Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: manipulating query strings
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Wed, 25 Feb 2004 23:10:43 -0800

mabey graphically this clarifies things...

the below does work with a GET

---------- snip ----------
<form method="POST" action="http://www.geobytes.com/IpLocator.htm?GetLocation";>
 <input type="hidden" name="cid" value="0">
 <input type="hidden" name="c" value="">
 <input type="hidden" name="Template" value="iplocator.htm">
 <h3>IP Address to locate:<input type="text" name="ipaddress" size="15"
value="">&nbsp;<input type="submit" value="Submit">
---------- snip ---------------

 you change the "POST" to a "GET", it does not load

http://www.geobytes.com/IpLocator.htm?GetLocation?cid=0&c=&Template=iplocator.ht
m&ipaddress=0.0.0.0

yet,
-------- snip ----------
<FORM METHOD="GET" ACTION="http://www.cracks.spb.ru";
ENCTYPE="application/x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="page" VALUE="0">
Search cracks:
<INPUT TYPE="text" NAME="ss" VALUE="" SIZE=15>
<INPUT TYPE="submit" NAME="Search" VALUE="Search">
<BR></FORM>
--------- snip ----------

the above does work with a GET

so you can have an accept / deny rule based on the "METHOD"
obviously cracks.spb.ru accepts any "METHOD" while geobytes.com
only accepts a "POST"  METHOD. "hidden" tags are only client based
and the server script has no way to tell if it ( the info submitted )
was "hidden" or not.

hope this helps,

Donnie Werner
http://exploitlabs.com



The hidden input fields don't differ from any other input field, except of
course that if your browser is given a HTML form with >fields, it doesn't show
the hidden fields. So the hidden fields can be modified just like any other
fields, and when your browser >sends a form to the web server, it simply lists
all fields with their values - it doesn't differentiate between hidden and
visible.

Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say
generally no. I believe the default is, if the >web application gets a field
called "name" both as a POST data and as a URL parameter (script.asp?name=value)
then the >POSTed field overrides the URL field.

So, 1) it all depends on the web application and 2) most likely with defaults,
you can't.

If not, you can of course just take the HTML page with the form and save it to
your hard drive, and change the hidden fields to >something else with notepad,
or just delete them and pass the values in the URL.

All and all, if you aren't trying to accomplish XSS then I'd say you should try
perl's LWP (lib-www-perl) module: it's a simple >library you can easily use to
post any parameters you want and send arbitrary User-Agent versions etc.,
whatever suits your >needs.




---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]