Skillfully crack open someone ASP Trojan password method-vulnerability warning-the black bar safety net

2007-01-09T00:00:00
ID MYHACK58:62200713663
Type myhack58
Reporter 佚名
Modified 2007-01-09T00:00:00

Description

Crack the objective: to crack a encrypted Asp Trojan login password. Since the Trojan there is no version described, specific also don't know what this Trojan is called what name.

Crack idea: the two, with the encrypted password replaces the ciphertext and use the ciphertext and the encryption algorithm of the inverse solution the password.

The former is simply not true of crack. If not Asp source code, then can be said about crack the code, I have no chance of winning. A Chinese friend said he got a Web of privileges, but cannot modify the home page, find where there are already a Asp Trojan, but the password is encrypted. Well, crap too much, well, ready, this time the explanation will be quite lengthy.

Asp Trojan password verification key code is as follows:

|

if Epass(trim(request. form("password")))="q_ux624q|p" then response. cookies("password")="8 8 1 1 7 4 8" ...


Obviously, using Epass function to the input of the password is encrypted, then the resulting ciphertext and the original ciphertext for comparison. If a little bit of programming, especially VB, then Epass in the encryption algorithm at a glance. If not, then, okay, I believe that through my tutorials, you will soon understand. Function to save the password variable is the pass. pass&"zxcvbnm,./" Will pass the contents of the zxcvbnm,./ Connected to get a new string. left(pass&"zxcvbnm,./", 1 0)taken before 1 0 bit. StrReverse function will get the 1 0-bit string order reversed. len(pass)to obtain the password length. The following is a cycle. The resulting string of each bit of the Ascii code-The password length+rounding(characters where the bit*1.1),then the resulting value is converted into character re-connection. Finally the resulting string with'characters all replaced by B, so that the ciphertext produced. If we extract the encryption algorithm with your own ciphertext to replace the original ciphertext, then the phase image of the password will become your password. But like I said, This is not the true sense of the crack.

If we enter love, the encryption process is as follows:

love lovezxcvbnm,./ 'Connection lovezxcvbn 'take ago 1 0 nbvcxzevol 'in reverse order n 1 1 0(ascii)-4(number of bits)+int(1(Position)*1.1)=1 0 7 1 0 7 the ascii code for k,and so on, and finally the ciphertext is: k`ucy|hzts


We can pass the ciphertext and the encryption algorithm to launch the anti-password, from the algorithm the last step start to push. The last step with B replace all', there is no need to be B replaced back'do, the answer is no. As long as we get the final ciphertext, the password is not the same is also possible. If there is 1 0 A B, then the original password is the number 2 of the 1 0 th, while the original password is only one, but 1 0 2 4 password are correct. If you want perfect hack friends, you can try for yourself to write all of the combinations. Then this step can be ignored, the above algorithm is clear.

chr(asc(mid(temppass,j,1))-templen+int(j*1.1))


We just simple+and-change what you can.

chr(asc(mid(temppass,j,1))+templen-int(j*1.1))


But there is a problem, we do not know in advance the length of the password, it does not matter, but fortunately the password in 1-1 0 bit in between, not too long. Then we can use a 1 to 1 0 of the cycle is obtained for all possible passwords, and then use the StrReverse function to reverse order it. Then finally get the password How do we determine which is it. According to the pass&"zxcvbnm,./", See in addition to the password and finally whether there zxvbnm,./ The first few are. Then this is the real password. Then if the password is 1 0, will be always correct, because the back does not exist in the connection. So we may get two answers.

The following is me to write the decrypt function:

function Ccode(code) for templen1=1 to 1 0 mmcode="" for j=1 to 1 0 mmcode=mmcode+chr(asc(mid(code,j,1))+templen1-int(j*1.1)) next Ccode=strReverse(mmcode) response. write "password"&templen1&":"&Ccode&" " if mid(Ccode,templen1+1,10-templen1)=left("zxcvbnm,./", 1 0-templen1) and templen1<>1 0 then result=left(Ccode,templen1) next response. write "last password:"&result end function


Well, the algorithm could in such a short time can not fully grasp, this is normal, then I will be in a compressed package comes with documentation and encryption and decryption of Asp source code, we get to go back a good studies. Similarly, password 1 0 eternal right. Then we will Asp in the original ciphertext to get over and see, what will be the result.