Viewing password protected photos on dating site



enzoweb
02-14-2006, 04:19 AM
As the subject says: I want to know if there's a way to view password protected photos on a dating site.

This is the only section of the page source that changes once a valid password is input:

Before a password is entered:


<tr>
<td bgcolor="#FFE***" align="center" width="200"><form name="showPhoto" action="/photo/showHiddenPhoto.jsp" method="post"><img align="center" src="/htdocs/common/images/passwordPhoto.gif" />
<br>
<span class="bodytext">Password:</span><br>
<input size=*5 maxlength=20 type="password" name="photoPass" value="">
<input type="hidden" name="handle" value="exotix" />
<br><br>
<input type=image src="/htdocs/common/buttons/click/submitButton.gif" width="6*" height="*7" submit value="submit" />
<input type="hidden" name="k" value="*22767005808*2*2085"/><input type="hidden" name="s" value="*046*24*"/><input type="hidden" name="l" value="en"/><input type="hidden" name="u" value="*5*000"/><input type="hidden" name="t" value="MEMBER"/></form></td>
</tr>


After the password is entered:


<tr><td><img border=*
src="/membermedia/*5*000_*8864*_0_*_0.jpg" />
</td></tr>
<tr><td><div class="bodytext" style="width:*00%;text-align:center;"><span
style="font-weight:bold;font-size:0.*em;text-transform:uppercase;">Password Protected</span></div></td></tr>
<tr>
<td><span class="bodytext"> Hello</span></td>

I discovered that the resulting image link (/membermedia/*5*000_*8864*_0_*_0.jpg) is made up of my id (*5*000) and the other person's id (*8864*). I've gone to another person's page who has a password protected photo, and tried using this syntax, but it just shows an image holder. It appears to build the image link on the fly.

The site is http://www.rsvp.com.au - it's free to join if anyone wants to have a go.

Edit: I've just spotted something - could the value="*22767005808*2*2085" be a password hash? The password for this photo is "ext*6". If I get enough, would it be possible to crack the algorithm used? I'm an amateur here, so please don't flame me for my ignorance. Unfortunately I don't have any more at the moment - once I enter a password I can only see the 'after' page source. If I get any more I'll capture them and post them here.

Edit: Got another hash and password:

<input type="hidden" name="k" value="840*4*4057586*6**6*"/><input type="hidden" name="s" value="**068856"/><input type="hidden" name="l" value="en"/><input type="hidden" name="u" value="*5*000"/><input type="hidden" name="t" value="MEMBER"/></form></td>

Password for this one is "memling".