Author: WormBuG
Transfer from: www.oso.com.cn
There are now many community networks to browse for users, all use cookie technology to avoid multiple input passwords (as THE9 and VR), so as long as the server is submitted to the user's cookie to rewrite the purpose of deception service.
Cookie spoofing principle
According to the browser's convention, only Cookies from the same domain can read and write, and the cookie is just a browser, there is no impact on the communication protocol, so there is a variety of ways for cookie deception:
1. Skip the browser, rewrite the communication data directly
2, modify the browser, let the browser can read or read free domain name cookies from the local
3, use the signature script, let the browser can read or write any domain name cookie from the local area (security issues)
4, deceive the browser, let the browser get a false domain name
among them:
Method 1, 2 requires more professional programming knowledge, and is not suitable for ordinary users.
There are two ways to implement the method 3:
1. Use the signature script directly, no signature verification, but produce a very serious security problem, because everyone has to go online, if this is your hard disk file ...
2. After signing the script, use the signature script, but a dedicated digital signature tool is required to be inappropriate for ordinary users.
Method 4 It should be the most suitable, and the domain name deception is simple, and it doesn't matter what tools (of course, if your machine is equipped with a web server), I will take the9 as an example, based on this method Explain the process of cookie spoofing (the bugs of any server mentioned below have been improved, so this article has no security impact on the9):
Note: The cookie we discussed is the cookie that will not leave the trace in the hard disk's cookie file, which is the cookie generated only within the browser's survival period. If the browser is turned off (the session is over) then this Cookies are deleted!
Cookie deceive
THE9 will return 3 cookies while logging in (this can be seen when the browser's warning cookie option is opened):
CGL_Random: Login Identification
CGL_Loginname (login name): identification mark
CGL_AreAid (community number): The community number you live
Just fill CGL_LoginName into the correct login name, then modify CGL_Random, you can achieve the purpose of spoofing service procedures.
The string of the general deception of the PHP program is:
1 '' L''1 '' = '1
Fill this in cgl_random, the service program is deceived!
Because the service procedure is unlikely to syntax checkup (the9 is now improved), then fill in this string, you can successfully deceive the other party program, and achieve a breakthrough purpose!
The current problem is how to return this browser to the cookie to THE9? Take a look at the9 domain name: http://www.the9.com/ I just have a web server on my machine, then do it!
First, a HTML setting cookie is called cookie.htm, then put this cookie into the web directory, this is not, because my machine's domain name is not set, then set the name of Host, but if you are in network settings If you set it, your machine is restarted, or think about your simple way!
Then we should edit the hosts file, this file should be in a Windows directory, you may not find it, but if you find the hosts.sam file, then remove the extension behind it, it is the file we want!
Edit the HOSTS file, fill in the following line:
127.0.0.1 www0.the9.com
Explain that 127.0.0.1 is the LO address of this machine, you can use the web address, and www0.the9.com is the domain name of our deception.
Then enter http://www0.the9.com/cookie.htm in the browser, look, set the cookie!
Take a look at http; // www.the9.com/main.htm, look!
But not all netizens have their own web server! then what should we do?
In fact, if you have a personal homepage, you can also achieve the purpose of cookie deception. For example, the IP address of the server of a personal page is 1.2.3.4, first upload the cookie.htm file, edit the hosts file:
1.2.3.4 www0.the9.com
Then visit http://www0.the9.com/***/cookie.htm, where *** is the address directory of your personal page.
For me, I made a tool on my homepage, now open, http://home.etang.com/fsl/9the/, do you know what to do? Oh, but you are not used, you have to edit your Hosts like this:
Etang's IP www.the9.com
The9's IP www0.the9.com
Why has to be this way? I will tell everyone.
Continue the9 cookie discussion, there are 2 cookies:
CGL_MAINSHOWINFO (personal information)
CGL_SHOWINFO_CHANGED (I don't know)
Since the second cookie doesn't know what is, it will discuss the first one.
The first cookie stores your name, title, resident community, street, whether there is work, star, house number, etc. (currently only knowing these, the rest of the information does not know its meaning, the specific format is given Everyone goes out), but Chinese is escape, if you are not Netscpae but IE, you can't use UNESCAPE to know its information, because IE uses Unicode without the double byte without using ASCII, if there is also the9 also Just support Unicode! :), but other websites of webmasters pay attention, you can grasp these T9 resident information in the form of CGI to achieve data sharing! Haha ... If you really want to do this, only use the signature script, you can't let others edit hosts (not paying attention to copyright!)? IE Cookie Vulnerability:
If you use IE, due to the vulnerability of IE itself, you don't have to edit Hosts, you can use the cookie of writing other domain names, you can use the following methods to deceive IE (specific to www.cookiecentral .com to see):
Suppose your homepage file is http://a.com/cookie.htm,
Use the following URL: http: //a.com/cookie.htm?.the9.com
If the direct input is not in the browser address bar, make a script, set the value of the location to this!
This address should be such: http://a.com/cookie.htm?.the9.com
Since IE's bug, mistakenly put the domain name in front of it is .The9.com!
Hosts file explanation
The HOSTS file can actually see a native DNS system, which can be responsible for explaining the domain name as an IP address, and its priority is higher than the DNS server, its specific implementation is part of the TCP / IP protocol.
If there is such a line:
202.109.110.3 www.the9.com
So when entering www.the9.com, the network protocol will first check the HOSTS file to find the match. If you can't find the DNS to check, so that you visit www.the9.com is actually accessing 202.109.110.3, not usually 202.109.110.2.
Note: Due to the role of the cache, if the browser edits HOSTS, the content in Hosts may not take effect on the spot, you can restart your browser or wait for a while and try again!
About Referr's spoof (this although it is not a cookie deception, it will be lazy to write one, it will return together)
Referer is an HTTP header. It is the role to sign where the user is incorporated by reference, in the9, the service program will take this, if you are manually entering the URL, then Referr will not set any value, service The program returns "speculative" words!
Since we have a domain name deception in front of the browser, the Referr is also deceived, but the service program is checked by the REFERER, so the domain name of www0.the9.com deceives the server, so I have to use www.the9. COM deception, then you have to set up a domain name to facilitate our access to THE9, but have to let cookie return to this true THE9, then use www0.the9.com! (This is known as you want to edit hosts when you visit my homepage tool?) If you use this method, then you can't click on The9 connection, and you can use the address deception in the tool to visit, as soby Being the benefits, everyone is looking for it, I don't want to tell them in detail, too tired!
About NetVampire:
Do you know this download tool? So have you used it 3.3? Great! Because it can change everyone to change the downloaded Referer, and it can inherit the browser cookie, return cookie to the server (but cookie can't change, if you can change, this tool is too ................)
postscript
It's better to say this about cookie and referer. I used cookie deceived before this week. The door is open (of course, there is still a common password), but the9 is improved, I can't guarantee other community networks. Also modified, of course, this article is just exploring technology, no legal responsibility
