Penetration Testing mailing list archives

Re: manipulating query strings


From: "morning_wood" <se_cur_ity () hotmail com>
Date: Wed, 25 Feb 2004 23:10:43 -0800

Maybe graphically this clarifies things...

the below does work with a GET

---------- snip ----------
<form method="POST" action="http://www.geobytes.com/IpLocator.htm?GetLocation">
 <input type="hidden" name="cid" value="0">
 <input type="hidden" name="c" value="">
 <input type="hidden" name="Template" value="iplocator.htm">
 <h3>IP Address to locate:<input type="text" name="ipaddress" size="15" value="">&nbsp;<input type="submit" value="Submit">
---------- snip ---------------

 If you change the "POST" to a "GET", it does not load:

http://www.geobytes.com/IpLocator.htm?GetLocation?cid=0&c=&Template=iplocator.htm&ipaddress=0.0.0.0

yet,
-------- snip ----------
<FORM METHOD="GET" ACTION="http://www.cracks.spb.ru" ENCTYPE="application/x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="page" VALUE="0">
Search cracks:
<INPUT TYPE="text" NAME="ss" VALUE="" SIZE=15>
<INPUT TYPE="submit" NAME="Search" VALUE="Search">
<BR></FORM>
--------- snip ----------

the above does work with a GET

So you can have an accept/deny rule based on the "METHOD".
Obviously cracks.spb.ru accepts any "METHOD", while geobytes.com
only accepts a "POST" METHOD. "hidden" tags are only client-based,
and the server script has no way to tell whether the submitted info
was "hidden" or not.

hope this helps,

Donnie Werner
http://exploitlabs.com



> The hidden input fields don't differ from any other input field, except of
> course that if your browser is given an HTML form with fields, it doesn't show
> the hidden fields. So the hidden fields can be modified just like any other
> fields, and when your browser sends a form to the web server, it simply lists
> all fields with their values - it doesn't differentiate between hidden and
> visible.
>
> Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say
> generally no. I believe the default is, if the web application gets a field
> called "name" both as POST data and as a URL parameter (script.asp?name=value)
> then the POSTed field overrides the URL field.
>
> So, 1) it all depends on the web application and 2) most likely with defaults,
> you can't.
>
> If not, you can of course just take the HTML page with the form and save it to
> your hard drive, and change the hidden fields to something else with notepad,
> or just delete them and pass the values in the URL.
>
> All in all, if you aren't trying to accomplish XSS then I'd say you should try
> perl's LWP (lib-www-perl) module: it's a simple library you can easily use to
> post any parameters you want and send arbitrary User-Agent versions etc.,
> whatever suits your needs.
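Added example, not from this thread or from either site: a small Python handler showing what a server-side script actually receives from the two forms above, and the POST-versus-URL precedence question raised in the quoted reply. Hidden fields arrive as ordinary name=value pairs, so the hypothetical handle_iplocator endpoint enforces the METHOD and re-validates cid and Template against an assumed allow-list instead of trusting them; which side wins when a name appears in both the URL and the body is framework-specific, and this example takes the POST body to win.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed server-side allow-list; what the real geobytes.com script checks is unknown.
ALLOWED_TEMPLATES = {"iplocator.htm"}


def parse_request(method, url, body=""):
    """Collect parameters the way a server-side script sees them.

    Query-string values come first; for a POST the body values are appended,
    so a handler that reads the last value lets the POSTed field win. Which
    side wins in real frameworks varies, so that ordering is an assumption.
    Nothing in the result records whether a field was a hidden input.
    """
    params = {k: list(v) for k, v in
              parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if method == "POST":
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    return params


def last_value(params, name):
    """Last occurrence of a parameter, or '' if absent."""
    return params.get(name, [""])[-1]


def handle_iplocator(method, url, body=""):
    """POST-only endpoint that re-validates the values the form sent as hidden."""
    if method != "POST":  # the accept/deny rule on METHOD described above
        return 405, "method not allowed"
    params = parse_request(method, url, body)
    template = last_value(params, "Template")
    cid = last_value(params, "cid")
    if template not in ALLOWED_TEMPLATES or not cid.isdigit():
        return 400, "unexpected hidden-field value"  # form was edited client-side
    return 200, "locate %s using %s" % (last_value(params, "ipaddress"), template)


if __name__ == "__main__":
    action = "http://www.geobytes.com/IpLocator.htm?GetLocation"
    form = "cid=0&c=&Template=iplocator.htm&ipaddress=0.0.0.0"
    print(handle_iplocator("POST", action, form))              # accepted
    print(handle_iplocator("GET", action + "?" + form))         # rejected by METHOD
    print(handle_iplocator("POST", action, form.replace("iplocator", "other")))  # rejected
    # The GET URL from the post has two '?', so the parser never sees a 'cid' key:
    print(sorted(parse_request("GET", action + "?" + form)))
```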
