To crack someone else's ASP Trojan Password method _ Vulnerability Research

Source: Internet
Author: User
Tags chr
Break the target: to crack an ASP Trojan encrypted login cracked asp trojan password land. Because there is no version in the Trojan, specifically do not know what the name of this Trojan.
Break the train of thought: Two kinds, use encrypt cipher to replace cipher text and use cipher text and encrypt algorithm to solve the password. The former is not really cracked.
Break purpose: nothing to play.
If you do not get the ASP source code, then can be said to crack the password, I have no chance of success. A friend of Huaxia said he got a web permission,
But unable to modify the home page, found that there is already an ASP trojan, but the password is encrypted. So there's this animation. Okay, scrap.
Too much talk, then, to prepare, this explanation will be quite long.
ASP Trojan login Password verification key code is as follows:
If Epass (Trim (Request.Form ("password")) = "Q_ux624q|p" Then
Response.Cookies ("password") = "8811748"
...
<%
End Select
function Epass (pass)
Temppass=strreverse (Left (pass& "zxcvbnm,./", 10))
Templen=len (pass)
Mmpassword= ""
For J=1 to 10
MMPASSWORD=MMPASSWORD+CHR (ASC (Mid temppass,j,1)-templen+int (j*1.1))
Next
Epass=replace (Mmpassword, "'", "B")
End Function
%>
Obviously, the Epass function is used to encrypt the input password, and then the resulting ciphertext and the original ciphertext are compared. If you have a little bit of programming basics
, especially VB, then epass encryption algorithm will be at a glance. If not, then, never mind, believe that after my explanation, you will soon
Got it. function, the variable that holds the password is pass. pass& "zxcvbnm,./" connects the contents of pass to the zxcvbnm,./to get a new character.
String. Left (pass& "zxcvbnm,./", 10) takes the first 10 digits. The StrReverse function reverses the resulting 10-bit string order. Len (pass) Gets the password
Length. Below is a loop. The resulting string will be in each bit of the ASCII code-password length + rounded (character location *1.1), and then the resulting value
Converts to a character reconnect. Finally, the resulting string is replaced with the ' character ' all in B, so the ciphertext is produced. If we extract the encryption algorithm with
Their ciphertext replaces the original cipher, then the matched password will become your password. But as I said, it's not really a crack.
If we enter love, the encryption process is as follows
Love
Lovezxcvbnm,./' connection
Lovezxcvbn ' Take the top 10 bits
Nbvcxzevol ' order reversed

(ASCII)-4 (digits) +int (1 (position) *1.1) =107
107 ASCII code is k, and so on, the last cipher:
K ' Ucy|hzts
We can use ciphertext and encryption algorithm to reverse the introduction of the password. Start with the last step of the algorithm. The last step replaces all with B ', is there any need for the B
Replace back ', the answer is in the negative. As long as we can get the final ciphertext, the password is not the same as possible. If there are 10 B, the number of the original password
On 2 of the 10-time side, although the original password is only one, but 1024 passwords are correct. If you want to perfect crack friend, you can try to write all
The combination.
Then this step can be ignored.
The algorithm above is very clear.
Chr (ASC (Mid temppass,j,1)-templen+int (j*1.1))
We'll just have to simply switch the + and--change it.
Chr (ASC (Mid temppass,j,1) +templen-int (j*1.1))
But there is a problem, we do not know the length of the password, it does not matter, fortunately the password is between 1-10 digits, not too long.
Then we can use a loop of 1 to 10 to find all the possible passwords, and then use the StrReverse function in order to reverse it.
So what do we know about the final code? Can be based on pass& "zxcvbnm,./", see if the password in addition to the last few zxvbnm,./.
So that's the real code. So if the password is 10 bits, it will always be true because there is no connection at the back. So we may get two answers.
Here's the decryption function I wrote.
function Ccode (code)
For Templen1=1 to 10
Mmcode= ""
For J=1 to 10
MMCODE=MMCODE+CHR (ASC (Mid code,j,1) +templen1-int (j*1.1))
Next
Ccode=strreverse (Mmcode)
Response.Write "Password" &templen1& ":" &Ccode& "<br>"
If Mid (Ccode,templen1+1,10-templen1) =left ("zxcvbnm,./", 10-templen1) and templen1<>10 then Result=left (Ccode, TEMPLEN1)
Next
Response.Write "Last Password:" &result
End Function
Well, the algorithm may not be fully mastered in such a short period of time, this is normal, then I will be in the compressed package with the documentation and decryption of the ASP source code, we take back
Take a good look at it:). Likewise, the password 10 is eternally correct. Then we will be the original text of the ASP to take a look, what will be the result. OK, all two passwords can be logged in.
To test my local assumption of IIS, if the local can not set up a Web server, you may contact me, in other languages to write

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.