Guessing Password and Developing Thief 0.03

agent on 2005-05-12T09:45:49

=from 2005.5.11.10:00.PM =to ...5.12.8:10.AM

I'm sorry for the lack of summaries these days. In the first few days of this month, I focused on the development of Thief 0.03.

At the very beginning, I found that thief.pl couldn't log in to the Educational Administration System (EAS) even using my own account. However, I could always do this in a web browser, such as IE. Later I utilized the Mozilla extension "Live HTTP Headers" to intercept the HTTP requests sent by the Mozilla or Firefox browser, and located a missing HTTP header named "Referer" in my perl script, whose value is a URL. I wondered why this peculiar header was necessary for login and subsequent page requests in the EAS site. I asked Laye about it, but there was no reply.

I must thank Laye for his implication in one of his e-mails that there was some wonderful tool which could record the low-level actions performed by the browser. I found "Live HTTP Headers" on the Internet by myself and solved my problem immediately. However, what he actually used was another independent tool named EffeTech HTTP Sniffer, which did not rely on any specific browser and had the ability to keep a record of all the HTTP requests and responses taking place over the Windows OS. All I could say was "Wow". It was very kind of him to offer me a serial number for this shareware after he learned that I loved this tool so much.

Yeah, just as I said in a mail to Laye, HTTP Sniffer is the very tool that we perl hackers are dreaming of every night! The cost of developing a client-side web application will decrease significantly by virtue of the precise GET or POST headers intercepted by this application. For example, in a project I recently developed for the JMSoft Company, I was asked to develop a fully automated tester for a web-based JMOA system. If I had known HTTP Sniffer at that time, it would have been a trivial task to implement such things.

Having successfully passed the login stage of the EAS site, I tried to modify the student ID encoded in the GET URL at once, hoping to access other users' pages. Unfortunately, I only confirmed the fact that the EAS team had completely fixed this infamous security leak. Bad luck!

I soon realized that it would be a good idea to "guess" other students' passwords in EAS, making full use of the personal info obtained from the database of our university's public library. I wrote seven similar scripts named trypassword.pl, trypassword2.pl, ..., and trypassword7.pl respectively, to probe EAS's login system using different password patterns. Based on student IDs, phone numbers, Chinese names, and birthdays extracted from the Personal ID numbers, I luckily cracked a total of 738 accounts (well above 12%) of the students in Grade 03.

I'd like to write down some typical passwords cracked by my Thief project. I wonder if you can figure out the "meaning" yourself:

3030202018 19841101, 198467 841206, 05185763926, 6880313, 13706256959 zhoujie, lxb, liu zhangmu1985, zhou1985, py1983 lxx3482858, 7301572huyewen
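A defender-side counterpart to the password patterns listed above, added here as an example and not part of the original post: a registration-time password check that rejects any password that is, or embeds, the account holder's own student ID, phone number, birthday, or name pinyin (with or without a birth year). The profile values, the `min_len` threshold and the helper names are constructed for this example.

```python
import re
from datetime import date

# Constructed user record (hypothetical values, not from the original post):
# student ID, phone number, birth date and the pinyin syllables of the name.
SAMPLE_PROFILE = {
    "student_id": "0312345678",
    "phone": "13900000000",
    "birthday": date(1985, 4, 16),
    "pinyin": ["zhou", "jie"],   # surname first, as in Chinese names
}

def personal_tokens(profile):
    """Strings derived from the user's own data that a password must not reuse."""
    d = profile["birthday"]
    full = "".join(profile["pinyin"])                 # "zhoujie"
    initials = "".join(s[0] for s in profile["pinyin"])  # "zj"
    years = {str(d.year), f"{d.year % 100:02d}"}     # "1985", "85"
    tokens = {
        profile["student_id"], profile["phone"], full, initials,
        d.strftime("%Y%m%d"), d.strftime("%y%m%d"), d.strftime("%m%d"),
        d.strftime("%Y%m"), d.strftime("%y%m"),
    }
    # name + year combinations, e.g. "zhou1985", "zj85", "zhoujie1985"
    for name in (full, initials, profile["pinyin"][0]):
        for y in years:
            tokens.add(name + y)
    return tokens

def check_password(password, profile, min_len=10):
    """Return (accepted, reason). Personal-data reuse is checked first."""
    pw = password.lower()
    for tok in personal_tokens(profile):
        t = tok.lower()
        # exact reuse is always rejected; substring reuse only for tokens long
        # enough not to cause false positives (e.g. two-letter initials)
        if pw == t or (len(t) >= 4 and (t in pw or pw in t)):
            return False, f"contains personal data ({tok})"
    if len(pw) < min_len:
        return False, "too short"
    if re.fullmatch(r"\d+", pw) or re.fullmatch(r"[a-z]+", pw):
        return False, "single character class"
    return True, "ok"
```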

Thanks to the Imegen.exe program shipped with Windows, I got a GBK-PinYin mapping list within only a few minutes by using the Reverse-Conversion function provided by this tool. The data were actually extracted from the WINPY.MB file used by the Quan Pin IME (Input Method Editor). So we have no reason to worry about the correctness and completeness of our mapping list.