Cookie spoofing

xiaoxiao, 2021-03-06

Many community sites that users browse today (THE9 and VR, for example) use cookies so that users do not have to enter their password repeatedly. So as long as the cookie the browser submits to the server can be rewritten, the service can be deceived.

Cookie spoofing principle

By browser convention, only pages from the same domain can read and write a cookie. A cookie is purely a browser-side mechanism and has no effect on the communication protocol itself, so there are several ways to carry out cookie spoofing:

1. Bypass the browser and rewrite the communication data directly.

2. Modify the browser so that it can read or write cookies of any domain from the local machine.

3. Use a signed script so that the browser can read or write any domain's cookies from the local machine (this raises security issues).

4. Deceive the browser so that it obtains a false domain name.

Of these:

Methods 1 and 2 require fairly professional programming knowledge and are not suitable for ordinary users.

Method 3 can be implemented in two ways:

1. Use the signed script directly, with no signature verification. This creates a very serious security problem, because everyone goes online, and if it were your hard-disk files at stake...

2. Sign the script first and then use it, but this needs a dedicated digital signature tool and is not suitable for ordinary users.

Method 4 should be the most suitable: domain-name deception is simple and needs no special tools (provided, of course, that your machine has a web server). I will take the9 as an example and explain the cookie spoofing process using this method (the server bugs mentioned below have all been fixed, so this article has no security impact on the9):

Note: the cookies discussed here are the ones that leave no trace in the cookie file on the hard disk, i.e. cookies that exist only for the browser's lifetime. When the browser is closed (the session ends), these cookies are deleted!

Cookie deception

THE9 returns 3 cookies when you log in (you can see this when the browser's cookie warning option is turned on):

CGL_Random: login identifier

CGL_Loginname (login name): identity mark

CGL_AreAid (community number): the community you live in

Just fill CGL_LoginName with the correct login name and then modify CGL_Random, and you achieve the purpose of deceiving the service program.

The string generally used to deceive PHP programs is:

1' or '1'='1

Fill this into CGL_Random and the service program is deceived!

Because the service program is unlikely to check the syntax of the value (the9 has now fixed this), filling in this string successfully deceives the other side's program and achieves the breakthrough!
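As an added illustration (not code from the article or from the9), here is the defect the article describes beside its fix, in Python against a constructed in-memory SQLite table. The table name, columns, the stored session value and the key are assumptions for the example. The vulnerable lookup pastes the cookie into SQL text, the hardened lookup binds it as a parameter, and the two signed-cookie helpers show how a server can reject an edited CGL_Random or CGL_LoginName before any query runs.

```python
import hashlib
import hmac
import secrets
import sqlite3


# Constructed in-memory table standing in for the site's session store.
# Table name, columns and the stored values are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (loginname TEXT, rnd TEXT)")
    db.execute("INSERT INTO sessions VALUES ('alice', 'k7f3q9z2')")
    db.commit()
    return db


def lookup_vulnerable(db, loginname, random_cookie):
    """The defect the article relies on: cookie values are pasted into SQL text.
    A CGL_Random of  1' or '1'='1  makes the WHERE clause true for every row."""
    sql = ("SELECT COUNT(*) FROM sessions WHERE loginname='%s' AND rnd='%s'"
           % (loginname, random_cookie))
    return db.execute(sql).fetchone()[0] > 0


def lookup_parameterized(db, loginname, random_cookie):
    """Same query with bound parameters: the cookie is data, never SQL syntax."""
    row = db.execute(
        "SELECT COUNT(*) FROM sessions WHERE loginname=? AND rnd=?",
        (loginname, random_cookie),
    ).fetchone()
    return row[0] > 0


# Server-side key; a constructed placeholder, never a real secret.
SERVER_KEY = b"example-key-replace-with-a-real-secret"


def issue_random_cookie(loginname):
    """Mint CGL_Random as '<nonce>.<tag>' where the tag binds the nonce to the login name."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{loginname}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_random_cookie(loginname, random_cookie):
    """Recompute the tag; an edited CGL_LoginName or CGL_Random fails before any query."""
    nonce, sep, tag = random_cookie.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{loginname}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    db = make_db()
    injected = "1' or '1'='1"
    print("vulnerable lookup accepts injected cookie:", lookup_vulnerable(db, "mallory", injected))
    print("parameterized lookup accepts it:", lookup_parameterized(db, "mallory", injected))
    c = issue_random_cookie("alice")
    print("signed cookie verifies for alice:", verify_random_cookie("alice", c))
    print("same cookie presented for bob:", verify_random_cookie("bob", c))
```

The signed cookie keeps the same outward shape (a random-looking CGL_Random), but a client that edits either cookie fails the constant-time comparison, so the database is never asked about an attacker-chosen value.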

The remaining problem is how to make the browser return this cookie to THE9.

Look at the9's domain name, http://www.the9.com/. The browser's cookie warning has already told us that these 3 cookies are returned to servers under the domain name .the9.com. I happen to have a web server on my machine, so let's do it!

First, write an HTML page that sets the cookie, call it cookie.htm, and put it in the web directory. That alone does not work, because my machine's domain name is not set. You could set the host name in the network settings, but then the machine has to be restarted, so think of a simpler way! We should edit the hosts file instead. This file should be in the Windows directory; you may not find it, but if you find the hosts.sam file, remove the extension and that is the file we want!

Edit the HOSTS file and add the following line:

127.0.0.1 www0.the9.com

Here 127.0.0.1 is the loopback address of this machine (you can also use the web server's address), and www0.the9.com is the domain name we use for the deception.

Then enter http://www0.the9.com/cookie.htm in the browser. See, the page comes up and the cookies are set!

Now look at http://www.the9.com/main.htm. Look! But not every netizen has their own web server, so what then?

In fact, if you have a personal homepage you can also achieve the cookie deception. For example, if the IP address of your personal homepage's server is 1.2.3.4, first upload the cookie.htm file, then edit the hosts file:

1.2.3.4 www0.the9.com

Then access http://www0.the9.com/***/cookie.htm, where *** is the directory of your personal homepage.

As for me, I made a tool on my homepage, now public: http://home.etang.com/fsl/9the/. Does everyone know how to use it? Oh, but you cannot use it as is; you have to edit your hosts file:

Etang's IP   www.the9.com

Why www0.the9.com for this IP? I will tell everyone.

Continuing the discussion of the9's cookies, there are 2 more cookies:

CGL_MAINSHOWINFO (personal information)

CGL_SHOWINFO_CHANGED (I don't know what this is)

Since I do not know what the second cookie is, only the first one is discussed.

The first cookie stores your name, title, resident community, street, whether you have a job, star sign, house number, etc. (only these are known so far; the meaning of the remaining information is unknown, and the exact format is left for everyone to work out). The Chinese in it is escaped, and if you use IE rather than Netscape you cannot use UNESCAPE to read it, because IE uses Unicode double bytes rather than ASCII; it would help if the9 also supported Unicode! :) But webmasters of other sites take note: you can collect this T9 resident information via CGI and achieve data sharing! Haha... if you really want to do that you can only use a signed script; you cannot make other people edit their hosts file (and mind the copyright!).

IE cookie vulnerability:

If you use IE, a vulnerability in IE itself lets you read cookies of another domain name without editing hosts. You can use the following method to spoof IE (for details see http://www.cookiecentral.com/):

Suppose your homepage file is http://a.com/cookie.htm. Use the following URL:

http://a.com/cookie.htm?.the9.com/

If entering it directly in the browser's address bar does not work, write a script and set the value of location to this!

This address should be interpreted as http://a.com/cookie.htm?.the9.com, but because of IE's bug it mistakenly takes the domain name in front to be .the9.com!
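As an added example (not code from the article or from cookiecentral), this Python sketch shows what a correct cookie-domain check looks like, following the domain-matching rule of RFC 6265, and why the URL above must never yield .the9.com as the setting host: a parser that splits the query string off first sees only a.com. The function names are mine.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Host part of an absolute URL. Everything after '?' is the query string,
    so 'http://a.com/cookie.htm?.the9.com/' has host 'a.com', not '.the9.com'."""
    return (urlsplit(url).hostname or "").lower()


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching: the request host is identical to
    the cookie domain, or ends with '.' followed by it. A leading dot on the
    Domain attribute (the '.the9.com' form the article shows) is ignored."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if not cookie_domain:
        return False
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def may_set_cookie(page_url, cookie_domain):
    """A page may only set a cookie for a domain that its own host domain-matches."""
    return domain_match(host_of(page_url), cookie_domain)


if __name__ == "__main__":
    trick = "http://a.com/cookie.htm?.the9.com/"
    print("host seen by a correct parser:", host_of(trick))
    print("may that page set a .the9.com cookie?", may_set_cookie(trick, ".the9.com"))
    print("may www0.the9.com set one?", may_set_cookie("http://www0.the9.com/cookie.htm", ".the9.com"))
```

Note that the last line prints True: a hosts-file alias such as www0.the9.com is a perfectly valid .the9.com host from the browser's point of view, because cookie scoping trusts the name, not the address it resolves to. That is why the defence against the hosts trick has to be server-side (cookies the server can verify), not browser-side scoping.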

Hosts file explanation

The HOSTS file can be seen as a local DNS system: it resolves domain names to IP addresses, it has higher priority than the DNS server, and its implementation is part of the TCP/IP stack.

If there is a line like this:

202.109.110.3 www.the9.com

then when you enter http://www.the9.com/, the network stack first checks the HOSTS file for a match and only queries DNS if none is found, so visiting http://www.the9.com/ actually accesses 202.109.110.3 rather than the usual 202.109.110.2.

Note: because of caching, the content of the HOSTS file may not take effect immediately after editing; restart the browser or wait a while and try again!
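An added illustration of the resolution order just described (not code from the article): a small Python parser for hosts-file syntax, a resolver that consults it before a stand-in DNS table, and an audit that lists names whose local entry differs from what DNS returns, which is the kind of override an administrator would want to spot. The hosts content and the DNS table are constructed for the example; the addresses are the ones the article mentions.

```python
import ipaddress

# Constructed hosts-file content standing in for the Windows hosts file;
# the entries are invented for this example.
SAMPLE_HOSTS = """\
# localhost entries
127.0.0.1       localhost
::1             localhost
# an entry of the kind the article describes
127.0.0.1       www0.the9.com
202.109.110.3   www.the9.com  the9.com   # trailing comment
not-an-address  bogus.example
"""

# Constructed stand-in for what the DNS server would answer.
SAMPLE_DNS = {
    "www.the9.com": "202.109.110.2",
    "www.example.net": "192.0.2.1",
}


def parse_hosts(text):
    """Return {hostname: ip}. Comments start at '#'; the first entry for a
    name wins, matching a resolver that stops at the first match."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address field: skipped, as the resolver ignores it
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def resolve(name, hosts, dns):
    """Hosts file first, DNS second: the precedence the article explains.
    Returns (address, source) so the caller can see which one answered."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "unresolved"


def overrides(hosts, dns):
    """Audit: names whose hosts entry disagrees with DNS, i.e. local overrides
    of real names. Returns {name: (hosts_ip, dns_ip)}."""
    return {n: (hosts[n], dns[n]) for n in hosts if n in dns and hosts[n] != dns[n]}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ("www.the9.com", "www0.the9.com", "www.example.net"):
        print(n, "->", resolve(n, hosts, SAMPLE_DNS))
    print("overrides:", overrides(hosts, SAMPLE_DNS))
```

Run against a real hosts file, the audit only needs the DNS table replaced by live lookups; the caching note above applies equally here, since the stack's own resolver cache can hide a fresh edit for a while.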

About Referer spoofing (this is not a cookie deception, but I'll be lazy and cover it here as well)

Referer is an HTTP header whose role is to record where the user was referred from. In the9, the service program checks it: if you type the URL manually, Referer has no value and the service program returns words to the effect of "speculative"!

Since the browser's domain name was already deceived above, the Referer is deceived as well. But what the service program checks in the REFERER is the whole host name, so with the domain name www0.the9.com the server is deceived and the download comes from http://www.the9.com/. You therefore need a domain name that makes it convenient for us to access THE9 while still returning to the real THE9, and that is why www0.the9.com is used! (This explains why you have to edit your hosts file to use the tool on my homepage.) With this method you cannot click the9's links directly; use the addresses in the tool to visit. As for the benefits of doing this, everyone can find out for themselves; I don't want to tell, too tired!
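As an added example (not from the article), here is the difference between the two kinds of Referer check the passage touches on, in Python: a suffix check that any host under the9.com satisfies, including a local alias such as www0.the9.com, and an exact allowlist match that also rejects a missing header. The allowlist is an assumption for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only host downloads may be referred from.
ALLOWED_REFERER_HOSTS = {"www.the9.com"}


def referer_host(referer):
    """Lower-cased host of the Referer header, or None when absent or unparsable."""
    if not referer:
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def referer_ok_suffix(referer):
    """Loose check: accept the9.com itself or any host ending in '.the9.com'.
    A hosts-file alias such as www0.the9.com passes this check."""
    h = referer_host(referer)
    return h is not None and (h == "the9.com" or h.endswith(".the9.com"))


def referer_ok_exact(referer):
    """Strict check: exact match against a known list; no header means no match."""
    return referer_host(referer) in ALLOWED_REFERER_HOSTS


if __name__ == "__main__":
    for r in (None, "http://www.the9.com/main.htm", "http://www0.the9.com/main.htm",
              "http://www.the9.com.example/"):
        print(repr(r), "suffix:", referer_ok_suffix(r), "exact:", referer_ok_exact(r))
```

Even the exact check is only a hint: the header is supplied by the client, and tools like the one the article mentions next set it freely, so a server that needs to know a request really came from its own page has to issue and verify its own per-session token rather than trust Referer.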

About NetVampire:

Do you know this download tool? Have you used version 3.3? Great! It lets everyone change the Referer of a download, and it can inherit the browser's cookies and return them to the server (but the cookies cannot be changed; if they could, this tool would be too...)

Postscript

That is about all there is to say about cookies and Referer. I used cookie deception before this week and the door was wide open (of course, there is still the ordinary password), but the9 has fixed it. I cannot guarantee that other community sites have also been fixed. Of course, this article is only exploring the technology and bears no legal responsibility.

Reprints must credit the original address: https://www.9cbs.com/read-56901.html
