This example comes from a challenge on hackthissite.net; the whole point is to change a hidden email address in a form. The source comes first: the form is at line 148, or you can use Ctrl+F to search for "@" to locate it. Everything else is basically filler.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Hack This Site!</title>
<meta name="verify-v1" content="s/YXn7eQrMBoF9PL5jLJDiWpAxEXpJzE9JLg/zM4C2Y=" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="Author" content="HackThisSite.org Crew." />
<meta name="Description" content="HackThisSite! is a legal and safe network security resource where users test their hacking skills on various challenges and learn about hacking and network security. Also provided are articles, comprehensive and active forums, and guides and tutorials. Learn how to hack!" />
<meta name="KeyWords" content="challenge, computer, culture, deface, digital, ethics, games, guide, hack, hack forums, hacker, hackers, hacking, hacking challenges, hacking forums, mission, net, programming, radical, revolution, root, rooting, security, site, society, tutorial, tutorials, war, wargame, wargames, web, website" />
<link rel="icon" href="https://data.htscdn.org/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="https://data.htscdn.org/favicon.ico" type="image/x-icon" />
<link href="https://data.htscdn.org/themes/Dark/Dark.css" rel="stylesheet" type="text/css" />
<link href="https://www.hackthissite.org/pages/hts.rss.php" rel="alternate" type="application/rss+xml" title="HTS RSS feed" />
<base href="https://www.hackthissite.org" />
<script type="text/javascript" src="https://data.htscdn.org/js/jquery-1.8.1.min.js"></script>
<script type="text/javascript">
(function() {
function async_load(script_url){
var protocol = ('https:' == document.location.protocol ? 'https://' : 'http://');
var s = document.createElement('script'); s.src = protocol + script_url;
var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x);
}
bm_website_code = '3CBA71AF7B7E4145';
jQuery(document).ready(function(){async_load('asset.pagefair.com/measure.min.js')});
jQuery(document).ready(function(){async_load('asset.pagefair.net/ads.min.js')});
})();
</script>
</head>
<body>
<span id="blank-element" style="display: none"></span>
<div id="topbar" align="center">
<a href="https://www.hackthissite.org" id="active">HackThisSite</a> - <a href="irc://irc.hackthissite.org:+7000/">IRC</a> - <a href="https://www.hackthissite.org/forums">Forums</a> - <a href="http://radio.hackthissite.org">Radio</a> - <a href="http://hts.io/x/http://www.cafepress.com/htsstore" target="_new">Store</a> - <a href="http://hts.io" target="_new">URL Shortener</a> --- <a href="http://hts.io/x/https://www.facebook.com/hackthissite" target="_new">Like Us</a> - <a href="http://hts.io/x/https://twitter.com/#!/hackthissite" target="_new">Follow Us</a></div>
<div class="hts-header">
<a href="/"><img src="https://data.htscdn.org/themes/Dark/images/header.jpg" alt="Hack This Site" border="0" /></a>
<br />
<a href="https://www.hackthissite.org/81B6jjN6173zd07H0C44eZLN50uzPfb16498l855DJkd2cT7j3HQbhQnVkg0AM62g8nmf68rqY2jFL5sEh452xOf4B" target="_blank"><img src="https://www.hackthissite.org/iJW6z8Pl520u1Ka0nB93NG16Io3td3DZ0T6LkF8AQ3Kx079NtXOse0wsKObUTOI5I9AeNl38kTABdFYxX25bnL3yz7vpzegSlr16F5jQkozptt8cCpT5gDaGaB3npv0HupQkPFXFz0DEn8" alt="Cybrary - Free Online IT & Cyber Security Training" id="atimg" class="abstaimg" title="Cybrary - Free Online IT & Cyber Security Training" border="0" /></a><br />[<a href="https://www.hackthissite.org/advertise/">Advertise With HackThisSite.org</a>]</div>
<table width="780" border="0" cellpadding="0" cellspacing="0" class="siteheader cmTable">
<tr>
<td class="sitetopheader"><blockquote>When they discover the center of the universe, a lot of people will be disappointed to discover they are not it.</blockquote></td>
</tr>
<tr>
<td><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="160" valign="top" class="navbar"><div align="center">
<br />
<div style="margin-right: 7px; border: 3px double #555555; background-color: #006600; font-weight: bold">
<img src="https://data.htscdn.org/images/lock.png" style="float: left; margin: 4px 0 0 5px">
You are browsing HackThisSite over SSL
</div>
<br /> <div>Hello, <a href="/user/view/chengdazhi/">chengdazhi</a><br />
<a href="/user/edit/2032921/">Settings</a> - <a href="/?logout&nce=Cxn4sGjrEC3wGFWVbMzCR4Igwc4KwIbKdmTANuu9h">Logout</a><br /><br />
<a class="nav" href="/user/themes/"> Skin Chooser</a><br /><br />
<a class="nav" href="http://www.hackthissite.org/forums/ucp.php?i=pm">Private Messages</a><br />
<a class="nav" href="/pages/messages/msys/">HTS Messages Center</a><br />
You have 0 new messages.<br />
</div>
<h4 class="header">Donate</h4>
<p>
<a href="https://www.hackthissite.org/donate/">
<img
src="https://data.htscdn.org/images/donate.png"
border="0"
title="Donate to HackThisSite.org"
alt="Donate to HackThisSite.org" />
</a>
<br />
HTS costs up to $300 a month to operate. We <strong>need</strong> your help!
</p>
<h4 class="header">Challenges</h4>
<ul class="navigation">
<li><a class="nav" href="/missions/basic/">Basic missions</a></li><li><a class="nav" href="/missions/realistic/">Realistic missions</a></li><li><a class="nav" href="/missions/application/">Application missions</a></li><li><a class="nav" href="/missions/programming/">Programming missions</a></li><li><a class="nav" href="/missions/phonephreaking/">Phonephreaking missions</a></li><li><a class="nav" href="/missions/javascript/">Javascript missions</a></li><li><a class="nav" href="/missions/forensic/">Forensic missions</a></li><li><a class="nav" href="/missions/playit/extbasic/0/">Extbasic missions</a></li><li><a class="nav" href="/missions/playit/stego/0/">Stego missions</a></li><li><a class="nav" href="irc://irc.hackthissite.org/htb">Irc missions</a></li></ul>
<h4 class="header">Get Informed</h4><ul class="navigation"><li><a class="nav" href="/blogs">Blogs</a></li><li><a class="nav" href="/news">News</a></li><li><a class="nav" href="/pages/articles/article.php">Articles</a></li><li><a class="nav" href="/lectures">Lectures</a></li><li><a class="nav" href="/pages/programs/programs.php">Useful Stuff</a></li><!--<li><a class="nav" href="ebooks">E-books</a></li>--><li><a class="nav" href="http://mirror.hackthissite.org/hackthiszine/">HackThisZine</a></li><li><a class="nav" href=""></a></li></ul><h4 class="header">Get Involved</h4><ul class="navigation"><li><a class="nav" href="/donate"><span class="completed">Donate to HackThisSite!</span></a></li><li><a class="nav" href="http://www.cafepress.com/htsstore">Store</a></li><li><a class="nav" href="/submit/article">Submit Article</a></li><li><a class="nav" href="/pages/bugManagement/index.php">Submit Bug Report</a></li><li><a class="nav" href="/submit/lecture">Submit Lecture</a></li><li><a class="nav" href="/pages/programs/insert.php">Submit Useful Stuff</a></li><!--<li><a class="nav" href="/pages/showsource/loopdeloop.php">We Want You!</a></li>--><li><a class="nav" href=""></a></li></ul><h4 class="header">Communicate</h4><ul class="navigation"><li><a class="nav" href="/forums">Forums</a></li><li><a class="nav" href="https://www.hackthissite.org/forums/ucp.php?i=pm">Private Messages</a></li><li><a class="nav" href="http://www.irc.hackthissite.org/idlerpg">IRC IdleRPG</a></li><li><a class="nav" href="https://www.hackthissite.org/irc/stats.php">IRC Stats</a></li><li><a class="nav" href="http://qdb.hackthissite.org">IRC Quotes</a></li><li><a class="nav" href="/user/search">Search Users</a></li><li><a class="nav" href="/user/gallery">User Pictures</a></li><li><a class="nav" href="/user/online">Who is Online</a></li><li><a class="nav" href="/user/rankings/">Rankings</a></li><li><a class="nav" href="/pages/irc/irc.php">IRC Chat</a></li><li><a class="nav" 
href="/pages/irc/reference.php">IRC Command Reference</a></li><li><a class="nav" href=""></a></li></ul><h4 class="header">About HTS</h4><ul class="navigation"><li><a class="nav" href="/info/about">About the Project</a></li><li><a class="nav" href="/info/billofrights">Bill of Rights</a></li><li><a class="nav" href="/info/legal">Legal Disclaimer</a></li><li><a class="nav" href="/info/privacy">Privacy Statements</a></li><li><a class="nav" href="/pages/info/staff">Meet the Staff</a></li><li><a class="nav" href="/info/underthehood">Under the Hood</a></li><li><a class="nav" href="/advertise">Advertise with HTS</a></li><li><a class="nav" href="/ipv6">IPv6</a></li><li><a class="nav" href="/hof">Hall of Fame</a></li><li><a class="nav" href=""></a></li></ul><h4 class="header"></h4><ul class="navigation"><li><a class="nav" href=""></a></li></ul>
<br />
<a href="/">
<img
src="https://data.htscdn.org/images/hts_80x15.gif"
width="80"
height="15"
border="0"
alt="" />
</a>
<br />
<a class="nav" href="https://www.hackthissite.org/pages/info/linktous.php">
Link to us!
</a>
<h4 class="header">
Partners
</h4>
<br />
<a target="_new" href="http://hts.io/x/http://affiliates.mozilla.org/link/banner/8528">
<img
src="//affiliates.mozilla.org/media/uploads/banners/ac502446d8392cea778bcdaf8b3e07f8958a0216.png"
alt="Download Firefox"
width="88" />
</a>
<br />
<a class="nav" target="_new" href="http://hts.io/x/http://www.hackbloc.org/">
<img src="https://data.htscdn.org/images/linkhb.gif" border="0" alt="Hackbloc" width="88" height="31" />
</a>
<br />
<a class="nav" target="_new" href="http://hts.io/x/http://www.hellboundhackers.org/">
<img
src="https://data.htscdn.org/images/hbhlogo.jpg"
width="88"
height="31"
border="0"
alt="Hellbound Hackers" />
</a>
<br />
<a class="nav" target="_new" href="http://hts.io/x/https://www.netsparker.com/blog">
<img
src="https://data.htscdn.org/images/netsparker.gif"
alt="Netsparker Security Blog"
width="88"
height="31"
border="0" />
</a>
<br />
<a class="nav" target="_new" href="http://hts.io/x/http://www.acunetix.com/blog">
<img
src="https://data.htscdn.org/images/acunetixblog.gif"
alt="Acunetix Security Blog"
width="88"
height="31"
border="0" />
</a>
<br />
<a class="nav" target="_new" href="http://hts.io/x/http://www.buddyns.com">
<img
src="https://data.htscdn.org/images/buddyns88x31.png"
alt="BuddyNS Secondary DNS"
width="88"
height="31"
border="0" />
</a>
<br />
</td>
<td valign="top" class="sitebuffer">
<br />
<br /><center>
<br /><center><b>Level 5</b></center><br /><br />Sam has gotten wise to all the people who wrote their own forms to get the password. Rather than actually learn the password, he decided to make his email program a little more secure.<br /><br /><center>
<form action="/missions/basic/5/level5.php" method="post"><input type="hidden" name="to" value="sam@hackthissite.org" />
<input type="submit" value="Send password to Sam" /></form></center><br /><br /><center><b>Password:</b><br />
<form action="/missions/basic/5/index.php" method="post"><input type="password" name="password" /><br /><br />
<input type="submit" value="submit" /></form>
</td>
</tr>
</table></td>
</tr>
<tr>
<td class="sitebottomheader"><img src="https://data.htscdn.org/themes/Dark/images/hts_bottomheadern.jpg" alt="End Footer" width="780" height="60" /></td>
</tr>
</table>
<br />
<div align="center" style="font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px; color:#CCCCCC">HackThisSite is is the collective work of the HackThisSite staff, licensed under a <a rel="license" href="http://hts.io/x/http://creativecommons.org/licenses/by-nc/3.0/" target="_new">CC BY-NC</a> license.<br />
We ask that you inform us upon sharing or distributing.<br /><br />
<sub>Page Generated: Mon, 23 Feb 2015 15:17:25 +0000<br />Web Node: www0 | Page Gen: 0.051s | DB: 15q<br />Current Code Revision: <a href="https://www.hackthissite.org/CHANGELOG">v3.2.3
(Fri, 27 Jun 2014 20:13:10 +0000)</a></sub><br />
</div>
</div>
<div align="center">
<p>
<a target="_new" href="http://hts.io/x/http://creativecommons.org/licenses/by-nc/3.0/"><img src="https://data.htscdn.org/images/cc_80x15.png" width="80" height="15" border="0" alt="" /></a>
<a target="_new" href="http://hts.io/x/http://validator.w3.org/check?uri=referer"><img src="https://data.htscdn.org/images/xhtml10.png" width="80" height="15" border="0" alt="" /></a>
<a target="_new" href="http://hts.io/x/http://jigsaw.w3.org/css-validator/check/referer"><img src="https://data.htscdn.org/images/css.png" width="80" height="15" border="0" alt="" /></a>
<a target="_new" href="http://hts.io/x/http://www.php.net/"> <img src="https://data.htscdn.org/images/phppow.gif" width="80" height="15" border="0" alt="" /></a>
<!--<a href="http://www.linux.com/"> <img src="../../images/linux2.gif" width="80" height="15" border="0" alt="" /></a>-->
<a target="_new" href="http://hts.io/x/http://www.freebsd.org/"> <img src="https://data.htscdn.org/images/freebsd.png" width="80" height="15" border="0" alt="" /></a>
<img src="https://data.htscdn.org/images/counter.php" height="14" border="0" alt="Page View Counter" />
</p>
</div>
<a href="http://hackthissite.org/hp.php"><div style="height: 0px; width: 0px;"></div></a><script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-2391176-1");
pageTracker._initData();
pageTracker._trackPageview();
</script>
<!--[if !(lt IE 8)]><!-->
<script type="text/javascript">
var tdwfb_config = {greeting: 'Dear HackThisSite User'};
(function(){
var e = document.createElement('script'); e.type='text/javascript'; e.async = true;
e.src = document.location.protocol + '//d1agz031tafz8n.cloudfront.net/thedaywefightback.js/widget.min.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(e, s);
})();
</script>
<!--<![endif]-->
</body>
</html>
So I looked at it with a packet-capture tool, and sure enough, when submitting with my modified form the Referer request header was missing, while submitting from the original page it was not. This is where JavaScript injection comes in: it changes the form without changing anything else. Nowadays a browser's Inspect Element can do the same thing without a dedicated injection, but the principle is still important.
Here is the injection method:
After opening the original page, type directly into the browser's address bar:
javascript: alert(document.forms[0].to.value="xxx@xxx.com")
Then press Enter, and the page's code has been modified.
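To show the defender's side of the same weakness, here is an added Python model (not code from the post or from HackThisSite) of the Level 5 handler: a version that trusts the hidden `to` field behind the Referer check the post describes, beside a version that fixes the recipient server-side and flags edited submissions. The function and constant names are assumptions.

```python
from urllib.parse import urlparse

# Constructed values standing in for the Level 5 page; hypothetical names.
SITE_HOST = "www.hackthissite.org"
SAM_ADDRESS = "sam@hackthissite.org"   # the value of the hidden "to" field


def referer_ok(headers):
    """Sam's 'more secure' check: the Referer must point at our own host.
    A self-written form on another origin fails this; a form edited in
    place on the real page (the address-bar injection above) passes it."""
    ref = headers.get("Referer", "")
    return urlparse(ref).hostname == SITE_HOST


def vulnerable_send(headers, form):
    """Model of the behaviour the post describes: once the Referer looks
    right, the recipient is taken from the client-controlled hidden field.
    Returns the address the password would be mailed to, or None if refused."""
    if not referer_ok(headers):
        return None
    return form.get("to")


def hardened_send(headers, form):
    """Fix: the recipient is decided server-side and the submitted 'to'
    is ignored, so editing the DOM changes nothing. The Referer check is
    kept only as a hint, never as the security boundary."""
    if not referer_ok(headers):
        return None
    return SAM_ADDRESS


def tampered(form):
    """Detection hook: a submitted 'to' that differs from the server's own
    value can only come from a client that edited the hidden field."""
    return form.get("to") != SAM_ADDRESS


if __name__ == "__main__":
    real_page = {"Referer": "https://www.hackthissite.org/missions/basic/5/"}
    edited = {"to": "someone-else@example.com"}      # after the DOM edit
    print(vulnerable_send({}, edited))               # None: no Referer
    print(vulnerable_send(real_page, edited))        # someone-else@example.com
    print(hardened_send(real_page, edited))          # sam@hackthissite.org
    print(tampered(edited))                          # True
```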