A colleague's website was stolen (through a Trojan). At first I wanted to steal the site password back, but I reckoned I did not have that level of skill, so I did not try (the site was applied for at Etang).
I saw that he had applied for a guestbook and wondered whether I could get the guestbook back, to scare him and let off some steam. I started by looking at the change-information page (it should be the way in for stealing the password). So I applied for the same kind of guestbook myself, went into the Change column, and viewed the page source, which is as follows:
------------------------------------
<form action="modifyok.asp" method="POST">
<tr class="table001">
<td width="20%" align="right"><table class="jnfont5"> Username:</table></td>
<td width="80%"> Mysoso
<input type="hidden" name="user" value="Mysoso"></td>
</tr>
<tr class="table001">
<td width="20%" align="right"><table class="jnfont5"> Password:</table></td>
<td width="80%">
<input type="text" name="pass" size="" maxlength="" class="input1" value="Mysoso">
* 1-15 bytes </td>
</tr>
<tr class="table001">
<td width="20%" align="right"><table class="jnfont5"> Webmaster name:</table></td>
<td width="80%"><input type="text" size="M" maxlength="" class="input1" name="Zhanzhang" value="Soso">
-----------------------------------------------
Looking carefully, the value of the hidden form field is the user name, so I guessed that the site does not use session control. I copied the source code down and edited it in FrontPage: I changed the value of the hidden field to my colleague's user name and changed the action to the corresponding URL. Then I ran the page on my own machine, modified the password, and submitted it. Oh, it was successful.
PostScript: I actually thought of this method after seeing a friend attack a chat room on the PHP board. Of course, it is best to control this with a session. Besides this, the terrible "or" during password verification also needs attention. I hope you gain something from reading this.
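The session control recommended above, as an added example that is not code from the original post or from the guestbook service: a Python model of the modifyok.asp handler in which the vulnerable version trusts the hidden user field and the hardened version takes the account from the server-side session. Only the form field names user and pass come from the page; the Guestbook class, the session store and the old_pass field are assumptions.

```python
# Added example: a Python model of the guestbook's modifyok.asp handler.
# Only the form fields "user" and "pass" come from the page; the class,
# the session store and "old_pass" are assumptions for illustration.
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Guestbook:
    def __init__(self):
        self.accounts = {}   # username -> (salt, password hash)
        self.sessions = {}   # session id -> username, kept on the server

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = (salt, _hash(password, salt))

    def check(self, user, password):
        salt, stored = self.accounts.get(user, (b"", b""))
        return hmac.compare_digest(stored, _hash(password, salt))

    def login(self, user, password):
        if not self.check(user, password):
            return None
        sid = os.urandom(16).hex()
        self.sessions[sid] = user
        return sid

    def modify_vulnerable(self, form):
        # Behaviour described in the post: the hidden field picks the account.
        self.register(form["user"], form["pass"])
        return True

    def modify_hardened(self, sid, form):
        user = self.sessions.get(sid)        # identity comes from the session
        if user is None:
            return False                     # not logged in
        if form.get("user", user) != user:
            return False                     # hidden field was tampered with
        if not self.check(user, form.get("old_pass", "")):
            return False                     # re-verify the current password
        new = form.get("pass", "")
        if not 1 <= len(new.encode()) <= 15: # the form's "1-15 bytes" rule
            return False
        self.register(user, new)
        return True
```
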