    #1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2013
    Posts
    37
    Rep Power
    2

    Encrypted invoices and understanding a PHP script


    Hi, I currently have a difficult problem that I hope someone can help with.

    I have been using a PHP based billing system for the last 8 years and I need to export my invoices into an accounting system.

    The problem...

    Around 2006, in an effort to prevent their customers moving to a different billing system, the developers encrypted all of the data for one of the database fields, so the invoice line items cannot be linked conventionally with their parent invoices.

    The database uses two tables for invoices. The first table contains a field named "id" which is the actual invoice number. The second table contains a field named "invoiceid" and this is the same data, but encrypted. There must be a passcode hard coded into the application that is used to decode the field when being accessed.

    I asked the developers for help and they provided me with a PHP script that they say will allow me to access the encrypted "invoiceid" column and I should then be able to export the data. Unfortunately - they provided only very basic instructions and I really don't know where to go from here.

    What I want to know is, how can that script be used to access the encrypted data? Ideally, I'd like to create a new field called "invoiceid2" in the invoice items table, read the actual invoice IDs in from the main invoices table that correspond to the encrypted ones and update "invoiceid2" with those numbers in each row, then I will have a matching set of IDs in both tables that can be used to directly link them, without needing to run a separate PHP script to access them each time.

    Here is the PHP script they provided...

    PHP Code:
    REMOVED 
    Here are their instructions...
    Functions:
    1) create_encoded_password

    Usage: create_encoded_password(md5_encoded_password)

    Example:
    $newpass=create_encoded_password("md5encodedpassword");


    2) generate_seed

    Usage: generate_seed()

    Example: $newseed=generate_seed();

    2) create_encoded_invoiceid

    Usage: create_encoded_invoiceid($invoice_id)

    Example: $inc_enc=create_encoded_invoiceid($invoice_id);
    Then you can query the client_invoices_items table - where id = '$inc_enc'


    Instructions:
    Place this file in your /tools directory and include into your php script file.

    ....................

    My problem with the above script is that it appears to be a script that creates the encryption - but the data is already encrypted, so I'm really confused as to how it can be used to read the existing data - I don't know the original MD5 password.

    I'm out of my depth here.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    What ... the ... f*ck ... I've seen a lot of crap code in my life, but this one takes it to a whole new level.

    Well, the encryption is done with some homegrown RC4 implementation stolen from an Indian guy around 12 years ago. As if that wasn't bad enough, your "developers" completely screwed it up by getting some elementary school math wrong.

    Given this level of incompetence, I'm pretty sure that '...' actually is the key. Try it out by running some plaintext invoice IDs through the create_encoded_invoiceid() function and checking whether the result occurs in the "encrypted" invoice IDs.

    Comments on this post

    • requinix agrees : the variable arguments thing bothers me so much...
    Last edited by Jacques1; April 27th, 2013 at 04:29 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. No Profile Picture
    Contributing User
    Sorry I'm not a programmer so I wouldn't know where to start.

    The developers of the accounting software won't do anything without charging me a ton of money and I'm only a small business owner - so what I'm trying to do is to get the invoice numbers into that database table first - so they can then take over and import them. Any extra work from them is really really expensive and I can't afford it.

    If anyone can help me out here, or at least point me in the right direction I would really appreciate it. I simply don't know what to do. If I get a freelancer to look at it I need to know what to tell them - I don't speak your language. What do I need to do to get the invoice IDs into that second table?
  6. #4
  7. --
    OK, so are you willing to invest some time and common sense into doing this on your own? Or do you rather want to hire someone to do it?

    Because I'm not really interested in helping when all I get back is "I'm not a programmer", "I don't know what to do", "I don't speak your language".

    My suggestion is very simple:
    1. You pick a plaintext invoice ID. It doesn't matter which one, just pick an ID.
    2. You pass this ID to the encryption function: create_encoded_invoiceid(). Output the result.
    3. You take this result and check whether it's actually among the encrypted invoice IDs. So you search the encrypted IDs for this result.


    You certainly don't need to be a programmer for this. School kids do much more complicated stuff in their free time. If you just don't wanna fumble with code, what's the point of this thread? Hire somebody, tell him/her what to do, and that's it.

    If you do wanna go on, put your invoice ID in this test script and run it:
    PHP Code:
    <?php

    var_dump( create_encoded_invoiceid('paste your invoice ID here') );

    function create_encoded_invoiceid() {
        $invid = func_get_arg(0); /* argument #1 */

        return tcrypt("...", $invid, "en");
    }

    function tcrypt() {
        $pwd = func_get_arg(0); /* argument #1 */
        $data = func_get_arg(1); /* argument #2 */
        $case = func_get_arg(2); /* argument #3 */

        if ($case == "de")
        {
            $data = urldecode($data);
        }
        $key[] = "";
        $box[] = "";
        $temp_swap = "";
        $pwd_length = 0;
        $pwd_length = strlen($pwd);
        $i = 0;
        /* fill the key array from the password bytes and initialise the box */
        while ($i < 255)
        {
            $key[$i] = ord(substr($pwd, $i % $pwd_length + 1, 1));
            $box[$i] = $i;
            $i++;
            continue;
        }
        $x = 0;
        $i = 0;
        /* mix the box with the key; "% 256" applies only to $key[$i] here */
        while ($i < 255)
        {
            $x = $x + $box[$i] + $key[$i] % 256;
            $temp_swap = $box[$i];
            $box[$i] = $box[$x];
            $box[$x] = $temp_swap;
            $i++;
            continue;
        }
        $temp = "";
        $k = "";
        $cipherby = "";
        $cipher = "";
        $a = 0;
        $j = 0;
        $i = 0;
        /* XOR each data byte with a byte taken from the box */
        while (strlen($data) > $i)
        {
            $a = $a + 1 % 256;
            $j = $j + $box[$a] % 256;
            $temp = $box[$a];
            $box[$a] = $box[$j];
            $box[$j] = $temp;
            $k = $box[$box[$a] + $box[$j] % 256];
            $cipherby = ord(substr($data, $i, 1)) ^ $k;
            $cipher .= chr($cipherby);
            $i++;
            continue;
        }
        if ($case == "de")
        {
            $cipher = urldecode(urlencode($cipher));
        }
        else
        {
            $cipher = urlencode($cipher);
        }
        return $cipher;
    }
    The output is the encrypted ID. Do your encrypted IDs in the database look like this? If they don't have all those "%", remove the
    PHP Code:
    $cipher = urlencode($cipher);
    in line 73 and try again. Then search the encrypted IDs in your database for the string you see on your screen (you need to copy everything between the double quotes). Does this string exist in the database?
    Last edited by Jacques1; April 27th, 2013 at 04:29 AM.
  8. #5
  9. No Profile Picture
    Contributing User
    Ok, I appreciate you trying to help me out here but I've never been involved with PHP in any way so if you are prepared to guide me I'll try my best.

    Do I need to add some kind of mysql connection information to your code? Or do I need to include something? It strikes me that your code does not know how to connect to my database?
  10. #6
  11. --
    Originally Posted by chris74
    Do I need to add some kind of mysql connection information to your code?
    No, the code is only supposed to encrypt a single invoice ID and output the result. Picking the invoice ID and checking the result of the script is done by you. That is, you do this with phpmyadmin or whatever tool you use for database administration.

    This script doesn't repair your data or something. Before you can actually decrypt the IDs, you first have to know the key -- and that's where we're at right now.
  12. #7
  13. No Profile Picture
    Contributing User
    OK - so you are saying in easy terms....

    1. Go to phpmyadmin and look in the id column in the invoice table and pick out a real Invoice ID.
    2. Copy the script you gave me into my own text file and add the invoice ID where it says 'paste your invoice ID here'

    3. Run the script.
    4. Compare the result with the actual encrypted id in "invoiceid" table in my database.

    I know a small number of the ones that match - so if it is the same as what is in "invoiceid" - we are in business - yes?
  14. #8
  15. --
    Yes.
  16. #9
  17. No Profile Picture
    Contributing User
    Ok, your script returned the following value...

    string(6) "%E00_Y"

    But the actual value of "invoiceid" for each line item in the items table that matches that invoice is...

    %A4%98%C6%C5

    The data type is varchar(50)
  18. #10
  19. No Profile Picture
    Contributing User
    Is it something related to the "seed" value?

    Some of the invoices in the first table have a field named "seed". For that invoice the seed is...

    933595939
  20. #11
  21. No Profile Picture
    Contributing User
    I'd greatly appreciate any further advice anyone could give me with this problem.

    If I contact a freelancer to help me, will any experienced PHP developer be able to help - or do I need someone with particular specialist experience?

    As only one person has replied to my post, I'm guessing this may not be an easy problem to resolve?
  22. #12
  23. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,853
    Rep Power
    6351
    I'm not going to read through all your code right now (though I may this afternoon when I get really bored) but this line:

    Around 2006, in an effort to prevent their customers moving to a different billing system, the developers encrypted all of the data for one of the database fields, so the invoice line items cannot be linked conventionally with their parent invoices.
    Don't contact a developer, contact a lawyer. That's YOUR data, not theirs. They took your data and ruined it. They destroyed your financial recordkeeping abilities in an attempt to extort money from you.

    I am not a lawyer, but if I noticed someone had broken my database in an attempt to take my money, there would be hell to pay.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  24. #13
  25. No Profile Picture
    Contributing User
    The database isn't broken as such. It can still be used with their system - just not with any other system.

    The only problem is that I need to try and get this data out - it represents ten years of my life. They are now ignoring my requests and emails :-(

    Someone must know how it can be done.

    Would it be possible to use that script to re-populate the encrypted rows with new encrypted ones, based on a new password?

    I think that's what that script does?
  26. #14
  27. --
    Originally Posted by chris74
    Someone must know how it can be done.
    Well, what kind of solution did you expect? None of us has the encryption key.

    You don't have the original source code, right? And the developers won't give you the key? Well, then the only possibility would be to attack the encryption function itself. It's so horribly broken that it seems to discard most of the encryption key. This might allow you to try out all possible keys until you've found the right one.

    But I haven't looked into that further.



    Originally Posted by chris74
    Would it be possible to use that script to re-populate the encrypted rows with new encrypted ones, based on a new password?

    I think that's what that script does?
    No, no, no! Get rid of all that broken encryption bullsh*t altogether. When you continue to use this crap, you're digging your own grave. You'll run into the same problems again and again.
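
The effect of the unparenthesised `... + $key[$i] % 256` style expressions in the script posted in this thread can be seen in isolation with the sketch below. It is an added example, not code from the thread or from the billing system; it assumes those expressions are the "math" error meant above, uses the standard RC4 layout rather than the posted one, and the names `rc4_keystream`, `to_hex` and both keys are made up.

```php
<?php
// Added illustration, not the billing system's code. rc4_keystream() is a
// hypothetical helper: textbook RC4 when $parens is true; when false, every
// "% 256" binds only to the term next to it, as in the posted expressions.
function rc4_keystream(string $key, int $count, bool $parens): array
{
    $box = range(0, 255);
    $len = strlen($key);
    $x = 0;
    for ($i = 0; $i < 256; $i++) {                 // key scheduling
        $kb = ord($key[$i % $len]);
        $x = $parens ? ($x + $box[$i] + $kb) % 256 : $x + $box[$i] + $kb % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$x] ?? 0;   // an index past 255 is unset; PHP reads it as null (0)
        $box[$x] = $tmp;
    }
    $a = 0;
    $j = 0;
    $stream = [];
    while (count($stream) < $count) {              // keystream generation
        $a = $parens ? ($a + 1) % 256 : $a + 1 % 256;
        $ba = $box[$a] ?? 0;
        $j = $parens ? ($j + $ba) % 256 : $j + $ba % 256;
        $bj = $box[$j] ?? 0;
        $box[$a] = $bj;                            // swap box[a] and box[j]
        $box[$j] = $ba;
        $idx = $parens ? ($bj + $ba) % 256 : $bj + $ba % 256;
        $stream[] = $box[$idx] ?? 0;
    }
    return $stream;
}

function to_hex(array $bytes): string
{
    return implode(' ', array_map(fn($b) => sprintf('%02x', $b), $bytes));
}

// Sanity check of the textbook path against the published RC4 vector for key "Key".
if (to_hex(rc4_keystream('Key', 4, true)) !== 'eb 9f 77 81') {
    throw new RuntimeException('textbook RC4 path is wrong');
}

// Constructed keys that share only their first three bytes.
foreach (['AAABBBBBBBB', 'AAAzzzzzzzz'] as $key) {
    printf("%-12s textbook: %s   unparenthesised: %s\n", $key,
        to_hex(rc4_keystream($key, 8, true)), to_hex(rc4_keystream($key, 8, false)));
}
```

For these two constructed keys the unparenthesised column comes out identical, and its zero bytes would leave the matching plaintext bytes unchanged.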
  28. #15
  29. No Profile Picture
    Contributing User
    The goal here is only to match up the invoice with the invoice items - so the data can be exported.

    I've looked into matching up the timestamps on the records and have identified that about 1100 of the invoices have the same timestamp, but a different ID. Potentially, these could be manually edited, to clean up the data - but the matching items would also need to be edited.

    I've also noticed that some of the invoice items have timestamps within a minute or so of each other, yet share the same invoice ID.

    So I decided it was too complicated to continue down that road and went back to the script that the developer had provided - to see if anyone here could work out how to use it.

    The developer said that the script could be used to gain access to query that table.

    You are telling me that this is not possible at all - right?

    Am I correct in thinking that the only way to do it is to find out how it is currently done in the existing application? In one of the PHP scripts there will be the passcode?

    They are all ioncube encoded.