BreakDown Of "How to Hack Password Protected Web Pages!"
 
Level 2
By Jeff
 
You can access Level two here: http://www.proweb.co.uk/~greenway/Java/leveltu.htm

 
One of the first things I am discovering from reading the Sandman's and The Seeker's essays is that we must learn to eliminate all the trash that only serves to confuse us:

We can do this by opening up the original source and copying it into another editor page (I use Homesite), and then previewing each line change to understand what each line does...
 

So first let's take a look at the source code from Level #2 here:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
   <TITLE></TITLE>
   <META NAME="GENERATOR" CONTENT="Mozilla/3.01Gold (Win16; I) [Netscape]">
</HEAD>
<BODY>

<P><SCRIPT LANGUAGE="JavaScript">
<!----- Script CopyRight © 1996 - 1997  S.Chris Brown (Spikeman)
// This JavaScript code Originally by S.Chris Brown  (Spikeman) 1996 - 1997
function Spikeman_password(form) {
 if (form.ID.value=="location") {
    if (form.pass.value=="password") {
      location="tucong.htm"
 
} else {
      alert("Sorry " +form.ID.value+ ", wrong password.")
    }
  } else {
    alert("Invalid Name")
 location="ertu.htm"
  }
}
//--> </SCRIPT></P>

<CENTER><TABLE BORDER=4 CELLSPACING=2 CELLPADDING=2 >
<TR>
<TD></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>LOGIN</I></B></H3>
</TD>

<TD><FORM name="login"><INPUT NAME="ID"></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>PASSWORD</I></B></H3>
</TD>

<TD><INPUT NAME="pass" type="password"></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><INPUT TYPE="button" VALUE="Proceed" onClick="Spikeman_password(this.form)"></H3>
</TD>

<TD><INPUT TYPE="RESET" VALUE="Clear"></FORM></TD>
</TR>
</TABLE></CENTER>

<CENTER><P>
<HR></P></CENTER>

<CENTER><P><FORM><INPUT TYPE="BUTTON" VALUE="View Source"
onClick= 'window.location = "view-source:" + window.location.href'
></FORM></P></CENTER>
<B><FONT COLOR="#000000"></FONT></B>

<P>                                                                         ;all of this, from here downward, can be eliminated right away!
<HR WIDTH="100%"></P>
<P>
<HR WIDTH="100%"></P>
<P>
<HR WIDTH="100%"></P>
<P>
<HR WIDTH="95%"></P>
<P>
<HR WIDTH="90%"></P>
<P>
<HR WIDTH="80%"></P>
<P>
<HR WIDTH="70%"></P>
<P>
<HR WIDTH="60%"></P>
<P>
<HR WIDTH="50%"></P>
<P>
<HR WIDTH="40%"></P>
<P>
<HR WIDTH="30%"></P>
<P>
<HR WIDTH="25%"></P>
<P>
<HR WIDTH="20%"></P>
<P>
<HR WIDTH="15%"></P>
<P>
<HR WIDTH="10%"></P>
<P>
<HR WIDTH="5%"></P>
<P>
<HR WIDTH="4%"></P>
 
 
 
 

</BODY>
</HTML>
 


I know right away that I want to keep all the text between the <SCRIPT LANGUAGE="JavaScript"> tag and the END statement; </SCRIPT>
So I cut and paste this into my editor and run it; Hummm; nothing in the window; this means I need some more code in there, eh?



We now have this to work with:

<P><SCRIPT LANGUAGE="JavaScript">
<!----- Script CopyRight © 1996 - 1997  S.Chris Brown (Spikeman)
// This JavaScript code Originally by S.Chris Brown  (Spikeman) 1996 - 1997
function Spikeman_password(form) {
 if (form.ID.value=="location") {
    if (form.pass.value=="password") {
      location="tucong.htm"
 
} else {
      alert("Sorry " +form.ID.value+ ", wrong password.")
    }
  } else {
    alert("Invalid Name")
 location="ertu.htm"
  }
}
//--> </SCRIPT></P>
 

Note: By cutting and pasting each line below into your editor, from each of the following groups, we can determine what their functions are. Having done so line by line (actually I have done it group by group), I slowly build the page up and see what each of these groups is doing......

<CENTER><TABLE BORDER=4 CELLSPACING=2 CELLPADDING=2 >  ;this creates a BORDER  and cells containing the below text and inputs...
<TR>
<TD></TD>
</TR>
 

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>LOGIN</I></B></H3>                                    ;this creates the 'word' LOGIN
</TD>
 

<TD><FORM name="login"><INPUT NAME="ID"></TD>                               ; this creates the INPUT BOX for LOGIN
</TR>
 

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>PASSWORD</I></B></H3>                          ; this creates the 'word' PASSWORD
</TD>
 

<TD><INPUT NAME="pass" type="password"></TD>                                      ; this creates the  INPUT BOX for PASSWORD
</TR>
 

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><INPUT TYPE="button" VALUE="Proceed" onClick="Spikeman_password(this.form)"></H3>
</TD>
 

<TD><INPUT TYPE="RESET" VALUE="Clear"></FORM></TD>                    ; This creates the "CLEAR" button
</TR>
</TABLE></CENTER>
 

<CENTER><P>
<HR></P></CENTER>                                                                                          ;This creates a line to split off the "View Source" button below
 

<CENTER><P><FORM><INPUT TYPE="BUTTON" VALUE="View Source" ; This creates the "VIEW SOURCE" button...

onClick= 'window.location = "view-source:" + window.location.href'                       ; activates the view source
></FORM></P></CENTER>
<B><FONT COLOR="#000000"></FONT></B>


Okay; we have done some homework and we have built our input field. So now let's take a deeper look at the stuff that makes the wheel turn:
 

<P><SCRIPT LANGUAGE="JavaScript">
<!----- Script CopyRight © 1996 - 1997  S.Chris Brown (Spikeman)
// This JavaScript code Originally by S.Chris Brown  (Spikeman) 1996 - 1997
function Spikeman_password(form) {                      ; this is the function statement;  (form) is the function
 if (form.ID.value=="location") {                              ; "IF" 'form' =="location" then......goodguy
    if (form.pass.value=="password") {                      ; IF form password value == the word "password" then....goodguy
      location="tucong.htm"                                        ;location="tucong.htm"   open new window goto goodguy at "tucong.htm"
 
} else {
      alert("Sorry " +form.ID.value+ ", wrong password.") ; pop error box ...

...which states "Sorry " (hardcoded) + the value you typed in (form.ID.value) + ", wrong password." (hardcoded)

NOTE HERE: This code, +form.ID.value+, does not seem to return a very useful value in the real world, since anything that is typed in wrong produces a badguy error; BUT when you type in the correct word "location" and then, say, an incorrect password, the error you receive states "Sorry location, wrong password". There would seem to be an error of thought in this use of the code, as if it were supposed to have produced something like "Sorry, Jeff wrong password".
In this case writing only:

 alert("Sorry , wrong password.") ......would have been better here...... (though I am probably not interpreting it correctly)
 

    }
  } else {                                                                   ; another check here
    alert("Invalid Name")                                             ; pop error box "Invalid (login) name"
 location="ertu.htm"                                                   ; open new window; goto badguy page at; "ertu.htm"
  }
}
//--> </SCRIPT></P>



Once again we can reverse this snippet of code by changing the equal comparisons to not-equal comparisons:

function Spikeman_password(form) {                      ; this is the function statement;  (form) is the function
 if (form.ID.value=="location") {                              ; "IF" 'form' =="location" then......goodguy
    if (form.pass.value=="password") {                      ; IF form password value == the word "password" then....goodguy
      location="tucong.htm"                                        ;location="tucong.htm"   open new window goto goodguy at "tucong.htm"
 
Let's change the above to:

 if (form.ID.value !="location") {                              ; "IF" 'form' !=" is NOT equal to "location" then......goodguy
    if (form.pass.value !="password") {                      ; IF form password value != is NOT equal to the word "password" then....goodguy
      location="tucong.htm"                                        ;location="tucong.htm"   open new window goto goodguy at "tucong.htm"
 

And we can test this by inserting this rewritten code in an editor and running it in Browser Preview.....

So let's use this:

<P><SCRIPT LANGUAGE="JavaScript">
<!----- Script CopyRight © 1996 - 1997  S.Chris Brown (Spikeman)
// This JavaScript code Originally by S.Chris Brown  (Spikeman) 1996 - 1997
function Spikeman_password(form) {
 if (form.ID.value !="location") {                                          ; notice our change here
    if (form.pass.value !="password") {                                 ; and our change here
      location="tucong.htm"

} else {
      alert("Sorry " +form.ID.value+ ", wrong password.")
    }
  } else {
    alert("Invalid Name")
 location="ertu.htm"
  }
}
//--> </SCRIPT></P>

Now let's run it ......Nope; a blank page....we MUST also insert the rest of the code which builds the input area:
 

<CENTER><TABLE BORDER=4 CELLSPACING=2 CELLPADDING=2 >
<TR>
<TD></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>LOGIN</I></B></H3>
</TD>

<TD><FORM name="login"><INPUT NAME="ID"></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>PASSWORD</I></B></H3>
</TD>

<TD><INPUT NAME="pass" type="password"></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><INPUT TYPE="button" VALUE="Proceed" onClick="Spikeman_password(this.form)"></H3>
</TD>

<TD><INPUT TYPE="RESET" VALUE="Clear"></FORM></TD>
</TR>
</TABLE></CENTER>

<CENTER><P>
<HR></P></CENTER>
 

OKAY; now run it and type in the REAL login and password......what happens?
Nothing? Something?
Yep; that's right!
Now when we type in the correct LOGIN word "location" as the name value we get the error prompt:

"INVALID NAME!"

Now let's type in any LOGIN value other than "location" and the REAL PASSWORD value of "password"....

The code now treats the LOGIN value as true and the password value as false: the LOGIN check returns a goodguy result and then moves on to check the password value. Seeing that the only value in the world that is NO GOOD has been typed into the password box, it now displays the error box:

"SORRY, whomever wrong Password"


On the flip side, if we now type any other values into both input boxes we should be able to pass....

So let's do it:

Hummmmmmm; clicking on the "Proceed" button takes us nowhere!
Not having access to the author's ftp site and to the directory holding tucong.htm, I cannot proceed to that page...
How can we check to see if these values are true then?
How about inserting an alert statement???????
Let's try it:
Let's insert an alert statement after the check and before the else statement
 

<P><SCRIPT LANGUAGE="JavaScript">
<!----- Script CopyRight © 1996 - 1997  S.Chris Brown (Spikeman)
// This JavaScript code Originally by S.Chris Brown  (Spikeman) 1996 - 1997
function Spikeman_password(form) {
 if (form.ID.value !="location") {
    if (form.pass.value !="password") {
      location="tucong.htm"
 alert("Good Job!")                                                  <<<<<<<<<<<<<<< here; so that when the Proceed button is clicked there is a visible return
} else {
      alert("Sorry " +form.ID.value+ ", wrong password.")
    }
  } else {
    alert("Invalid Name")
 location="ertu.htm"
  }
}
//--> </SCRIPT></P>
 

<CENTER><TABLE BORDER=4 CELLSPACING=2 CELLPADDING=2 >
<TR>
<TD></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>LOGIN</I></B></H3>
</TD>

<TD><FORM name="login"><INPUT NAME="ID"></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><B><I>PASSWORD</I></B></H3>
</TD>

<TD><INPUT NAME="pass" type="password"></TD>
</TR>

<TR align="CENTER">
<TD>
<H3 ALIGN=CENTER><INPUT TYPE="button" VALUE="Proceed" onClick="Spikeman_password(this.form)"></H3>
</TD>

<TD><INPUT TYPE="RESET" VALUE="Clear"></FORM></TD>
</TR>
</TABLE></CENTER>

<CENTER><P>
<HR></P></CENTER>

Aha!!! Now when we run this and click on the "Proceed" button we get a return of:

"Good Job!"

Now... we know that our changes are valid and operating correctly.......
AND.....now any password will be accepted from the user..:)
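As an added example (not code from this essay and not from Spikeman's page), here is the same decision logic written as a plain JavaScript function that returns which branch was taken, so the four cases tried by hand above can be checked by computation instead of by inserting alert() calls. It models both the original == script and the != rewrite; the literals "location", "password", "tucong.htm" and "ertu.htm" are the ones in the page's source, while the sample inputs "jeff" and "guess" are made up for the table. It also settles the NOTE about +form.ID.value+: in the original script the wrong-password alert can only ever say "Sorry location, ...", because that branch is reached only after the ID check has already passed.

```javascript
// Added example, not code from the essay or from Spikeman's page.
// Models Spikeman_password as a pure function so each branch can be read
// off as a return value instead of by watching alert() boxes in a browser.
// "location", "password", "tucong.htm" and "ertu.htm" are the literals
// visible in the page's source; "jeff" and "guess" are constructed inputs.

const EXPECTED_ID = "location";
const EXPECTED_PASS = "password";

// inverted === false is the original script; inverted === true is the
// author's rewrite with == changed to != in both checks.
function spikemanDecision(idValue, passValue, inverted) {
  const idCheck = inverted ? idValue !== EXPECTED_ID : idValue === EXPECTED_ID;
  if (idCheck) {
    const passCheck = inverted ? passValue !== EXPECTED_PASS : passValue === EXPECTED_PASS;
    if (passCheck) {
      // location="tucong.htm": the goodguy page
      return { branch: "goodguy", location: "tucong.htm", alert: null };
    }
    // alert("Sorry " + form.ID.value + ", wrong password.")
    return { branch: "wrong-password", location: null,
             alert: "Sorry " + idValue + ", wrong password." };
  }
  // alert("Invalid Name"); location="ertu.htm"
  return { branch: "invalid-name", location: "ertu.htm", alert: "Invalid Name" };
}

// The four input classes the essay tries by hand, with the branch each lands in.
function branchTable(inverted) {
  const cases = [
    ["location", "password"], // real ID, real password
    ["location", "guess"],    // real ID, wrong password
    ["jeff", "password"],     // wrong ID, real password
    ["jeff", "guess"],        // both wrong
  ];
  return cases.map(([id, pass]) => ({ id, pass, ...spikemanDecision(id, pass, inverted) }));
}

// In the original script the wrong-password alert is only reachable once
// form.ID.value equals "location", so the name it echoes can never differ.
// Returns every distinct name the original alert can contain.
function namesEchoedByOriginal() {
  return new Set(
    branchTable(false)
      .filter((r) => r.branch === "wrong-password")
      .map((r) => r.alert.match(/^Sorry (.*), wrong password\.$/)[1])
  );
}

// Demo: print both tables side by side.
for (const inverted of [false, true]) {
  console.log(inverted ? "inverted (!=)" : "original (==)");
  for (const r of branchTable(inverted)) {
    console.log(`  ID=${r.id.padEnd(8)} pass=${r.pass.padEnd(8)} -> ${r.branch}`);
  }
}
```

Run it with node. The inverted table shows the real login landing in the "Invalid Name" branch, a wrong login with the real password landing in the wrong-password branch, and any other pair reaching tucong.htm, which are exactly the three results recorded above. The point to take away as a defender is that every one of these outcomes is decided inside the visitor's own browser from values sitting in the page source, so the check can be read and rewritten by anyone who views the source; it is a courtesy prompt, not access control.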

This is about as far as my limited knowledge of JavaScript reversing can take me for this level...I hope I have explained things correctly and that it has helped someone understand a couple of ways we can de-bone this code and learn from it...

If the Sandman or The Seeker see any faults or confusing explanations, please feel free to edit...



 

And so, reversing the code in the above essay is only to show what the code is saying to us... and how we can interpret,
understand and even change its meaning...

Regards to The Sandman, whose efforts to build a neuro-network of various studies for newbies are unsurpassed!
and to our new friend and JavaTeacher "The Seeker"

Greetz to tnwo; Dogbytes; snake;EB;Bjanes;Volatility, and to all others; ya know who ya all are!

Jeff
2/16/99