1

I'm security testing a website. My question is if you can view where POSTDATA is being written to, if so how?

For example a site might have this as their post.php:

   $handle = fopen("filename.txt", "a");
   foreach($_POST as $variable => $value) {
   fwrite($handle, $variable);
   fwrite($handle, "=");
   fwrite($handle, $value);
   fwrite($handle, "\r\n");

What I am attempting to view is what the name of the txt file. In this case it is of course, filename. But, I need to first view the php, to find what the txt file name is. On the website I am testing I do not know the name of the txt file. As the name of the txt file is what I am trying to find.

I have tried doing Curl -O sitename.com/postscript.php in terminal, but, it returnes 302.

How can find the name of the txt file? (using any method)

All help is very much appreciated.

Update: I know for certain that the postdata is being saved to a php file on the root directory.

Henry Boldizsar
  • 489
  • 1
  • 8
  • 25

2 Answers2

1

I'm fairly certain you can't find the text file. You can however, track the POST request and see which data is being sent where. Check that out in the network tab of Chrome Developer Tools.

What you'll notice is that you can see where the page is POSTing the data to be processed, but it has no way of knowing what the processing file does with the data.

Jezen Thomas
  • 13,619
  • 6
  • 53
  • 91
0

You can't.

How do you know the POST data is even written to a file (as opposed to inserted into a database, emailed, or discarded) , unless you had the PHP source code there is no way to know where it is being written, or even know that it is being written to a file at all.

drew010
  • 68,777
  • 11
  • 134
  • 162