Password recovery Javascript - NEED HELP -
Hi everyone
Couple of days ago, I came upon a site with a password recovery tool:
```html
<input type="text" value="" size="20" name="auth[username]" id="UNAME_LP"/>
```
and here the submit button:
```html
<a class="formbutton" href="javascript:void(mailPassword())" style="float: right;">Send Email</a>
```
Moreover, I came upon this javascript later in the source code:
```javascript
// Function header reconstructed from the button's javascript:void(mailPassword()) call;
// the snippet as posted began at the line below.
function mailPassword() {
  var uname = document.getElementById('UNAME_LP');
  // The username is the only value the client sends; the server decides where the mail goes.
  if (callUrl('/*/*/ajax/mailpassword.html?auth[username]=' + encodeURIComponent(uname.value))) {
    notice("Your Password will now be sent");
  } else {
    notice("Error");
  }
}
```
If i click the submit button with the user "Test", it generates this url:
`mailpassword.html?auth[username]=Test`
I tried to generate this url:
`mailpassword.html?auth[username]=Test&data[Email]=a@email.com`,
but this did not give any result
Any ideas on how to bypass this one? Any help would be highly appreciated :)
@c4p_sl0ck: I'm really sorry, but I don't really understand you… what do you mean by tracing a site? For the second question: I did not set up any server, it's a site I came upon a couple of days ago.
@MoshBat: So you think there is no way to bypass this one? Not even if I change the javascript snippet?
MoshBat wrote: Okay, what is most likely happening is: It is using $_GET (PHP) to get the username. Then it is sending the email for that user, if it exists. I doubt you can just change little bits of the URL to get an email sent to you.
I have to agree with MoshBat, the mail part is most probably server-side, which makes it more secure. Although there's a 'very' small chance that you can still change the email part.
As you can see in the URL (from the javascript) they use arrays in the URL, like this "/mailpassword.html?auth[username]=", the PHP function that can handle these links is parse_str. So that would mean that the code could look something like this:
```php
<?php
$aData['sEmail'] = 'test@test.com'; // Works!
if(!empty($_GET["aData"])) {
    // Single-argument parse_str() writes every query key straight into the
    // current scope (deprecated in PHP 7.2, removed in 8.0), so the whole
    // $aData array is replaced by whatever the client sent.
    parse_str($_SERVER['QUERY_STRING']);
    // $aData['sEmail'] = 'test@test.com'; // Doesn't work.
    print_r($aData);
}
?>
<html>
<head><title>parse_str</title></head>
<body style="font: 12px Verdana;">
<br /><br />
<form method="GET">
Username: <input type="text" name="aData[sUsername]" /><input type="submit" value="Send!" />
</form>
</body>
</html>
```
So in this case you can use this link /code.php?aData[sUsername]=Bla&aData[sMail]=mymail@test.com, it will overwrite the pre-defined variable and replace it with yours. But as you probably noticed (see the comments) it only works if the sMail variable is defined before parse_str is used.
So considering what MoshBat said, it is most likely that the mail address is determined server-side, based on the username. Which means that this won't work.
I hope this post clears up a few things.
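To make the parse_str() point concrete from the defending side, here is an added example (not code from the thread or from the site discussed) that puts the overwrite pattern above next to a hardened handler. The query string and the `USERS` array are constructed stand-ins for a request and a user database.

```php
<?php
// Added example, not from the thread: the parse_str() overwrite described
// above beside a hardened handler. Query string and user store are constructed.
$query = 'aData[sUsername]=Bla&aData[sMail]=attacker@example.com'; // constructed input

// Vulnerable pattern: the one-argument form of parse_str() writes every
// query key into the current scope, so the whole $aData array, including
// the e-mail the application pre-set, is replaced by the client's array.
function vulnerableHandler(string $query): array
{
    $aData = ['sEmail' => 'owner@example.com']; // what the app intended to use
    if (PHP_VERSION_ID < 80000) {
        parse_str($query); // deprecated in 7.2; overwrites $aData wholesale
    }
    // On PHP 8 the one-argument call throws ArgumentCountError instead,
    // so the overwrite is no longer possible and $aData is returned intact.
    return $aData;
}

// Hardened pattern: parse into a dedicated array, accept only the single
// field the client may supply, and resolve the address server-side.
const USERS = ['Bla' => 'owner@example.com']; // constructed stand-in for the DB

function hardenedHandler(string $query): ?array
{
    parse_str($query, $params); // two-argument form: nothing leaks into scope
    $username = $params['aData']['sUsername'] ?? null;
    if (!is_string($username) || $username === '' || !isset(USERS[$username])) {
        return null; // unknown user: send nothing, and do not tell the client why
    }
    // Any aData[sMail] the client sent is simply ignored.
    return ['sUsername' => $username, 'sEmail' => USERS[$username]];
}

print_r(vulnerableHandler($query));
print_r(hardenedHandler($query));
```

On PHP 7 the first print shows the client's array in place of the pre-set address; the second always shows the address from the store.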
@korg: in most cases, admins don't even respond to emails ;) Dunno if they read the messages, but still there will be no changes… if they don't care about their site's security, why should I ;) @Moshbat: lol I'm not a big man, I just don't see the point in demolishing every site I can, I still believe that the best hacker is the one who does his work without anyone noticing it ;)
a) I don't think that it changes much when I post on a public forum like this, it could be any site on the inet, as I have changed the titles of the pages, and others b) I have never said that I am the one who always stays unnoticed, I am just trying to achieve this ;) c) I think you overestimate the popularity of this site when calling it spotlight :p d) I think it's getting really off topic by now…