A record of an attack on a PHP chat room

Source: Internet
Author: User
Speaker: Kent | Speaking time: 2001-09-10 15:17:56
Excerpt from: Morning Breeze Creative
Original Author: Eastdark

--------------------------------------------------------------------------------

A netizen called "Small Good" gave me the IP of a chat room and asked me to take a look. At first I wanted to break into its server, but my skills were probably not up to it: I tried for more than 10 minutes and still did not get in. So I decided just to look for bugs in the chat room itself. The chat room is evidently built with PHP + MySQL. Its sections are: user registration, forgot password, modify information, user suicide, chat god list, chat instructions, and refresh list. And then there is the chat itself.
I casually registered a user name; following my usual preference I registered the user xxxxxx, and logged in.
Where to start? I decided to look at the modify-information page first, since chat rooms in general always have a hole of this kind. Clicking modify information leads to a screen that asks for the user name and password. After entering them and clicking next, you reach the data modification page. Yes! On that page the user nickname is in fact the user name. I immediately viewed the source and saw the following HTML:
=================================================cut===========
<form name="Ezchat" action="modifyed.php" method="post" enctype="Multipart/form-data">
<input type="hidden" name="active" value="Change">
<input type="hidden" name="user_name" value="xxxxxx">
<input type="hidden" name="user_passwd_t" value="xxxxx">
<table cellspacing=1 cellpadding=2 width="675" border=0 align=center "#FFFFFF">
<tr align=center bgcolor="#FFD193">
<td colspan="4" height=""> User Information </td>
</tr>
<tr align=center bgcolor="#FFEACE">
<td width="20%" height="">
<div align="left"> User nickname: <font color="#FF0000"><b>*</b></font></div>
</td>
<td width="30%" height="">
<div align="Left">
<input type="text" name="user_name_1" readonly class="input" value="xxxxxx">
</div>
</td>
==========================================end==================
Obviously, the two hidden fields are used to decide whether you have the right to modify the data, but the author did not consider that relying on a readonly input box is not safe. As with an ASP forum I looked at last time, readonly does not solve anything. As usual, I saved the page locally, left the two hidden fields unchanged, and removed readonly. Then I went to the chat god list and picked a user name at random. I modified the form's action, remembering to prefix it with the URL path, and then changed the user nickname. I pressed "Modify", and what appeared?
=========================================
Modified successfully

Congratulations, you have successfully modified the information \ ^_^/

==========================================
Haha, so I grabbed a user name. Although I did not get into the server, I still got a good user name, so the effort was not wasted. To sum up: when we encounter a form submission, we can think about modifying the form's values to achieve something the administrator never imagined. This is also a good way to train our powers of observation! :)
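
The server-side view of the flaw described above, as an added example that is not part of the original article and is not the chat room's code: a hypothetical handler that trusts the readonly field, beside one that takes identity from the session and rejects an edited nickname. The users table, the email field and the $session array are assumptions, and the demo needs PHP's pdo_sqlite extension.

```php
<?php
// Added example: hypothetical handlers, not the chat room's real modifyed.php.
// Table and column names and the "email" field are assumptions.

// Vulnerable pattern: the new nickname is taken from the "readonly" field.
function modify_vulnerable(PDO $db, array $post): bool {
    $st = $db->prepare('SELECT id FROM users WHERE name = ? AND passwd = ?');
    $st->execute([$post['user_name'], $post['user_passwd_t']]);
    $id = $st->fetchColumn();
    if ($id === false) {
        return false;
    }
    $up = $db->prepare('UPDATE users SET name = ?, email = ? WHERE id = ?');
    return $up->execute([$post['user_name_1'], $post['email'], $id]);
}

// Hardened pattern: identity comes from the server-side session, and the
// display-only nickname is never written from request data.
function modify_hardened(PDO $db, array $session, array $post): bool {
    if (empty($session['user_id'])) {
        return false; // not logged in
    }
    $st = $db->prepare('SELECT name FROM users WHERE id = ?');
    $st->execute([$session['user_id']]);
    $name = $st->fetchColumn();
    if ($name === false) {
        return false;
    }
    // A mismatch means the form was edited client-side: reject and log it.
    if (isset($post['user_name_1']) && $post['user_name_1'] !== $name) {
        error_log("nickname field tampered, user id {$session['user_id']}");
        return false;
    }
    $up = $db->prepare('UPDATE users SET email = ? WHERE id = ?');
    return $up->execute([$post['email'] ?? '', $session['user_id']]);
}

// Constructed data: bob submits the saved form with the nickname set to "alice".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, passwd TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, passwd, email) VALUES
    ('alice', 'pw-a', 'a@example.test'), ('bob', 'pw-b', 'b@example.test')");
$post = ['user_name' => 'bob', 'user_passwd_t' => 'pw-b',
         'user_name_1' => 'alice', 'email' => 'b@example.test'];
var_dump(modify_hardened($db, ['user_id' => 2], $post));
var_dump(modify_vulnerable($db, $post));
echo $db->query("SELECT COUNT(*) FROM users WHERE name = 'alice'")->fetchColumn(), "\n";
```

The hardened call is made first and refuses the request without touching the table; the vulnerable call then accepts the same input, leaving two rows with the same name.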


