The Sapience Society The advice of a self-proclaimed technological ninjician

4Jun/100

Form Request Hijacker Javascript Bookmarklet

The idea: Lets say you want to use some service hosted at another site, but there isn't an API or anything.. just a user-accessible form. Well, in order to use that form, you're going to have to use something like cURL to submit some POST variables or something to the form handler.

Here's the problem: What information is actually getting submitted with the form?

The only way to form your curl request is if you know every single bit of data that's getting sent to the form. You could do this with a tool like the "Web Developer" add-on for Firefox, but then if there's some onsubmit javascript that affects the form in any way, you don't get those changes.

My solution: Using javascript, hijack the form and have it submit to a custom URL which will then tell you any variables sent through the headers.

The original javascript:

var index=prompt('Form index?', '0');
if(confirm('The action url is:\\n'+document.forms[index].action.substr(0,100)+'\\n\\nDoes that look right?')){
	document.forms[index].action='https://lococobra.com/showreq.php';
	document.forms[index].submit();
}

As you (maybe) can see, the code targets the Xth form on the page you're currently on, tells you where the form submits to (so you can submit to that url in cURL), and finally, submits the form to another script located at 'http://trappar.net/showreq.php'.

Lets make that into a bookmarklet! (Take a look at this to see how I made it)

javascript:eval(atob('dmFyIGluZGV4PXByb21wdCgnRm9ybSBpbmRleD8nLCAnMCcpO2lmKGNvbmZpcm0oJ1RoZSBhY3Rpb24gdXJsIGlzOlxuJytkb2N1bWVudC5mb3Jtc1tpbmRleF0uYWN0aW9uLnN1YnN0cigwLDEwMCkrJ1xuXG5Eb2VzIHRoYXQgbG9vayByaWdodD8nKSl7ZG9jdW1lbnQuZm9ybXNbaW5kZXhdLmFjdGlvbj0naHR0cHM6Ly9sb2NvY29icmEuY29tL3Nob3dyZXEucGhwJztkb2N1bWVudC5mb3Jtc1tpbmRleF0uc3VibWl0KCk7fQ=='))

Here's that in a link, if that helps: Bookmarklet

Now what does that new action URL do? It shows you all of the header variables that were sent through the form. Here's the code for that page (PHP)

<?
$vars = array('$_GET', '$_POST', '$_REQUEST', '$_FILES');
foreach($vars as $var)
	eval('if(count('.$var.') > 0) echo \'<h3>'.$var.'</h3><pre>\'.var_export('.$var.',true).\'</pre>\';');
?>

Voila! With one click you can take over any form and find out exactly what it's doing.

Tagged as: , , , , Leave a comment
Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

(required)

No trackbacks yet.

» «

Donate to this blog!

Help me pay for server costs, or just show your appreciation!
USD

Categories

Archives

Tags

.TSI 4-Deck AT&T beta Blog Bookmarklet connect default dotfile download dual boot essential files file sharing Firefox hidden iphone jailbreak javascript jdownloader Launchpad LED Leopard linux M-Audio Mac Mapping MIDI mime Native Instruments OS X PHP police problems rapidshare Samba Share SMB software SSH stumbleupon Traktor tunnel ubuntu unix