First, a few basic concepts
Cookie spoofing: the system relies only on the user's cookies to perform authentication, so by modifying the contents of the cookies one can obtain another user's permissions and log in as that user.
Second, analysis of the principle
Let us first look at how 6kbbs handles login. In login.asp, find lines 113-124, shown below:

    if login=false then
        tl="Login failed"
        mes=mes&"·Return to re-fill out the"
    else
        response.cookies(prefix)("lgname")=lgname
        response.cookies(prefix)("lgpwd")=lgpwd
        response.cookies(prefix)("lgtype")=lgtype
        response.cookies(prefix)("lgcook")=cook
        if cook>0 then
            response.cookies(prefix).expires=date+cook
        end if
    end if
In plain words, this passage means: if your login fails, it shows "Login failed" and guides you back to the previous page; otherwise it simply writes your details into cookies, and if you chose to save the cookies, their expiration time is the retention period you selected, that is, how long you asked the cookies to be kept.
Have you seen the point yet? Yes: after logging in, only the cookies matter, so if the information in my cookies belongs to the administrator, don't I become the administrator? Smart. Now let's see how it is done.
Third, a cookie spoofing example
Here I use 6kbbs as the example, and assume at the same time that you have already obtained the site's database or the administrator's MD5-encrypted password. As for finding such sites, search a search engine for the keyword "powered by 6kbbs" and you will see a bunch of 6kbbs sites.
First, register a user and then log in. See? There is a cookie option that must be selected; I chose to save for a month, because saving is what writes the cookies onto your machine. Next, open the database and look at the admin table. Is there anyone there besides you? Anyone whose bd is 1 will do. If not, it's okay: wander around their forum, note who the administrator is, then get his account name and encrypted password from the database to use for the spoof.
Open IECookiesView, a program for viewing and modifying the cookies on your machine; it makes the cookie spoof convenient.
In IECookiesView find the site you want to spoof. See? Your user name and MD5-encrypted password are there. Change these two entries to the administrator's, that is, replace your own with the Admin account and MD5-encrypted password you just took from the database. Click "change cookies", open a new IE window, visit that forum, and see? You are now the administrator.
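As an added example (not code from 6kbbs or from the author), the following Python models the flaw described above beside a hardened form: the vulnerable check trusts lgname/lgpwd exactly as login.asp does, while the hardened check accepts only a cookie carrying an HMAC computed with a server-side secret, so a cookie whose lgname has been rewritten to the administrator's is rejected. The user table, passwords and secret are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the 6kbbs admin table: username -> md5 of password
# and the bd flag (1 = administrator), as described in the article.
USER_TABLE = {
    "alice": {"md5": hashlib.md5(b"alice-pass").hexdigest(), "bd": 0},
    "admin": {"md5": hashlib.md5(b"admin-pass").hexdigest(), "bd": 1},
}

# Secret that stays on the server; the browser never sees it, so it cannot
# be copied out of a cookie or out of a leaked database table.
SERVER_SECRET = secrets.token_bytes(32)


def vulnerable_login_from_cookie(cookie):
    """The login.asp pattern: identity is taken directly from lgname/lgpwd.
    Whoever knows a username and its md5 hash can produce an accepted cookie."""
    row = USER_TABLE.get(cookie.get("lgname", ""))
    if row and hmac.compare_digest(row["md5"], cookie.get("lgpwd", "")):
        return cookie["lgname"], row["bd"]
    return None


def issue_signed_cookie(username):
    """Hardened form: the cookie carries the username plus an HMAC over it.
    The password hash is never written into the cookie at all."""
    tag = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return {"lgname": username, "sig": tag}


def hardened_login_from_cookie(cookie):
    """Recompute the HMAC for the presented lgname; any edit to lgname
    invalidates the signature, so a rewritten cookie is rejected."""
    username = cookie.get("lgname", "")
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cookie.get("sig", "")):
        return None
    row = USER_TABLE.get(username)
    return (username, row["bd"]) if row else None


def demo():
    """Alice's cookie rewritten to the admin's name (and, for the old scheme,
    the admin's md5 hash from the database), as the article does by hand."""
    forged_old = {"lgname": "admin", "lgpwd": USER_TABLE["admin"]["md5"]}
    forged_new = dict(issue_signed_cookie("alice"), lgname="admin")
    return vulnerable_login_from_cookie(forged_old), hardened_login_from_cookie(forged_new)
```

Server-side sessions, which the article notes the back end already uses, are the other common fix; the signed cookie shown here keeps the stateless design while removing the trust in client-supplied fields.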
1. On this forum, the spoof only yields front-end administrator permissions; the back end requires entering a password and uses session authentication, not cookies, so our spoof does not work there.
2. This forum also has an upload vulnerability through which Trojans can be uploaded. Since many experts have already written animated tutorials about it, I will not write one here; those interested can search for them. Learn about it, just don't do bad things.
3. Cookie spoofing is still widespread in systems that do not perform session validation, so if you obtain the database or the administrator's encrypted password, you may wish to try the cookie trick; there can be unexpected results.