suppliers_id,ec_salt".             " FROM " . $ecs->table('admin_user') .             " WHERE user_name = '" . $_POST['username']. "' AND password = '" . md5($_POST['password']) . "'";     } 

It first checks whether the ec_salt field in the admin_user table is empty. If not empty, it encrypts like this: md5(md5(plaintext password).$ec_salt); if empty, it just uses md5(plaintext password).

For example, to reset the admin password (the ec_salt field for admin usually is not empty; $ec_salt is the value of the ec_salt field), set the password field value to: md5(md5('admin').$ec_salt)=374c3361928ab9ca42794299a48e83a1

Leave a Comment

Your email address will not be published.