学破解论坛post登录
本帖最后由 红颜世家、 于 2015-4-16 18:52 编辑https://www.52hb.com/member.php?mod=logging&action=login&infloat=yes&handlekey=login&referer=http%3A%2F%2Fwww.xuepojie.com%2F&inajax=1&ajaxtarget=fwin_content_login
通过抓包获取的登录地址
精简后得到
https://www.52hb.com/member.php?mod=logging&action=login&infloat=yes&handlekey=login
我们直接继续抓包登录
POST /member.php?mod=logging&action=login&loginsubmit=yes&handlekey=login&loginhash=Lm0Z0&inajax=1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-xpsdocument, */*
Referer: https://www.52hb.com/member.php?mod=logging&action=login&infloat=yes&handlekey=login
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.xuepojie.com
Content-Length: 238
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: xSCm_2132_seccode=479.3c3c31decfabe04085; xSCm_2132_saltkey=sLPj223U; xSCm_2132_lastvisit=1429174645; xSCm_2132_sid=KOblBJ; xSCm_2132_lastact=1429178246%09misc.php%09seccode; xSCm_2132_sendmail=1; pgv_info=ssi=s7824260390; pgv_pvi=8817606392
formhash=f52cd4b4&referer=http%3A%2F%2Fwww.xuepojie.com%2F.%2F&username=%BA%EC%D1%D5%CA%C0%BC%D2%A1%A2&password=b58ba*******************79d99021&questionid=0&answer=&seccodehash=cSKOblBJ&seccodemodid=member%3A%3Alogging&seccodeverify=ejfe
我们确定了关键参数有
formhash=f52cd4b4
username=%BA%EC%D1%D5%CA%C0%BC%D2%A1%A2我的名字
password=b58ba*******************79d99021 我的密码
seccodehash=cSKOblBJ
seccodeverify=ejfe 验证码
我们查找js得到
/*
(C)2001-2099 Comsenz Inc.
This is NOT a freeware, use is subject to license terms
$Id: md5.js 29228 2012-03-30 01:46:00Z monkey $
*/
var hexcase = 0;
var chrsz = 8;
function hex_md5(s){
return binl2hex(core_md5(str2binl(s), s.length * chrsz));
}
function core_md5(x, len) {
x |= 0x80 << ((len) % 32);
x[(((len + 64) >>> 9) << 4) + 14] = len;
var a =1732584193;
var b = -271733879;
var c = -1732584194;
var d =271733878;
for(var i = 0; i < x.length; i += 16) {
var olda = a;
var oldb = b;
var oldc = c;
var oldd = d;
a = md5_ff(a, b, c, d, x, 7 , -680876936);
d = md5_ff(d, a, b, c, x, 12, -389564586);
c = md5_ff(c, d, a, b, x, 17,606105819);
b = md5_ff(b, c, d, a, x, 22, -1044525330);
a = md5_ff(a, b, c, d, x, 7 , -176418897);
d = md5_ff(d, a, b, c, x, 12,1200080426);
c = md5_ff(c, d, a, b, x, 17, -1473231341);
b = md5_ff(b, c, d, a, x, 22, -45705983);
a = md5_ff(a, b, c, d, x, 7 ,1770035416);
d = md5_ff(d, a, b, c, x, 12, -1958414417);
c = md5_ff(c, d, a, b, x, 17, -42063);
b = md5_ff(b, c, d, a, x, 22, -1990404162);
a = md5_ff(a, b, c, d, x, 7 ,1804603682);
d = md5_ff(d, a, b, c, x, 12, -40341101);
c = md5_ff(c, d, a, b, x, 17, -1502002290);
b = md5_ff(b, c, d, a, x, 22,1236535329);
a = md5_gg(a, b, c, d, x, 5 , -165796510);
d = md5_gg(d, a, b, c, x, 9 , -1069501632);
c = md5_gg(c, d, a, b, x, 14,643717713);
b = md5_gg(b, c, d, a, x, 20, -373897302);
a = md5_gg(a, b, c, d, x, 5 , -701558691);
d = md5_gg(d, a, b, c, x, 9 ,38016083);
c = md5_gg(c, d, a, b, x, 14, -660478335);
b = md5_gg(b, c, d, a, x, 20, -405537848);
a = md5_gg(a, b, c, d, x, 5 ,568446438);
d = md5_gg(d, a, b, c, x, 9 , -1019803690);
c = md5_gg(c, d, a, b, x, 14, -187363961);
b = md5_gg(b, c, d, a, x, 20,1163531501);
a = md5_gg(a, b, c, d, x, 5 , -1444681467);
d = md5_gg(d, a, b, c, x, 9 , -51403784);
c = md5_gg(c, d, a, b, x, 14,1735328473);
b = md5_gg(b, c, d, a, x, 20, -1926607734);
a = md5_hh(a, b, c, d, x, 4 , -378558);
d = md5_hh(d, a, b, c, x, 11, -2022574463);
c = md5_hh(c, d, a, b, x, 16,1839030562);
b = md5_hh(b, c, d, a, x, 23, -35309556);
a = md5_hh(a, b, c, d, x, 4 , -1530992060);
d = md5_hh(d, a, b, c, x, 11,1272893353);
c = md5_hh(c, d, a, b, x, 16, -155497632);
b = md5_hh(b, c, d, a, x, 23, -1094730640);
a = md5_hh(a, b, c, d, x, 4 ,681279174);
d = md5_hh(d, a, b, c, x, 11, -358537222);
c = md5_hh(c, d, a, b, x, 16, -722521979);
b = md5_hh(b, c, d, a, x, 23,76029189);
a = md5_hh(a, b, c, d, x, 4 , -640364487);
d = md5_hh(d, a, b, c, x, 11, -421815835);
c = md5_hh(c, d, a, b, x, 16,530742520);
b = md5_hh(b, c, d, a, x, 23, -995338651);
a = md5_ii(a, b, c, d, x, 6 , -198630844);
d = md5_ii(d, a, b, c, x, 10,1126891415);
c = md5_ii(c, d, a, b, x, 15, -1416354905);
b = md5_ii(b, c, d, a, x, 21, -57434055);
a = md5_ii(a, b, c, d, x, 6 ,1700485571);
d = md5_ii(d, a, b, c, x, 10, -1894986606);
c = md5_ii(c, d, a, b, x, 15, -1051523);
b = md5_ii(b, c, d, a, x, 21, -2054922799);
a = md5_ii(a, b, c, d, x, 6 ,1873313359);
d = md5_ii(d, a, b, c, x, 10, -30611744);
c = md5_ii(c, d, a, b, x, 15, -1560198380);
b = md5_ii(b, c, d, a, x, 21,1309151649);
a = md5_ii(a, b, c, d, x, 6 , -145523070);
d = md5_ii(d, a, b, c, x, 10, -1120210379);
c = md5_ii(c, d, a, b, x, 15,718787259);
b = md5_ii(b, c, d, a, x, 21, -343485551);
a = safe_add(a, olda);
b = safe_add(b, oldb);
c = safe_add(c, oldc);
d = safe_add(d, oldd);
}
return Array(a, b, c, d);
}
function md5_cmn(q, a, b, x, s, t) {
return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b);
}
function md5_ff(a, b, c, d, x, s, t) {
return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t);
}
function md5_gg(a, b, c, d, x, s, t) {
return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t);
}
function md5_hh(a, b, c, d, x, s, t) {
return md5_cmn(b ^ c ^ d, a, b, x, s, t);
}
function md5_ii(a, b, c, d, x, s, t) {
return md5_cmn(c ^ (b | (~d)), a, b, x, s, t);
}
function safe_add(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
function bit_rol(num, cnt) {
return (num << cnt) | (num >>> (32 - cnt));
}
function str2binl(str) {
var bin = Array();
var mask = (1 << chrsz) - 1;
for(var i = 0; i < str.length * chrsz; i += chrsz) {
bin |= (str.charCodeAt(i / chrsz) & mask) << (i%32);
}
return bin;
}
function binl2hex(binarray) {
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
var str = "";
for(var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray >> ((i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray >> ((i%4)*8)) & 0xF);
}
return str;
}
var pwmd5log = new Array();
function pwmd5() {
if(!$(pwmd5.arguments) || $(pwmd5.arguments).value == '') {
return;
}
numargs = pwmd5.arguments.length;
for(var i = 0; i < numargs; i++) {
if(!pwmd5log] || $(pwmd5.arguments).value.length != 32) {
pwmd5log] = $(pwmd5.arguments).value = hex_md5($(pwmd5.arguments).value);
}
}
}
接下来我们开始寻找formhash和seccodehash
在https://www.52hb.com/member.p ... yes&handlekey=login找到了formhash和seccodehash
<input type="hidden" name="formhash" value="f52cd4b4" />
<span id="seccode_cSKOblBJ"></span><span class="Apple-tab-span" style="white-space:pre"> </span>
接下来我们找验证码
找到了= =
https://www.52hb.com/misc.php?mod=seccode&update=36618&idhash=cSKOblBJ
地址是这个
我们看看idhash从哪里来的
idhash就是seccodehash、
https://www.52hb.com/misc.php?mod=seccode&action=update&idhash=cSKOblBJ&0.05027298083679693&modid=member::logging
这个是获取图片的地址
接下来我们就全部找全了
开始做吾爱汇编论坛的post吧
在https://www.52hb.com/member.p ... hash=Lm0Z0&inajax=1
我们发现还有loginhash=Lm0Z0
再找一下
依然在页面里
代码为
我们写代码吧
好流弊啊 DZ高人
{:5_117:}沙发。
本帖最后由 Desire 于 2015-4-16 20:08 编辑
之前研究过,后来发现哈希太多就懒得搞了
{:5_188:}这也能给威望,那我把我的评分软件开源给不给我个精华咧
{:5_188:}大大还能再叼点么
...差点以为是入侵吾爱汇编论坛- -! 膜拜大神!
{:5_116:}楼主这么帅 我们都惊呆了!
学习了, 膜拜技术大神!
楼主带我飞
{:5_118:}不会写,求源码,~