HellBound Hackers | Computer General | Web hacking

Password recovery Javascript - NEED HELP -
Posted on 10-04-09 12:40
Hi everyone

A couple of days ago, I came upon a site with a password recovery tool:
Code
<input type="text" value="" size="20" name="auth[username]" id="UNAME_LP"/>

and here is the submit button:
Code
<a class="formbutton" href="javascript:void(mailPassword())" style="float: right;">Send Email</a>

Moreover, I came upon this JavaScript later in the source code:
Code
function mailPassword() {
    // Read the username typed into the UNAME_LP field
    var uname = document.getElementById('UNAME_LP');
    // Call the server-side mailer; only the username is sent in the query string
    if (callUrl('/*/*/ajax/mailpassword.html?auth[username]=' + encodeURIComponent(uname.value))) {
        notice("Your Password will now be sent");
    } else {
        notice("Error");
    }
}

If I click the submit button with the user "Test", it generates this URL:
Code
mailpassword.html?auth[username]=Test

I tried to generate this URL:
Code
mailpassword.html?auth[username]=Test&data[Email]=a@email.com

but this did not give any result.

Any ideas on how to bypass this one? Any help would be highly appreciated :)

Edited on 10-04-09 22:06

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 12:52
Try to trace it and figure out where it stops working. Have you set up your server so that the mail function works?

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 13:16
@c4p_sl0ck: I'm really sorry, but I don't really understand you... what do you mean by tracing a site? As for the second question: I did not set up any server; it's a site I came upon a couple of days ago.

@MoshBat: So you think there is no way to bypass this one? Not even if I change the JavaScript snippet?

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 17:49
MoshBat wrote:
Okay, what is most likely happening is:
It is using $_GET (PHP) to get the username.
Then it is sending the email for that user, if it exists.
I doubt you can just change little bits of the URL to get an email sent to you.


I have to agree with MoshBat, the mail part is most probably server-side, which makes it more secure. Although there's a 'very' small chance that you can still change the email part.

As you can see in the URL (from the JavaScript) they use arrays in the URL, like this "/mailpassword.html?auth[username]=", the PHP function that can handle these links is parse_str. So that would mean that the code could look something like this:

Code
<?php

$aData['sEmail'] = 'test@test.com'; // Works! Set BEFORE parse_str, so the query string can overwrite it.

if (!empty($_GET["aData"])) {
    // One-argument parse_str() extracts every query key into the current scope,
    // so aData[...] from the URL replaces the $aData defined above.
    parse_str($_SERVER['QUERY_STRING']);
    // $aData['sEmail'] = 'test@test.com'; // Doesn't work: set AFTER parse_str, so it overrides the query string.
    print_r($aData);
}
?>

<html>
 <head><title>parse_str</title></head>
 <body style="font: 12px Verdana;">
  <br /><br />
  <form method="GET">
   Username: <input type="text" name="aData[sUsername]" /><input type="submit" value="Send!" />
  </form>
 </body>
</html>

So in this case you can use this link /code.php?aData[sUsername]=Bla&aData[sMail]=mymail@test.com, it will overwrite the pre-defined variable and replace it with yours. But as you probably noticed (see the comments) it only works if the sMail variable is defined before parse_str is used.

So considering what MoshBat said, that the mail address is done server-side, based on the username, is most likely. Which means that this won't work.

I hope this post clears up a few things.
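The pattern described in the post above, a pre-set variable clobbered by one-argument parse_str(), shown beside the fix that keeps the recipient address under server control. This is an added example, not code from the thread or from the site being discussed; USERS, recipientVulnerable and recipientHardened are made-up names.

```php
<?php
// Added example (not from the thread). Names are illustrative.

// Constructed user table standing in for a database lookup.
const USERS = ['Test' => 'owner@example.com'];

// Mirrors the thread's snippet: parse_str() with ONE argument extracts every
// query key into the current scope, so the pre-set $aData is replaced by
// whatever the client sends as aData[...]. The one-argument form was
// deprecated in PHP 7.2 and removed in PHP 8.0, so this only runs on old PHP.
function recipientVulnerable(string $queryString): ?string
{
    $aData = ['sEmail' => USERS['Test']];   // "defined before parse_str"
    parse_str($queryString);                 // clobbers $aData
    return $aData['sEmail'] ?? null;         // attacker-controlled if injected
}

// Hardened: parse into a dedicated array, take only the username from it,
// and resolve the recipient address server-side. Client-supplied email
// fields are never consulted, so extra query keys change nothing.
function recipientHardened(string $queryString): ?string
{
    parse_str($queryString, $params);
    $username = $params['aData']['sUsername'] ?? null;
    if (!is_string($username) || !isset(USERS[$username])) {
        return null;                         // unknown user: send nothing
    }
    return USERS[$username];
}

// Constructed request: a legitimate username plus an injected email field.
$qs = 'aData[sUsername]=Test&aData[sEmail]=attacker@example.com';

var_dump(recipientVulnerable($qs)); // the injected address wins
var_dump(recipientHardened($qs));   // the address on file for "Test" wins
```

A quick check for this class of bug in a PHP code base is to grep for parse_str( calls with a single argument and for extract($_GET) / extract($_REQUEST), which have the same scope-clobbering effect.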

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 19:12
Well, at least I tried^^ Thanks everyone for the replies, it helped a lot :)

P.S.: found a SQL injection on this site, gonna work in that direction ;)

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 19:30
Lol noo I don't trash 'em, it's actually for educational purposes only :D
When I'm finished with the site, I'm gonna laugh at the admin and forget this site the very next day^^

RE: Password recovery Javascript - NEED HELP -

korg
Admin from hell
Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank:
God
Posted on 10-04-09 20:25
Well yeah, just forget about it 'cause it would be stupid to help them fix it.

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 21:46
@korg: in most cases, admins don't even respond to emails ;) dunno if they read the messages, but still there will be no changes... if they don't care about their site's security, why should I ;)
@Moshbat: lol I'm not a big man, I just don't see the point in demolishing every site I can, I still believe that the best hacker is the one who does his work without anyone noticing it ;)

RE: Password recovery Javascript - NEED HELP -
Posted on 10-04-09 22:05
a) I don't think that it changes much when I post on a public forum like this, it could be any site on the inet, as I have changed the titles of the pages and other details
b) I have never said that I am the one who always stays unnoticed, I am just trying to achieve this ;)
c) I think you overestimate the popularity of this site when calling it the spotlight :P
d) I think it's getting really off topic by now...