First, several basic concepts
Cookie spoofing means that, in a system that verifies users only by their cookies, modifying the content of the cookies is enough to log on with another user's permissions. (Well, this is my own definition. Don't laugh.)

So what are cookies? Here is a professional explanation. A cookie is a file stored in the browser directory. This file records information about your visits to a specific site and can only be read back by the site that created it. It consists of about 255 words and occupies only 4 KB of hard disk space. While a user is browsing a website, the cookie is held in the random access memory (RAM) of the user's machine; after the browser exits, it is stored on the user's hard disk. Most of the information stored in cookies is ordinary: when you browse a site, this file records the key information and the address of the accessed site. However, many web sites use cookies to store private data, such as registration passwords, user names, and credit card numbers.
Second, Principle Analysis
First, let's take a look at how 6kbbs works. In login.asp, rows 113--124 read as follows:
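If login = false then
    ' Login failed: show an error and a link back to the previous page
    tl = "login failure"
    mes = mes & "· <a href=javascript:history.go(-1)><img src=pic/re.gif align=absmiddle> return and enter again</a>"
Else
    ' Login succeeded: the login details are written into client-side cookies
    Response.Cookies(prefix)("lgname") = lgname
    Session(prefix & "lgname") = lgname
    Response.Cookies(prefix)("lgpwd") = lgpwd
    Response.Cookies(prefix)("lgtype") = lgtype
    Response.Cookies(prefix)("lgcook") = cook
    ' If the user chose to save cookies, keep them for cook days
    If cook > 0 then
        Response.Cookies(prefix).Expires = date + cook
    End if
End if ' closes the outer If, which lies outside the quoted rows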
Don't get dizzy, newbies. If you get dizzy, I get dizzy too. Let me put this passage in plain words: if your login fails, it shows that the login failed and guides you back to the previous page. Otherwise, your login details are written into cookies. If you chose to save cookies, their expiration time is the period you chose to save them for.

What does this make you think of? Yes, you only need the cookies to log on later. If the information in my cookies is the administrator's, am I not the administrator? Smart. Let's look at how it is done:
Third, Cookie spoofing instances
Here, I will take 6kbbs as an example and assume that you have obtained the website database or the administrator's MD5 encrypted password. How do you get it? Follow me: search for the keyword "powered by 6kbbs" in a search engine and you will see a lot of 6kbbs websites. The database is at http://www.***.com/bbs/db/6K.mdb (in my tests I found that at least 60% of the users of this forum do not change the default database path. I don't know why). Okay, have you downloaded it? We are about to start work.
First, register a user and then log on to the system. Are you ready? There is an option to store cookies. You must select one; I chose to save for one month, because saving is what writes the cookies onto your computer. Next, open the database and check what is in the admin table. No matter what else is there, you only need the person whose bd is 16. There may be none. You can visit their forum to see who the administrator is, and then use his account and encrypted password from the database for the spoofing.
Now open IECookiesView. Are you confused? Go to http://www.down99.com/SoftView/SoftView_270.html, download it, and come back to listen again. Everybody is waiting for you. Hurry up, haha. Forget it, I will introduce it first.

IECookiesView is a piece of software for viewing and modifying cookies on the local machine. It is very convenient for cookie spoofing. Ah, you have downloaded it so quickly? Let's continue, no more nonsense. (Audience below: dizzy, so much nonsense, I really want to hit him with bananas.)
Find the website you want to spoof in IECookiesView. Have you seen it? There are your username and MD5 encrypted password. Change these two items to the administrator's, that is, replace them with the administrator account and MD5 encrypted password from the database. Click "Change cookies", OK, open a new IE, and visit the forum again. You are now logged on as the administrator. Haha, don't make trouble.
==================
Digression
==================
1. Spoofing on this forum only gets you front-end administrator privileges. The back end requires you to enter the password and verifies the session, not cookies, so it cannot be spoofed.
2. This forum also has an upload vulnerability that allows Trojans to be uploaded. I will not cover it here because many experts have already made animated tutorials. If you are interested, you can search for them and learn from them. Do not do anything bad.
3. Cookie spoofing exists in many programs that do not do session verification. So if you get the database or the administrator's encrypted password, try cookie spoofing; it can have unexpected results.
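
The difference between cookie verification and session verification described in points 1 and 3, as an added example that is not 6kbbs code and is written in Python rather than ASP so it runs on its own. The function names, the "sid" cookie, and the sample accounts are constructed for illustration, and the cookie-only check is an assumption based on the behaviour this page describes.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts: username -> (MD5 hex of password, role).
# MD5 only mirrors the storage format described on this page; it is not a
# sound password hash.
USERS = {
    "admin": (hashlib.md5(b"correct horse").hexdigest(), "admin"),
    "guest": (hashlib.md5(b"guest-pass").hexdigest(), "user"),
}
SESSIONS = {}  # server-side store: random token -> username


def cookie_only_auth(cookies):
    """Weak check: trust the lgname/lgpwd values the browser sends.

    The stored hash itself acts as the credential, so whoever can read the
    database can present it without knowing the password.
    """
    name, pwd = cookies.get("lgname"), cookies.get("lgpwd")
    if name in USERS and pwd == USERS[name][0]:
        return USERS[name][1]
    return None


def login(name, password):
    """Verify the password, then issue an unguessable session token."""
    supplied = hashlib.md5(password.encode()).hexdigest()
    stored = USERS.get(name, ("", None))[0]
    if not stored or not hmac.compare_digest(supplied, stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = name  # the identity stays on the server
    return token


def session_auth(cookies):
    """Hardened check: the cookie carries only a token the server issued."""
    name = SESSIONS.get(cookies.get("sid", ""))
    return USERS[name][1] if name else None


def logout(cookies):
    """Invalidate the token so a copied cookie stops working."""
    SESSIONS.pop(cookies.get("sid", ""), None)
```

With the session check, nothing stored in the database is accepted as a login cookie, so a copied database no longer yields a working identity.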