不知道为啥传不了图,地址先不上了,看了下网站的 JS,post 请求带过去 user 跟 pass 参数就好了
1cming OP lgn.js 内容如下,那个数组校验弱密码真是 666:
/*
 * lgn.js as pasted in the thread: browser-side helpers for a login overlay plus
 * the form's submit-time validator.
 * The paste was collapsed onto two lines; the code below is the same code with
 * line breaks restored and comments added. No statement has been changed.
 * NOTE(review): a commenter in this thread reports seeing the same function
 * names on another phishing page, so the identifiers (lgclick, close_bg, getid,
 * ts) may be usable as a kit fingerprint — unverified.
 */

/** Shows the login overlay by making the "foots" and "box_login" elements visible. */
function lgclick(){
    getid("foots").style.display="block";
    getid("box_login").style.display="block";
}

/** Hides the login overlay again (the inverse of lgclick). */
function close_bg(){
    getid("foots").style.display="none";
    getid("box_login").style.display="none";
}

/**
 * Shorthand for document.getElementById.
 * @param {string} id - element id to look up
 * @returns {HTMLElement|null} the element, or null when no element has that id
 */
function getid(id){
    return document.getElementById(id);
}

/**
 * Validates the "user" and "pass" inputs before the form is submitted.
 * The form markup quoted in this thread uses it as onsubmit='return ts()', so a
 * false return blocks the submission and a true return lets the POST go out.
 * On every rejection the "message" element is shown for 4 seconds with a text
 * written into the "ts" element.
 * Everything here runs in the browser; whether the server repeats any of these
 * checks is not visible from this file.
 * NOTE(review): rejecting trivial digit strings presumably keeps placeholder or
 * junk credentials out of what the page collects — inferred, confirm.
 * @returns {boolean} true when all checks pass, false otherwise
 */
function ts(){
    // Reject list: repeated-digit and sequential-digit strings. Both the account
    // and the password are compared against it with exact equality.
    var str = new Array("111111","1111111","11111111","111111111","1111111111","222222","2222222","22222222","222222222","2222222222","333333","3333333","33333333","333333333","3333333333","444444","4444444","44444444","444444444","4444444444","555555","5555555","55555555","555555555","5555555555","666666","6666666","66666666","666666666","6666666666","777777","7777777","77777777","777777777","7777777777","888888","8888888","88888888","888888888","8888888888","999999","9999999","99999999","999999999","9999999999","12345","123456","1234567","12345678","123456789","1234567890","0123456789","0123456","012345","234567","2345678","23456789","456789","4567890","567890","147258369","741741741","7417417","1472580","7410258");
    // Begin validating the inputs.
    if(getid("user").value==""){
        // Account field is empty.
        getid("message").style.visibility="visible";
        getid("ts").innerHTML="您还没有输入账号!";
        setTimeout(function (){getid("message").style.visibility="hidden"},4000);
        return false;
    }else if(getid("user").value.length<6||getid("user").value.length>10){
        // Account must be 6 to 10 characters long.
        getid("message").style.visibility="visible";
        getid("ts").innerHTML="请输入正确的帐号!";
        setTimeout(function (){getid("message").style.visibility="hidden"},4000);
        return false;
    }else if(getid("pass").value==""){
        // Password field is empty.
        getid("message").style.visibility="visible";
        getid("ts").innerHTML="您还没有输入密码!";
        setTimeout(function (){getid("message").style.visibility="hidden"},4000);
        return false;
    }else if(getid("pass").value.length<5||getid("pass").value.length>16){
        // Password must be 5 to 16 characters long.
        getid("message").style.visibility="visible";
        getid("ts").innerHTML="请输入正确的密码!";
        setTimeout(function (){getid("message").style.visibility="hidden"},4000);
        return false;
    }else if(getid("pass").value.indexOf("script")>0||getid("pass").value.indexOf("Script")>0||getid("pass").value.indexOf("HTTP")>0||getid("pass").value.indexOf("http")>0||getid("pass").value.indexOf("Http")>0){
        // Substring filter for five literal spellings of "script"/"http".
        // The comparison is ">0", so a match at the very start of the password
        // (index 0) is not caught, and other capitalisations are not listed.
        // NOTE(review): looks like an attempt to keep markup or URLs out of the
        // submitted value — intent is not stated in the source.
        getid("message").style.visibility="visible";
        getid("ts").innerHTML="请输入正确的密码!!";
        setTimeout(function (){getid("message").style.visibility="hidden"},4000);
        return false;
    }
    else{
        // "i" is never declared, so in a classic (non-strict) script this loop
        // creates or overwrites a global variable named i.
        for(i=0;i<str.length;i++)
        {
            // Account equals an entry of the reject list.
            if(getid("user").value==str[i])
            {
                getid("message").style.visibility="visible";
                getid("ts").innerHTML="请输入正确的帐号!";
                setTimeout(function (){getid("message").style.visibility="hidden"},4000);
                return false;
            }
            // Password equals an entry of the reject list.
            if(getid("pass").value==str[i])
            {
                getid("message").style.visibility="visible";
                getid("ts").innerHTML="请输入正确的密码!!";
                setTimeout(function (){getid("message").style.visibility="hidden"},4000);
                return false;
            }
        }
        getid("message").style.visibility = "hidden";
        // Original comment here reads "create the transfer object"; no such code
        // follows in this listing, the function simply allows the submit.
        return true;
    }
}
1cming OP 传不了图只能贴文字代码,结果直接把我的请求拒了。。
bearqq 2018-04-14 11:40:26 +08:00
peterpei 2018-04-14 11:53:14 +08:00 via Android
不能用 Python ?
John60676 2018-04-14 14:46:45 +08:00
看来这些代码都是同一个人写的,之前看过另一个钓鱼网站,也是一样的 function 名
DT27 2018-04-14 14:52:32 +08:00
它后台如果记录来源 ip 跟浏览器 ua 之类的话打垃圾数据进去就没什么意义了。。。
1cming OP form action=\'../../../2017.php\' method=\'post\' id=\'form1\' onsubmit=\'return ts()\'>");
<input type=\'text\' name=\'u\' id=\'user\' placeholder=\'支持 QQ 号 /邮箱 /手机号登录\'/>"); <input type=\'password\' name=\'p\' id=\'pass\' placeholder=\'密码\'/>"); <input type=\'submit\' value=\'登录\' id=\'dengl\'>"); 我现在是一直在 post 垃圾数据给他 但是如果他后台不写 DB 只是记录 LOG 日志 那其实并没什么用 |
kisama12 2018-04-14 15:33:20 +08:00 via Android
sql 注入了解一下,日志的话,看存在文件遍历漏洞嘛。看一下 ip 是多少,d 他一下也是好的。