Source Code Viewer

  Back

Validation Error: Bad Selection
To see the source of the file, choose and click "View File". Note that not all files are listed.
Source File Name	login.phpsecret-administrative-pages.phparbitrary-file-inclusion.phppassword-generator.phphtml5-storage.phpadd-to-your-blog.phpphpMyAdmin.phpindex.phpsite-footer-xss-discussion.phpregister.phpframing.phpcredits.phpview-someones-blog.phpauthorization-required.phprene-magritte.phpbrowser-info.phpcapture-data.phpnotes.phpset-background-color.phpshow-log.phpsource-viewer.phpinstallation.phpfooter.phpphpinfo.phpusage-instructions.phppage-not-found.phpuser-info.phpprocess-login-attempt.phptext-file-viewer.phphome.phpheader.phplog-visit.phpcaptured-data.phpdns-lookup.phppen-test-tool-lookup.phpphp-errors.phpredirectandlog.phpuser-poll.phpprocess-commands.php

Hints

For Malicious File Execution/Insecure Direct Object Reference: So, this script shows the source of most of the php files in this site, but not all. Giving even this level of information about the application is a bad idea. What would be another good script to checkout? A script that you see in the menu list on the left, but not the dropdown box? Using GET instead of POST makes this one easier to abuse, but with "Tamper Data" or "Paros" you could still screw with POST data. I wonder what the traffic generated by this page looks like? Wireshark is a good tool to examine network traffic. Some code contains naive protections such as limiting the width of HTML fields. If your If you find that you need more room, try using a tool like Firebug to change the size of the field to be as long as you like. As you advance, try using tools like netcat to make your own POST requests without having to use the login web page at all. You can use a page normally but then simply change the parameters is Tamper Data. Because Tamper Data is allowing the user to manipulate the request after the request has left the browser, any HTML or JavaScript has already run and is completely useless as a security measure. Any use of HTML or JavaScript for security purposes is useless anyway. Some developers still fail to recognize this fact to this day. So if this page is grabbing files, loading them, then displaying there contents, is it possible to use this page to grab any HTML file from any site? There is nothing special about HTML files except their format. Functions that load files usually do not care about the files contents. (An exception might be .NET Framework's MSXML.loadfile() which is simply a shortcut function to both load and parse XML in one call.) If the loader doesn't care what it loads, could this page be used to load any arbitrary file? Do the files have to be PHP source files or could they be any local file?