logo
::[Home]
::[News]
::[Challenges]
::[Ranking]
::[My Account]
::[Forum]
::[Chat]
::[Private Messages]
::[Vulnerable Code]
::[Tutorials]
::[Downloads/Scripts]
::[Support]
::[Links]
::[Contact/FAQ]
::[Login]
0 anonymous
Views: 1089641 Challenges: 342
Users: 12689 Online: 11

Settings
Search
0 new posts

Tuts4you, something not very harmful – 10 Posts

  • Tuts4you, something not very harmful

    11/06/2007 10:49
    DigitalAcid's Avatar DigitalAcid 4540
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Whenever i visit a site, i usually try things like these:<br><br>http://www.tuts4you.com/user.php?\"&gt;DigitalAcidWasHere<br><br>You can type anything after the \"&gt; and it will be shown on the site.<br>I tried using alert and document.write, but the site seems to filter out most of the special characters, like semicolon, comma etc. resulting in an \"Access Denied\" page =).<br>
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    Bander's Avatar Bander 150
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Hmm, I'm unable to reproduce that. The site keeps url encoding everything.<br><br>I get access denied when I try a single quote.
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    DigitalAcid's Avatar DigitalAcid 4540
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    It's a \" (quotation mark ?) not 2 '...
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    moose's Avatar moose 3250
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    I just copied this into the adress bar and it didn't work...
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    Bander's Avatar Bander 150
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    Ok - let me be more specific <img alt="\&quot;:)\&quot;" src="%5C"><br><br>A double quote is url encoded before being echoed into the page and a single quote brings up \"Access Denied\"
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    DigitalAcid's Avatar DigitalAcid 4540
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    I'm using IE...<br>Didn't try it yet with Firefox and Opera back then.<br>It seems it doesn't work with those 2.
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    moose's Avatar moose 3250
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    with ie it works ... strange<br><br>does the browser encode the url? why doesn't ie urlencode?
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    theAnswer's Avatar theAnswer 2010
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    PHP runs server-side, so it should not be browser-dependent.
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    moose's Avatar moose 3250
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    I thought (in fact I wrote) the same before I tried it out ...
    Edit
    Reply
    Quote
    0 Likes
  • 11/06/2007 10:49
    quangntenemy's Avatar quangntenemy 7120
    Not SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot SpecifiedNot Specified
    The problem is that FF and IE encode the url differently before sending them. Check the source <img alt="\&quot;:P\&quot;" src="%5C"><br>FF:<br><pre>&lt;form method=\"post\" action=\"http://www.tuts4you.com/user.php?%22%3E%3Cmarquee%3EDigitalAcidWasHere%3C/marquee%3E\"&gt;</pre><br>IE:<br><pre>&lt;form method=\"post\" action=\"http://www.tuts4you.com/user.php?&amp;amp;quot;&gt;&lt;marquee&gt;DigitalAcidWasHere&lt;/marquee&gt;\"&gt;</pre><br>IE seems to render the code incorrectly too <img alt="\&quot;:P\&quot;" src="%5C">
    Edit
    Reply
    Quote
    0 Likes