Taras,

On Mon, Mar 16, 2009 at 4:58 PM, Taras P. Ivashchenko <naplan...@gmail.com> wrote:
> Everybody, hi!
>
>
> Hmmm, it looks strange, but when I tested it in PHP I got this:
>
> test URL:
> http://localhost/w3af/core/htmlParser/abc.php?sp=1&sp=spam&sp=eggs
>
> abc.php:
> ...
> var_dump($_GET);
> ...
>
> output (of abc.php):
> array(1) {
>   ["sp"]=>
>   string(4) "eggs"
> }
>
> So we can see that only the last value is set.

Yes, I know, but this code does the trick [0]

> We can get the result in PHP as in the topic with a query string like:
> http://localhost/w3af/core/htmlParser/abc.php?sp[]=1&sp[]=spam&sp[]=eggs
>
> Output:
>
> array(1) {
>   ["sp"]=>
>   array(3) {
>     [0]=>
>     string(1) "1"
>     [1]=>
>     string(4) "spam"
>     [2]=>
>     string(4) "eggs"
>   }
> }

And that case will also work with the patch I applied to w3af, because
the parameter is named sp[], and the [] are just part of the name.

[0] http://w3af.svn.sourceforge.net/viewvc/w3af/extras/testEnv/webroot/w3af/core/repeated_parameter_names/repeated_parameter_names.php?revision=2758&view=markup

>
> On Thu, 2009-03-12 at 14:43 -0200, Facundo Batista wrote:
>> 2009/3/11 Andres Riancho <andres.rian...@gmail.com>:
>>
>> > http://host.tld/index.do?sp=1&sp=spam&sp=eggs
>> >
>> > ...
>> > XSS. After some small searching, I realized the repeated parameter
>> > names are actually a valid thing in the RFC, and is supported by
>>
>> Yes, and one of the reasons why the cgi.parse_qs() function returns a
>> list of values for each key.
>>
>> Like:
>>
>> >>> cgi.parse_qs("sp=1&sp=spam&sp=eggs&foo=bar")
>> {'foo': ['bar'], 'sp': ['1', 'spam', 'eggs']}
>>
>> Regards,
>>
> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds
>

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
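
Added example, not part of the original thread and not w3af's own code: the two query strings discussed above, parsed so that every repeated occurrence is kept, next to a simplified model of the PHP dumps quoted in the thread, plus a rebuild step that changes one occurrence and leaves the rest intact. It uses urllib.parse.parse_qsl in place of the cgi.parse_qs() call quoted above; the helper names, the php_view model and the MARK value are assumptions made for this illustration.

```python
from urllib.parse import parse_qsl, urlencode

def parse_pairs(query):
    """Ordered (name, value) pairs; repeated names are all kept."""
    return parse_qsl(query, keep_blank_values=True)

def python_view(pairs):
    """Every value per name, like the parse_qs() result quoted in the thread."""
    out = {}
    for name, value in pairs:
        out.setdefault(name, []).append(value)
    return out

def php_view(pairs):
    """Simplified model of the $_GET dumps in the thread: a plain repeated
    name keeps only its last value, a name ending in [] collects a list.
    Keyed or nested forms such as a[b]=1 are not modelled."""
    out = {}
    for name, value in pairs:
        if name.endswith("[]"):
            key = name[:-2]
            if not isinstance(out.get(key), list):
                out[key] = []
            out[key].append(value)
        else:
            out[name] = value
    return out

def replace_occurrence(pairs, index, new_value):
    """Rebuild the query string with one occurrence changed, others intact."""
    changed = list(pairs)
    name, _ = changed[index]
    changed[index] = (name, new_value)
    return urlencode(changed, safe="[]")  # keep [] readable in the name

# Constructed sample input: the two query strings discussed in the thread.
PLAIN = "sp=1&sp=spam&sp=eggs"
BRACKETS = "sp[]=1&sp[]=spam&sp[]=eggs"

if __name__ == "__main__":
    for q in (PLAIN, BRACKETS):
        pairs = parse_pairs(q)
        print(q)
        print("  all values:", python_view(pairs))
        print("  PHP model :", php_view(pairs))
        for i in range(len(pairs)):
            print("  variant   :", replace_occurrence(pairs, i, "MARK"))
```
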