Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


Re: manipulating query strings
.

  • To: <[EMAIL PROTECTED]>
  • Subject: Re: manipulating query strings
  • From: "morning_wood" <[EMAIL PROTECTED]>
  • Date: Wed, 25 Feb 2004 23:10:43 -0800
  • References: <[EMAIL PROTECTED]>
.
 
mabey graphically this clarifies things...

the below does work with a GET

---------- snip ----------
<form method="POST" action="http://www.geobytes.com/IpLocator.htm?GetLocation";>
 <input type="hidden" name="cid" value="0">
 <input type="hidden" name="c" value="">
 <input type="hidden" name="Template" value="iplocator.htm">
 <h3>IP Address to locate:<input type="text" name="ipaddress" size="15"
value="">&nbsp;<input type="submit" value="Submit">
---------- snip ---------------

 you change the "POST" to a "GET", it does not load

http://www.geobytes.com/IpLocator.htm?GetLocation?cid=0&c=&Template=iplocator.ht
m&ipaddress=0.0.0.0

yet,
-------- snip ----------
<FORM METHOD="GET" ACTION="http://www.cracks.spb.ru";
ENCTYPE="application/x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="page" VALUE="0">
Search cracks:
<INPUT TYPE="text" NAME="ss" VALUE="" SIZE=15>
<INPUT TYPE="submit" NAME="Search" VALUE="Search">
<BR></FORM>
--------- snip ----------

the above does work with a GET

so you can have an accept / deny rule based on the "METHOD"
obviously cracks.spb.ru accepts any "METHOD" while geobytes.com
only accepts a "POST"  METHOD. "hidden" tags are only client based
and the server script has no way to tell if it ( the info submitted )
was "hidden" or not.

hope this helps,

Donnie Werner
http://exploitlabs.com



>The hidden input fields don't differ from any other input field, except of
course that if your browser is given a HTML form with >fields, it doesn't show
the hidden fields. So the hidden fields can be modified just like any other
fields, and when your browser >sends a form to the web server, it simply lists
all fields with their values - it doesn't differentiate between hidden and
visible.
>
>Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say
generally no. I believe the default is, if the >web application gets a field
called "name" both as a POST data and as a URL parameter (script.asp?name=value)
then the >POSTed field overrides the URL field.
>
>So, 1) it all depends on the web application and 2) most likely with defaults,
you can't.
>
>If not, you can of course just take the HTML page with the form and save it to
your hard drive, and change the hidden fields to >something else with notepad,
or just delete them and pass the values in the URL.
>
>All and all, if you aren't trying to accomplish XSS then I'd say you should try
perl's LWP (lib-www-perl) module: it's a simple >library you can easily use to
post any parameters you want and send arbitrary User-Agent versions etc.,
whatever suits your >needs.
>



---------------------------------------------------------------------------
----------------------------------------------------------------------------
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.