ideale
Antismut

Antismut site busting techniques


by Triple T
25 November 1998

courtesy of fravia+'s page of reverse engineering

So you want to access some parts of a site that your not supposed to
eh ?  There are usually only a few ways that sites restrict access to
their page.

Password Access
-CGI/Other Scripting 
-Javascript



First of all Password access, the easiest way is to search for a
password to this page.  Try altavista with the search string +"site
name" +password.  This will sometimes turn up pages of disgruntled
users who have paid for this site and dislike it, they are now set on
revenge and the only way they can do this is to let other people use
their login/password.  This might not yield anything but if it does it
is the easiest way to gain access.

Next check for the kind of Password access, if you view the source and
see something like 
<form method="post" action="http://www.server.com/cgi-bin/login?">
Then you can assume this page is protected by a CGI-script and you
won't have a very good chance of getting in.  You can however try
default usernames/passwords for this site.  Try leaving both fields
blank and hitting ok, then try user/pass and then any other
combinations of likely logins you can think of, anonymous/guest,
fred/fred, 1234/1234, etc.

Perhaps though you go to the page and click to enter and the login box
looks different than most other sites do.  This is a tip-off that it
is "protected" by javascript.  Not much of a protection, usually the
password will be hard-coded into the source.  Do a view-source and see
where it checks the user/pass.  It will have some kind of if statement
and possible some long string of text of seemingly random characters. 
This is just a front to "encode" the password so it is not obvious. 
There will either be a custom function or they will use the default
function to retrieve only certain characters from the long string,
this is the password. For example consider this pseudocode:

if (username=getletter(12) + getletter(1) + getletter(7)) {

do whatever

}


This is obviously checking your input with the strings returned by
getletter.  Look around and see if you see something like

getletter(int x) {
return mid(bwertyucopasadfghjklzxcvbnm,x,1)
}

The 1 probably means return only one character starting at x.  So you
count over 12 letters and get "a", 1 letter is "b", and 7 letters is
"c".

The password is "abc".

Another technique with javascript it the document.open function.  It
opens a page, they simply use the user input as the argument for
document.open, so it opens whatever you enter.  The password will be
the name of the html page.  There is really no way to get past this
other than by guessing the correct page name.

If you are trying to get into a page and it is hosted on another site
as in the case of www.server.com/users/~jobob/page.html
and you want to access files in this directory try to go to
www.server.com/users/~jobob/.  Sometimes this will let you list all
the files in that directory provided there is not a default file to
open.  This is a useful technique for all kinds of pages, simply take
the html file name off the end of the url and see what happens, you
can find out many things this way.

Also try an ftp search, there are some isp's, webcom.com comes to
mind, that put all your files in a world-readable directory on their
ftp thus you can login to ftp.server.com/users/jobob and see a listing
and download all of his files.  This rarely works but when it does it
is an easy way to access a page.

A real backdoor that works is at www.bondage.com.

Go to the guest section.  Click the searchable pic database, notice
the .asp as the page extension.  This stands for Active Server Page
and means MS's CGI-Wannabe Scripting Language.  Look around especially
at the limitations of the guest level that everyone is at.  It says
you are allowed to download 5 images per day.  Search for any image,
now notice what it returns to you.  Notice the file names are listed,
this wouldn't be that bad except for something else we are about to
find out. Click a file name and it links to
http://www.bondage.com/show_pic.asp?id=somenumber
All this tells us is that there is a database somewhere the file names
indexed by their id number.  The image should be loading on your
screen.  Do a copy image address.  
You should get
http://www.bondage.com/sortedpictures/filename.jpg

Wait, isn't file name the same filename that was on the search page ?
Go back and select another picture and this time copy the filename and
append it to http://www.bondage.com/sortedpictures/

Thus you get http://www.bondage.com/sortedpictures/newfilename.jpg,
now go here and you can view the image.  Then go back and click on the
regular link to an image.  You get the msg, This ip address has
downloaded 1 image today.  It didn't count the file we linked to
directly, this is your exploit.  You can view any image as long as you
just go to the filename and no through the asp script file.