July 30th, 2002, 05:47 AM
POST a Form with specially crafted URL
Maybe this isn't the place for this question (and my bad if it isn't), but it seems to fit the best here.
Does anyone know how to craft a URL so that it executes a FORM POST/SUBMIT when visited?
IE: I need to be able to fill in a form (got this done) and then post it all with a URL.
I'm working on this for a odd XSS bug I found. However, I can't find how submit the form and it seems there should be safeguards against doing it since you could fake submissions, votes/polls, and tons of other stuff.
Thanks for the help (I'm hoping),
DarC Infinity Rising
July 30th, 2002, 06:15 AM
You can only edit submited info through the URL if the form uses the GET methode... Using the POST method, it's doable but more complicated as you have to craft an http request... (there are probably tools that though...)
Credit travels up, blame travels down -- The Boss
July 30th, 2002, 07:29 AM
July 30th, 2002, 09:46 AM
What you can do is make a form yourself in php or whatever with the same named inputs and set the form action to the url of whatever script you want it to send to. Another thing you could possibly do (depending on what language this is) is view the source, look at the names of the inputs then make a url yourself. If you see a page with the form action of post.php and inputs named text1 and text2, then you could make a url http://thesite.com/post.php?text1=wh...ext2=whatever. Im not positive that this will work but its worth a try.
July 30th, 2002, 02:02 PM
Where theForm is the name of the form.
August 2nd, 2002, 05:30 AM
Some of the posts have been semi helpful (and I haven't tried them yet but I decided to write this now, pffT).
The daemon I'm butt raping at the moment is a webmail daemon that operates under NT. TO THE BEST OF MY KNOWLEDGE it operates as a executable that handles the mail/connections/client/server/everything. The code of the button I need to push (or make the server believe I pushed IE: submitted) is as
<INPUT CLASS="button" TYPE="submit" NAME="Save_x" VALUE="Save Changes">
That is what I need to pull off; as far as PHP or CGI scripting I'm not sure where to send it to. The URL never shows it if it uses scripts and the page code doesn't help any except for showing the names of the inputs. The code above is all the relevant code that composes the button, HOWEVER the following code appears at the top of the page where it declares several hidden inputs.:
<INPUT TYPE="hidden" NAME="Save_x" VALUE="13">
I'm assuming they're related (as per the Save_x name) but not sure how (this seems a rudimentary piece of code so I'm sure someone with more webcode experiance than me can ID it).
Maybe this helps you understand my situation better?
DarC Infinity Rising
August 5th, 2002, 09:15 PM
give the submit a try and let us know.