Hack This Site: Basic Mission 4
This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.
Once again, check the source code. The script mails the password to the email id mentioned there. First, find out which email id the script sends the password to. It's all there in the source code.
<form action="/missions/basic/4/level4.php" method="post">
<input type="hidden" name="to" value="webmaster@hulla-balloo.com" /><input type="submit" value="Send password to Sam" /></form></center><br /><br /><center><b>Password:</b><br />
<form action="/missions/basic/4/index.php" method="post">
<input type="password" name="password" /><br /><br /><input type="submit" value="submit" /></form>
No, we are not going to hack that email id. Instead we will tweak this web page so that the script works the way we want it to. Save a copy of the source code on your computer. Open it in your favorite HTML editor. Change the email id to an email id you have access to.
Save the file as HTML, and open it in your browser. Press the button to send the password to your email id. Well, you must have cracked it by now.
What (I think) You Learnt
It is easy to change the source code and gain access to sensitive information. Using a hidden field's value to hide sensitive information in HTML code is never a very good idea. Use it elsewhere.
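The server-side view of this lesson, as an added example that is not part of the original post and is not Hack This Site's actual script: one handler mails wherever the hidden "to" field points, the other ignores the field and reports any value that differs from the configured address. The function names and the SAM_ADDRESS setting are assumptions, and the request bodies are constructed.

```python
from urllib.parse import parse_qs

# Assumption: the recipient is kept in server-side configuration, not in the form.
SAM_ADDRESS = "webmaster@hulla-balloo.com"


def recipient_vulnerable(post_body):
    """Mirrors the flaw: the mail goes wherever the client's 'to' field says."""
    fields = parse_qs(post_body)
    return fields["to"][0]


def recipient_hardened(post_body):
    """Always mail the configured address.

    Returns (recipient, tampered), where tampered lists every submitted 'to'
    value that does not match the configured address, so the request can be
    logged or rejected. A repeated 'to' parameter is checked value by value.
    """
    fields = parse_qs(post_body, keep_blank_values=True)
    submitted = fields.get("to", [])
    tampered = [v for v in submitted if v.strip().lower() != SAM_ADDRESS]
    return SAM_ADDRESS, tampered


if __name__ == "__main__":
    # Constructed POST bodies: the untouched form, an edited copy,
    # a repeated parameter, and a request with the field removed.
    samples = [
        "to=webmaster%40hulla-balloo.com",
        "to=someone%40example.org",
        "to=webmaster%40hulla-balloo.com&to=someone%40example.org",
        "",
    ]
    for body in samples:
        recipient, tampered = recipient_hardened(body)
        status = "TAMPERED " + repr(tampered) if tampered else "ok"
        print(f"{body!r:60} -> mail to {recipient} [{status}]")
```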
-
http://penguinftw.wordpress.com/ iPenguin
