:[ Forums ]:
Topic: Help with PHP fusking anyone?
| Author: | Message: |
| xyberz09 Offline Forum Rank: Contributor   Posts: 50 Thanks: 9 Contributor   | Hello everyone!
I've been testing a website (just for fun) and found out about a possible vulnerability in the way it manages images uploaded by it's users. I think I found a way to access private and locked images without needing the user's permission. Right now, it's a real pain to access any of these images and there is now way of knowing whose picture you're accessing. But I think I can make a lot more sense of the accumulated data if I can grab a lot of pictures and analyze them with TinEye (http://www.tineye.com) Can any one of you guys help me whip up something that can fusk the images from the website? The format string of the URL is something like this: http://<target site>/members/delete_photo.php?id=delete-photo&sbook_id=200050964 On accessing the page, It returns an image (as specified by the sbook_id number). Do you know how I could increment the sbook_id number sequentially and grab the images displayed for each number and dump them on to some folder on my computer? I read somewhere that a fusker can parse this: http://<somesite.com>/images/image[000-100].jpg and return all images ranging from image000, image111, etc. to image100. But in my case, the images aren't stored as a sequentially, only the URL to access them can be fusked. The images are stored with filenames that look like their MD5 hash. Can you help me extract the images from the site by suggesting a method of fusking the URL and then reading the returned HTML for the <img src> tag and retrieving the images therin? |
| #1 Back To Top | |
| kjangwa Offline Forum Rank: kiddie  Posts: 23 Thanks: 2 Standard User | Well i've learned something new, never heard of fusking before.
It seems like a good programming project, you just need a simple script to access the URL and do a little parsing. What programming language do you know? |
| #2 Back To Top | |
| xyberz09 Offline Forum Rank: Contributor Posts: 50 Thanks: 9 Contributor | I'm learning PHP at the moment and it's embarassing but the language I feel at home with is Visual Basic .NET
|
| #3 Back To Top | |
| xyberz09 Offline Forum Rank: Contributor Posts: 50 Thanks: 9 Contributor | kjangwa, if you found fusking interesting, you'll absolutely be blown away by TinEye. Check out the unbelievably scary yet supreme power of TinEye at www.tineye.com. It's an image search engine. :-)
|
| #4 Back To Top | |
| kjangwa Offline Forum Rank: kiddie Posts: 23 Thanks: 2 Standard User | Yes I have already used both TinEye and GazoPa to aid me in solving challenges.
Nothing wrong with Visual Basic .NET. I am also learning PHP and i think cURL is what you need, however i have never used it. If you feel it will be helpful to you, i will have a go at making a simple script. |
| #5 Back To Top |
Online (last 15 mins): metallover
