JS密码脚本 [英] JS password script
问题描述
大家好,
我正在尝试使用JS密码保护我网站中的页面
计划。
现在我知道JS可以很容易地绕过,但我来了一个代码
以下。
我的问题是:
1.有没有办法为这个脚本找到密码?怎么容易?
2. JS中是否有更强大的方案?
< SCRIPT>
var texts =" 5d4v129v3387ff76" ;;
var interpret ="" ;;
var whatisthis =" var xorm = prompt(''输入密码:'','''');
(x = 1; x <6; x ++){interpret + =(texts.indexOf(x));}如果
(xorm ==解释){interpret =解释+
''。php''; location.href = interpret;} else {location.href =''login.php'';}" ;;
eval(whatisthis);
< / SCRIPT>
谢谢大家。
m。
Hello all,
I am trying to protect a page within my site with a JS password
scheme.
Now I know JS can be quite easily "circumvented", but I came by a code
below.
My question is:
1. Is there a way to find a password for this script? How easily?
2. Is there a stronger scheme available in JS?
<SCRIPT>
var texts = "5d4v129v3387ff76";
var interpret = "";
var whatisthis = "var xorm = prompt(''Enter the password:'','''');for
(x=1; x<6; x++) {interpret += (texts.indexOf(x));}if
(xorm==interpret){interpret = interpret +
''.php'';location.href=interpret;}else{location.href =''login.php'';}";
eval(whatisthis);
</SCRIPT>
I thank you all.
m.
推荐答案
Max写道:
大家好,
我正在努力保护页面在我的网站内有一个JS密码
方案。
现在我知道JS可以很容易地绕过,但我来了一个代码
下面。
我的问题是:
1.有没有办法找到密码这个脚本?如何轻松?
2. JS中是否有更强大的方案?
< SCRIPT>
var texts =" 5d4v129v3387ff76" ;;
var interpre =" ;" ;;
var whatisthis =" var xorm = prompt(''输入密码:'','''');
(x = 1; x< 6; x ++){解释+ =(texts.indexOf(x));}如果
(xorm ==解释){interpret = interpret +
''。php''; location.href = interpret;} else {location .href =''login.php'';}" ;;
eval(whatisthis);
< / SCRIPT>
谢谢大家。
m。
Hello all,
I am trying to protect a page within my site with a JS password
scheme.
Now I know JS can be quite easily "circumvented", but I came by a code
below.
My question is:
1. Is there a way to find a password for this script? How easily?
2. Is there a stronger scheme available in JS?
<SCRIPT>
var texts = "5d4v129v3387ff76";
var interpret = "";
var whatisthis = "var xorm = prompt(''Enter the password:'','''');for
(x=1; x<6; x++) {interpret += (texts.indexOf(x));}if
(xorm==interpret){interpret = interpret +
''.php'';location.href=interpret;}else{location.href =''login.php'';}";
eval(whatisthis);
</SCRIPT>
I thank you all.
m.
这是一个经常被问到的问题。您可以使用
javascript安全地保护页面,但是这种努力是令人望而却步的。
使用算法加密页面。编写您自己的或者,例如,
示例,javascript中的标准算法,如三重DES。使用输入的
密码来解密页面。
由于页面上没有密码,因此页面是安全的
选择
算法。
但是,维护这样的页面非常困难。使用服务器端解决方案你会做得更好
。
除了上述内容,你的一些客户还会关闭javascript。
他们将无法进入您的网站。
This is a often asked question. You CAN protect a page securely with
javascript, but the effort is prohibitive.
Use an algorithm to encrypt the page. Write your own or there are, for
example, standard algorithms in javascript like triple DES. Use the
password entered to decrypt the page.
Since the password doesn''t exist on the page, the page is secure as the
algorithm chosen.
However, maintaining such a page is very difficult. You will do MUCH
better using a server side solution.
Besides the above, some of your clients will have javascript turned off.
They will be unable to enter your site.
在文章< pt ************** ******************@4ax.com> ;, Max< no ***** @ all.ws>
写道:
In article <pt********************************@4ax.com>, Max <no*****@all.ws>
writes:
大家好,
我正在尝试使用JS密码
方案来保护我网站中的页面。
现在我知道JS可以很容易被规避,但我来自下面的代码
。
错误代码。
我的问题是:
1。有没有办法找到这个脚本的密码?多么容易?
见下文。
2. JS中是否有更强大的方案?
是的,它也很容易被规避。
< SCRIPT>
var texts =" 5d4v129v3387ff76" ;;
var interpret ="" ;;
var whatisthis =" var xorm = prompt(''输入密码:'','''');
(x = 1; x< 6 ; x ++){interpret + =(texts.indexOf(x));}如果
(xorm == interpret){interpret = interpret +
''。php''; location.href = interpret; } else {location.hre f =''login.php'';}" ;;
eval(whatisthis);
< / SCRIPT>
Hello all,
I am trying to protect a page within my site with a JS password
scheme.
Now I know JS can be quite easily "circumvented", but I came by a code
below.
Bad code at that.
My question is:
1. Is there a way to find a password for this script? How easily?
See below.
2. Is there a stronger scheme available in JS?
Yes, and it is just as easily circumvented.
<SCRIPT>
var texts = "5d4v129v3387ff76";
var interpret = "";
var whatisthis = "var xorm = prompt(''Enter the password:'','''');for
(x=1; x<6; x++) {interpret += (texts.indexOf(x));}if
(xorm==interpret){interpret = interpret +
''.php'';location.href=interpret;}else{location.hre f=''login.php'';}";
eval(whatisthis);
</SCRIPT>
让我们重新编写它,没有eval:
var texts =" 5d4v129v3387ff76" ;;
var interpret =" ;" ;;
var xorm = prompt(''输入密码:'','''');
for(x = 1; x< 6; x ++)
{interpret + =(texts.indexOf(x));}
if(xorm == interpret)
{interpret = interpret +''。php''; location.href = interpret;}
else
{location。 href =''login.php'';}" ;;
现在,让脚本本身告诉我们interpet持有什么:
var texts = " 5d4v129v3387ff76";
var interpret ="" ;;
var xorm = prompt(''输入密码:'',''''); < (/ x $ 1;
; X - 10 6; x ++)
{interpret + =(texts.indexOf(x));}
alert(解释)
//给我45820
if(xorm ==解释)
{
alert(''你做对了'')
// interpret = interpret +''。php''; location.href = interpret;
}
else
{
提醒(''你错了'')
//location.href=''login.php'';
} ;
输入45820警告我,我说得对。
获得它的时间:不到60秒。
- -
Randy
Lets re-write it, without the eval:
var texts = "5d4v129v3387ff76";
var interpret = "";
var xorm = prompt(''Enter the password:'','''');
for (x=1; x<6; x++)
{interpret += (texts.indexOf(x));}
if(xorm==interpret)
{interpret = interpret + ''.php'';location.href=interpret;}
else
{location.href=''login.php'';}";
Now, lets have the script itself tell us what interpet holds:
var texts = "5d4v129v3387ff76";
var interpret = "";
var xorm = prompt(''Enter the password:'','''');
for (x=1; x<6; x++)
{interpret += (texts.indexOf(x));}
alert(interpret)
//Gives me 45820
if (xorm==interpret)
{
alert(''You got it right'')
//interpret = interpret + ''.php'';location.href=interpret;
}
else
{
alert(''You Got it Wrong'')
//location.href=''login.php'';
};
Entering 45820 alerts me that I got it right.
Time to get it: less than 60 seconds.
--
Randy
我试图用我的网站保护页面一个JS密码
方案。
现在我知道JS可以很容易地绕过,但我来自下面的代码
。
您发布的代码的密码是45820。如果您输入此密码,您将被重定向到页面
" 45820.php" (当前服务器),如果您输入任何其他字符串,您将被重定向到login.php;页面。
为了从发布的代码中获取密码,可以使用此块:
var texts =" 5d4v129v3387ff76" ;;
var interpret ="" ;;
for(x = 1; x< 6; x ++){interpret + =(texts.indexOf(x));} <
警报(解释);
(这避免了在晦涩的文本中手动计算数字1..6的位置的负担。 />
string :))
我的问题是:
1.有没有办法找到这个脚本的密码?多么容易?
让我这样回答:你在23:40发布了你的消息,大约23:55读了它,现在是0:21。
此外,有一位同事是谁回答它的速度比我快。
2. JS中是否有更强大的方案?
I am trying to protect a page within my site with a JS password
scheme.
Now I know JS can be quite easily "circumvented", but I came by a code
below.
The password to the code you posted is "45820". If you enter this password, you will be redirected to the page
"45820.php" (current server), if you enter any other string you will be redirected to the "login.php" page.
For obtaining the password from the posted code, this chunk can be used:
var texts = "5d4v129v3387ff76";
var interpret = "";
for(x=1; x<6; x++) {interpret += (texts.indexOf(x));}
alert(interpret);
(This circumvents the burden of manually counting the positions of the numbers 1..6 in the obscure "texts"
string :) )
My question is:
1. Is there a way to find a password for this script? How easily? Let me answer it this way: You posted your message at 23:40, I read it approximately 23:55, it is now 0:21.
Moreover, there is one colleague who answered it way more quickly than me.
2. Is there a stronger scheme available in JS?
您可以尝试以下方法:不要做决定是正确的密码在Javascript中,因为
这将要求您将(1)存储在脚本中的密码作为普通字符串(这是非常可笑的)或(2)以一些混淆的方式存储的密码加上你的脚本使用的机制
去混淆它(这很容易破解:只需在无关紧要的情况下插入警报(...)复杂的
解密例程.HikksNotAtHome我就是这样做的,因为我们懒得手动弄明白。
无论哪种方式,你都提供破解你所需要的一切与页面捆绑在一起的保护。
我能想到的唯一可能性是:保留决定密码是否正确。到服务器,
从那以后你不必将密码存储在客户端(即在你的Javascript中)。只需将用户输入的字符串重定向到
:如果是有效的密码,字符串,然后页面将出现,如果不是这样,
服务器将发送给你404(文件未找到)。除非您的服务器允许目录内容列表,否则这应该比上述想法更安全。
不要误会我的意思:无论你从哪个角度看在它,所有这一切都是一个穷人的密码
保护。例如,第二种方法会遇到任何知道网址即刻具有访问权限的人,这意味着:快速浏览一下访问受保护页面的计算机的浏览器缓存,或者代理
记录到服务器的某个地方,会破坏你的保护。但它总比没有好。
对于任何体面的密码保护,你(imho)肯定需要一个服务器端解决方案;考虑PHP或Perl。
最好的问候
Hendrik Krauss
You could try the following: Don''t make the decision "is that the correct password" in the Javascript, since
this will require that you have either (1) the password stored in your script as a plain string (which is
ridiculous) or (2) the password stored in some obfuscated way plus a mechanism your script uses for
de-obfuscating it (which is trivial to crack: just insert an alert(...) after the no-matter-how-complicated
decryption routine. HikksNotAtHome an I did it that way since we were too lazy to figure it out manually).
Either way, you are delivering everything needed for cracking your protection bundled with the page.
The only possibility I can think of is this: Leave the decision "is that password correct" to the server,
since then you don''t have to have the password stored client-side (i.e. in your Javascript). Just redirect to
the string the user entered: if it is the valid "password" string, then the page will appear, if not so, the
server will send you a 404 (file not found). Unless your server allows directory content listing, this should
be somewhat more secure than the above idea.
Don''t get me wrong: no matter from which angle you look at it, all this is pretty much a poor man''s password
protection. The second method, for example, suffers from anyone knowing the url instantly having access, which
means: a quick glance at the browser cache of a machine that accessed the ''protected'' page, or at the proxy
logs somewhere along the way towards the server, will break your protection. But it''s better than nothing.
For any decent password protection, you''ll (imho) definitely need a server-side solution; consider PHP or Perl.
Best regards
Hendrik Krauss
这篇关于JS密码脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
