Let's learn some great tricks during this f*cking pandemic!
Yeeeeeehaaaa let's jump in!
First and foremost we will introduce you to some naked facts! 😂
As a task, we need to pass the word “success” through the form on the site. Let’s try: we enter “success” and click Submit. We get the error “Invalid token.”:
Open the source code of the page.
Between the <script></script> tags there is the following:
I only need to understand the following lines:
Also look at the form used to send the word “success”:
In the first line of the generate_token() function, the “phrase” variable is assigned the value of the form field with the id “phrase”. In the second line of the same function, the value of phrase is passed through two functions and the result is assigned to the element with the id “token”.
Outside the function, there is a call to this function:
This call is not tied to any event (for example, form submission) or condition. This means that by the time the page is open in our browser, generate_token() has already been executed: the token value for the string “ChangeMe” has already been calculated and assigned to the input field with the id “token”. For this reason, when we change the value of the “phrase” input field, it no longer matches the token, which is exactly what the error message tells us.
It turns out that the only way to complete the task is to change the value of the phrase field from “ChangeMe” to “success” before the page is opened in the web browser.
But the BIG question is: How?
This can be done in Burp Suite, which, among other things, can modify any part of an HTTP exchange (headers and body of requests and responses) on the fly.
But I will show you a completely “childish” method, which I have used since the first years of having my own computer; this method needs no tools at all.
The essence is elementary: save the page to your computer, open it in an editor (any text or HTML editor), make the necessary changes, open the edited page in the browser and submit the form!
We save it (I chose a shorter name, because special characters in the file name can cause problems):
Open the *.html file and find the form:
As you can see, it has changed: a value has been assigned to the token field, apparently by the browser when saving:
So, first, change “ChangeMe” to “success”.
Second, when I open my saved file, its address will be something like file:///home/mial/Загрузки/1.html, and the browser will try to send the form data to that same address. But we need to send the data to the server.
Sometimes the page already has an “action” attribute, but the address is given as a relative path; in that case submitting the form will again not go where we need. To fix this, just specify the absolute URL of the page on the target site.
Third, as mentioned, the browser filled in the token value when saving the page; we remove it (although, logically, this is not necessary, since the new value will be calculated and assigned after the page is opened).
So, we got the following form:
I save it and open the file in the browser:
I click the “Submit” button: