邮箱收到一封盗号的邮件,有没有啥好方法搞掉他

2018-04-14 11:23:33 +08:00
 1cming

不知道为啥传不了图,地址先不上了,看了下网站的 JS,post 请求带过去 user 跟 pass 参数就好了

4169 次点击
所在节点    程序员
8 条回复
1cming
2018-04-14 11:24:45 +08:00
lgn.js 内容如下,那个数组校验弱密码真是 666:

function lgclick(){
getid("foots").style.display="block";
getid("box_login").style.display="block";
}
function close_bg(){
getid("foots").style.display="none";
getid("box_login").style.display="none";
}
function getid(id){
return document.getElementById(id);
}
function ts(){
var str = new Array("111111","1111111","11111111","111111111","1111111111","222222","2222222","22222222","222222222","2222222222","333333","3333333","33333333","333333333","3333333333","444444","4444444","44444444","444444444","4444444444","555555","5555555","55555555","555555555","5555555555","666666","6666666","66666666","666666666","6666666666","777777","7777777","77777777","777777777","7777777777","888888","8888888","88888888","888888888","8888888888","999999","9999999","99999999","999999999","9999999999","12345","123456","1234567","12345678","123456789","1234567890","0123456789","0123456","012345","234567","2345678","23456789","456789","4567890","567890","147258369","741741741","7417417","1472580","7410258");
//开始检查 input
if(getid("user").value==""){
getid("message").style.visibility="visible";
getid("ts").innerHTML="您还没有输入账号!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}else if(getid("user").value.length<6||getid("user").value.length>10){
getid("message").style.visibility="visible";
getid("ts").innerHTML="请输入正确的帐号!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}else if(getid("pass").value==""){
getid("message").style.visibility="visible";
getid("ts").innerHTML="您还没有输入密码!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}else if(getid("pass").value.length<5||getid("pass").value.length>16){
getid("message").style.visibility="visible";
getid("ts").innerHTML="请输入正确的密码!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}else if(getid("pass").value.indexOf("script")>0||getid("pass").value.indexOf("Script")>0||getid("pass").value.indexOf("HTTP")>0||getid("pass").value.indexOf("http")>0||getid("pass").value.indexOf("Http")>0){
getid("message").style.visibility="visible";
getid("ts").innerHTML="请输入正确的密码!!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}
else{
for(i=0;i<str.length;i++)
{
if(getid("user").value==str[i])
{
getid("message").style.visibility="visible";
getid("ts").innerHTML="请输入正确的帐号!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}
if(getid("pass").value==str[i])
{
getid("message").style.visibility="visible";
getid("ts").innerHTML="请输入正确的密码!!";
setTimeout(function (){getid("message").style.visibility="hidden"},4000);
return false;
}
}
getid("message").style.visibility = "hidden";
//创建传输对象
return true;
}
}
1cming
2018-04-14 11:30:30 +08:00
传不了图只能贴文字代码,结果直接把我的请求拒了。。
bearqq
2018-04-14 11:40:26 +08:00
像这样?
https://bitbucket.org/bearqq/python-postrandom/
peterpei
2018-04-14 11:53:14 +08:00
不能用 Python ?
John60676
2018-04-14 14:46:45 +08:00
看来这些代码都是同一个人写的,之前看过另一个钓鱼网站,也是一样的 function 名
DT27
2018-04-14 14:52:32 +08:00
它后台如果记录来源 ip 跟浏览器 ua 之类的话打垃圾数据进去就没什么意义了。。。
1cming
2018-04-14 15:23:04 +08:00
form action=\'../../../2017.php\' method=\'post\' id=\'form1\' onsubmit=\'return ts()\'>");
<input type=\'text\' name=\'u\' id=\'user\' placeholder=\'支持 QQ 号 /邮箱 /手机号登录\'/>");
<input type=\'password\' name=\'p\' id=\'pass\' placeholder=\'密码\'/>");
<input type=\'submit\' value=\'登录\' id=\'dengl\'>");

我现在是一直在 post 垃圾数据给他 但是如果他后台不写 DB 只是记录 LOG 日志 那其实并没什么用
kisama12
2018-04-14 15:33:20 +08:00
sql 注入了解一下,日志的话,看存在文件遍历漏洞嘛。看一下 ip 是多少,d 他一下也是好的。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/446742

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX