Following a directive issued by the Ministry of Education, the BBS of major universities in China were set to allow posting only from on campus. Our school forum runs bbsxp (the forum system broken through here). The forum's popularity was already low because of server bandwidth; then the administrator blocked all off-campus IP addresses, so nobody outside can log in or post. Many folks use Tietong broadband on campus to get online, and some of them have already graduated. Even Echo from our computer board can't get in... (a lot of rambling)
OK. Let's start.
The IP filtering for the forum is in setup.asp:
' Cookie-based login check: username/userpass from the browser are compared directly with the [user] table
If Request.Cookies("username") <> Empty Then
    SQL = "select * from [user] where username='" & HTMLEncode(Request.Cookies("username")) & "'"
    Set rs = conn.Execute(SQL)
    If rs.EOF Then Response.Cookies("username") = ""
    If Request.Cookies("userpass") <> rs("userpass") Then Response.Cookies("username") = ""
    membercode = rs("membercode")
    userface = "" & rs("userface") & ""
    newmessage = rs("newmessage")
    userlife = rs("userlife")
    Set rs = Nothing
End If
' Determine the client address (X-Forwarded-For takes precedence when present)
If Request.ServerVariables("HTTP_X_FORWARDED_FOR") = Empty Then
    remoteaddr = Request.ServerVariables("REMOTE_ADDR")
Else
    remoteaddr = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
End If
' badip is a "|"-separated blocklist; a match redirects to the block page
If badip <> Empty Then
    filtrate = Split(badip, "|")
    For i = 0 To UBound(filtrate)
        If InStr("|" & remoteaddr & "|", "|" & filtrate(i) & "|") > 0 Then Response.Redirect "inc/badip.htm"
    Next
End If
If Request.Cookies("skins") = Empty Then Response.Cookies("skins") = style
This is the user-verification code in setup.asp; read it first. If the cookies are not empty, it reads the database to check that the user's password matches. If the cookie values are correct, it defines the variables and assigns every value the page needs from the database. Then it reads the IP; if the IP is in the blocked list, the visitor is sent to badip.htm and cannot log on.
Our school's system differs from this code. They modified it themselves to block all off-campus IP addresses, but everything was built on this basis. Their verification was written as a separate piece of code, probably the IP-range check on the login page. My guess is that it first checks whether the cookies are valid; if so, the IP-range check is skipped; if they are empty, the user is not logged on and the IP check runs. That must be their idea. (No way to know for sure, it isn't my own system; I can only guess how they block IP addresses.) That leads to weak filtering.
If the visitor's cookies are present, the system considers the user logged on and skips the IP check altogether. That is the key to getting past the IP-locked login today: forged cookies.
GET /images/closedfold.gif HTTP/1.1
Accept: */*
Referer: http://bbs.glite.edu.cn/ShowForum.asp?forumid=31
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 15 May 2002 07:17:34 GMT
If-None-Match: "07b5995e0fbc11:17b1"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)
Host: bbs.glite.edu.cn
Connection: Keep-Alive
Cookie: onlinetime=2005%2d5%2d28+14%3a43%3a04; addmin=60; ASPSESSIONIDACBSQCCT=Shanghai; forumid=31; filename=%7c2005528131326%7c2005528134747; username=yuan8627; userpass=f1913eb31c9ca1f1341b1dc9de069d8c; eremite=0
The packet capture shows the cookie contents. onlinetime is the online time; addmin is the online minutes. Look at username=yuan8627; userpass=f1913eb31c9ca1f1341b1dc9de069d8c. We have to scold bbsxp once more for being the spam of forum systems: both the user name and the password are stored in the cookie exactly as in the database, even though the password is MD5-hashed. In dvbbs the password in the cookie differs from the one in the database, so forging its cookies is nearly impossible. bbsxp did not give code security enough thought, yet it calls itself the safest in China.... If someone hijacks the cookies of a member or the administrator, the cookies can be forged, and the front-end permission can be used to delete, modify and post to the forum. The consequences are unimaginable. That is left to those who are interested.
Today we want to forge a cookie that looks logged on, and then break through the IP block.
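The two weaknesses described above (a cookie that carries the stored MD5 password hash, and login state that skips the IP check entirely) are easiest to see next to a fixed version. The block below is an added example written for this page, not bbsxp's code: the user table, campus range and SERVER_SECRET are constructed placeholders. vulnerable_access reproduces the ordering the post describes; hardened_access applies the campus policy first and always, and replaces the password-hash cookie with a server-signed session token bound to the client address and an expiry, so a copied or edited cookie no longer passes.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

# Constructed sample data (not from the forum): bbsxp keeps the MD5 of the
# password in [user].userpass, so this table mimics that storage.
USERS = {"yuan8627": hashlib.md5(b"example-password").hexdigest()}

# Constructed campus range standing in for the school's on-campus allowlist.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical server-side secret; in a real deployment it is generated at
# install time and never sent to the browser.
SERVER_SECRET = b"hypothetical-server-secret"


def on_campus(remote_addr: str) -> bool:
    """True only if the socket peer address lies inside a campus range.
    REMOTE_ADDR is used; HTTP_X_FORWARDED_FOR is client-supplied and ignored."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in CAMPUS_NETS)


def vulnerable_access(cookies: dict, remote_addr: str) -> str:
    """Ordering the post describes: cookie username/userpass matching the stored
    MD5 counts as logged in, and the IP check is then skipped altogether."""
    name = cookies.get("username", "")
    if name in USERS and cookies.get("userpass") == USERS[name]:
        return "user:" + name            # off-campus visitor walks straight in
    if not on_campus(remote_addr):
        return "denied_ip"
    return "guest"


def issue_session(username: str, remote_addr: str, ttl: int = 3600,
                  now: Optional[int] = None) -> str:
    """Hardened login: the server issues an HMAC-signed token bound to user,
    expiry and client IP. The password hash never leaves the database."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}|{remote_addr}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_session(token: str, remote_addr: str,
                   now: Optional[int] = None) -> Optional[str]:
    """Return the username if the token is authentic, unexpired and bound to
    this client address; None otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, expiry, bound_ip, sig = parts
    payload = "|".join(parts[:3])
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if not expiry.isdigit() or now >= int(expiry):
        return None
    if bound_ip != remote_addr or username not in USERS:
        return None
    return username


def hardened_access(cookies: dict, remote_addr: str,
                    now: Optional[int] = None) -> str:
    """Campus policy is enforced first and always; login state never bypasses it."""
    if not on_campus(remote_addr):
        return "denied_ip"
    user = verify_session(cookies.get("session", ""), remote_addr, now)
    return "user:" + user if user else "guest"


if __name__ == "__main__":
    forged = {"username": "yuan8627", "userpass": USERS["yuan8627"]}
    print("vulnerable, off-campus, copied cookie:", vulnerable_access(forged, "203.0.113.5"))
    print("hardened, off-campus, copied cookie:  ", hardened_access(forged, "203.0.113.5"))
    tok = issue_session("yuan8627", "10.1.2.3", now=1000)
    print("hardened, on-campus, valid token:     ", hardened_access({"session": tok}, "10.1.2.3", now=1500))
    print("hardened, token reused from other IP: ", hardened_access({"session": tok}, "10.1.2.4", now=1500))
```

The design point is the order of checks and what the cookie proves: the campus check runs before any login state is consulted, and the session cookie is something only the server can mint (an HMAC over user, expiry and address), so neither exporting a cookie from another machine nor editing the name field yields a usable token.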
You cannot log on, so you cannot edit the cookies with iecv.exe either; when cookies are changed, the index.dat in the cookie directory has to be updated. {index.dat is IE's index file; the more web pages you browse, the larger the hidden index.dat grows. This option can initialize the index.dat file.} Then I found that IE has a function to import and export cookies. So I first exported my own cookies, replaced the username and password with another account's, and imported them back. The cookie imported successfully and the index.dat in the directory was updated.
So we only need to export a cookie from an earlier session, edit it, and import it, and the forum lets us in freely with no IP restriction.
I tested it successfully on Tietong's public network.
# Internet Explorer Cookie file, exported for Netscape browsers.
bbs.glite.edu.cn	TRUE	/	FALSE	1149109143	username	[overwrite with your user name]
bbs.glite.edu.cn	TRUE	/	FALSE	1149109143	userpass	[overwrite with your MD5-hashed password]
bbs.glite.edu.cn	TRUE	/	FALSE	1149109143	eremite	0
This is the exported cookie file content, with the user name and the MD5-hashed password overwritten. Import it into IE and open the forum.
The MD5 value here is the 32-character hexadecimal hash.