19 February 1998
This is a pretty important reversing exercise, since most username/password
cgi-scripts use analoguous systems. The angle of attack in such cases,
of course, is that most of the time
you know (or can easily imagine) the usual passwords and
username couples (like fred and fred
which is incredibly often used for obvious keyboard reasons :-)
Do I need to say more?
I have prepared 6 different valid combinations, as you will see in the
code... FOUR (to help you check your findings) will land you
to page 123456.htm... just to
show you the complete workings, and TWO will land
on the real page... ah yes, of course they may be not in the
same order as here when you look at the
username password 123456.htm
visitor password 123456.htm
fred fred 123456.htm reverser reverser 123456.htm
? ? ?.htm
? ? ?.htm
As you'll see, they all work... now to get to the real targeted page, you will have
to use one of the two possibile username/password combinations...
and it is up to you, now, to find the name (or,
better, the 'number') of the REAL URL... see you there!
Ah, I almost forgot: a little stalking/searching/sniffing could
help a lot, of course :-)
This script accepts six users... just
try to land in the correct
page... you'll find there Papazov's solution and more
You are deep inside reverser's page of reverse engineering,
choose your way out:
Back to the main entrance
Is reverse engineering legal?
Reverser 1995, 1996, 1997, 1998. All rights reserved