March 29, 2024, 08:08:35 AM

News:

Own IWBasic 2.x ? -----> Get your free upgrade to 3.x now.........


How to grab a password

Started by sapero, September 08, 2006, 01:20:46 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

sapero

September 08, 2006, 01:20:46 PM Last Edit: September 08, 2006, 01:31:21 PM by sapero
A man can forget. If you allow a cookie and autocomplete passwords for favorite forum like ionicwind, you can forget the password.
You can always run third party software for password recovery (check site nirsoft.net), but you don't know how it works!

// compile for console

// this example enumerates all passwords from all opened standard 'HTML' windows
#include "EnumHtmlPasswords.inc"
declare *ObjectFromLresult(int lResult, GUID* riid, int wParam, void* ppvObject),int;
int g_pwsFound;


global sub main()
{
ObjectFromLresult = GetProcAddress(LoadLibrary("oleacc.dll"), "ObjectFromLresult");
if (!ObjectFromLresult)
{
print("sorry, oleacc.dll::ObjectFromLresult not found"); return _getch();
}
SetGuid(&_IID_IHTMLInputElement, 810612178,298817717,-1442807109,198098176);

print("open any site, go to login, and type any password\nthen press any key to continue\n>",);
_getch();
print("\n\n");

UINT nMsg = RegisterWindowMessage("WM_HTML_GETOBJECT");

CoInitialize(NULL);
EnumChildWindows(GetDesktopWindow(), &EnumWindowsProc, nMsg);
CoUninitialize();


print("\n\nfinished.");
if (!g_pwsFound) print("no passwords found");
_getch();
}



sub EnumWindowsProc(int hwnd, int nMsg),BOOL
{
dstring classname[64];
classname[0] = 0;
GetClassName(hwnd, &classname, 64);

if (classname == "Internet Explorer_Server")
{
DWORD dwResult;
IHTMLDocument2 *spDoc;
SendMessageTimeout(hwnd, nMsg, 0, 0, SMTO_ABORTIFHUNG, 1000, &dwResult);

if (!ObjectFromLresult(dwResult, _IID_IHTMLDocument2, 0, &spDoc ))
{
wstring* bstrUrl = null;
if (!spDoc->get_URL(&bstrUrl) && (bstrUrl))
{
print("---------------\nsite: ", w2s(*(wstring)bstrUrl));
SysFreeString(bstrUrl);
}
EnumPasswords(spDoc);
spDoc->Release();
}
}
return true; // continue enumerating
}




sub EnumPasswords(IHTMLDocument2 *spDoc)
{
IHTMLElementCollection *pColl = null;
if (!spDoc->get_all(&pColl) && (pColl))ÂÃ,  ÂÃ, // document.all
{
VARIANT vTag;
vTag.vt = VT_BSTR;
vTag.bstrVal = SysAllocString(L"INPUT");
IDispatch *pdisp = null;
if (!pColl->tags(vTag, &pdisp) && (pdisp))ÂÃ,  // element = document.all.tags("INPUT")
{
IHTMLElementCollection *pInputCollection;
if (!pdisp->QueryInterface(_IID_IHTMLElementCollection, &pInputCollection))
{
VARIANT vName, vIndex;
vName.vt = VT_I4; vIndex.vt = VT_EMPTY;
LONG count = 0;
pInputCollection->get_length(&count);
for (vName.intVal=0; vName.intVal<count; vName.intVal++)
{
IDispatch *pInputdisp = null;
if (!pInputCollection->item(vName, vIndex, &pInputdisp) && (pInputdisp))ÂÃ,  // element[index]
{
IHTMLInputElement *input;
if (!pInputdisp->QueryInterface(_IID_IHTMLInputElement, &input))
{
wstring* bstrType = null;
if (!input->get_type(&bstrType) && (bstrType))ÂÃ,  // if element[index].type = "password"
{
if (*(wstring)bstrType == L"password")
{
wstring* bstrPassword = null;
if (!input->get_value(&bstrPassword) && (bstrPassword))
{
g_pwsFound++;
print(" - password: ",w2s(*(wstring)bstrPassword));ÂÃ,  // print element[index].value
SysFreeString(bstrPassword);
}
}
SysFreeString(bstrType);
}
input->Release();
}
pInputdisp->Release();
}
}
pInputCollection->Release();
}
}
SysFreeString(vTag.bstrVal);
}
}


include attached:

kryton9

Sapero, you are coming up with really cool stuff. Thanks for sharing.
I am amazed with all the neat things you write and how you ever figure all of this out is beyond me.
This goes for your other examples too, I just didn't want to write the same message on all of them.

Thanks.