Asp Trojan password set algorithm research-vulnerability warning-the black bar safety net

2006-06-10T00:00:00
ID MYHACK58:6220069677
Type myhack58
Reporter 佚名
Modified 2006-06-10T00:00:00

Description

asp Trojan password verification key code is as follows: if Epass(trim(request. form("password")))="q_ux624q|p" then response. cookies("password")="8 8 1 1 7 4 8" ... <% end select function Epass(pass) temppass=StrReverse(left(pass&"zxcvbnm,./", 1 0)) templen=len(pass) mmpassword="" for j=1 to 1 0 mmpassword=mmpassword+chr(asc(mid(temppass,j,1))-templen+int(j1.1)) next Epass=replace(mmpassword,"'","B") end function %> Obviously, using Epass function to the input of the password is encrypted, then the resulting ciphertext and the original ciphertext for comparison. If a little bit of programming fundamentals Words, especially VB, then Epass in the encryption algorithm at a glance. If not, then, okay, I believe that through my tutorials, you will soon Understand. Function to save the password variable is the pass. pass&"zxcvbnm,./" Will pass the contents of the zxcvbnm,./ Connected to get a new character String. left(pass&"zxcvbnm,./", 1 0)taken before 1 0 bit. StrReverse function will get the 1 0-bit string order reversed. len(pass)to obtain the password Length. The following is a cycle. The resulting string of each bit of the Ascii code-The password length+rounding(characters where the bit1.1),then the resulting value Converted into a character re-connection. Finally the resulting string with'characters all replaced by B, so that the ciphertext produced. If we extract the encryption algorithm used Own the ciphertext to replace the original ciphertext, then the phase image of the password will become your password. But like I said, This is not the true sense of the crack. If we enter love,the encryption process is as follows love lovezxcvbnm,./ 'Connection lovezxcvbn 'take ago 1 0 nbvcxzevol 'in reverse order n 1 1 0(ascii)-4(number of bits)+int(1(Position)1.1)=1 0 7 1 0 7 the ascii code for k,and so on, and finally the ciphertext is: k`ucy|hzts We can pass the ciphertext and the encryption algorithm to launch the anti-password. From the algorithm the last step start to push. The last step with B replace all', there is no need to be B Replace the back'?, the answer is no. As long as we get the final ciphertext, the password is not the same is also possible. If there is 1 0 A B, then the original password of the number Just 2 of the 1 0 th, while the original password is only one, but 1 0 2 4 password are correct. If you want perfect hack friends, you can try for yourself to write all Combination. Then this step can be ignored. The above algorithm is quite clear chr(asc(mid(temppass,j,1))-templen+int(j1.1)) We just simple+and-change what you can. chr(asc(mid(temppass,j,1))+templen-int(j1.1)) But there is a problem, we do not know in advance the length of the password, it does not matter, but fortunately the password in 1-1 0 bit in between, not too long. Then we can use a 1 to 1 0 of the cycle is obtained for all possible passwords, and then use the StrReverse function to reverse order it. Then finally get the password How do we determine which is it. According to the pass&"zxcvbnm,./", See in addition to the password and finally whether there zxvbnm,./ The first few are. Then this is the real password. Then if the password is 1 0, will be always correct, because the back does not exist in the connection. So we may get two answers. The following is me to write the decrypt function function Ccode(code) for templen1=1 to 1 0 mmcode="" for j=1 to 1 0 mmcode=mmcode+chr(asc(mid(code,j,1))+templen1-int(j1.1)) next Ccode=strReverse(mmcode) response. write "password"&amp; templen1&":"&Ccode&"<br>" if mid(Ccode,templen1+1,10-templen1)=left("zxcvbnm,./", 1 0-templen1) and templen1<>1 0 then result=left(Ccode,templen1) next response. write "last password:"&result end function