Form Hack / XSS / SQL Injection - forms

I got a big problem with a Botnet...I think it is a botnet...
What happens?
The bot fills out the form and spams the database.
Here is the form:
<form method="POST" action="">
<textarea name="text2" style="width: 290px; margin-bottom: 10px;"></textarea>
<center>
<img id="captcha" alt="Captcha" src="http://www.mysite.de/php/captcha/Captcha_show.php?sid='2d7dd1256d06a724c34b9d703f3733e9">
<br>
<a onclick="document.getElementById('captcha').src = 'php/captcha/Captcha_show.php?' + Math.random(); return false" href="#">
<br>
<input id="mod" class="inputbox" type="text" alt="Bitte die Zeichen des Bildes eingeben." style="width: 280px" maxlength="15" name="captcha_code" value="">
<sub>Bitte die Zeichen des Bildes abschreiben</sub>
<br>
<br>
<input class="button" type="submit" value="Hinzufügen" name="submit">
</center>
</form>
Here is an array with words that can't be inserted:
$badWords = array("/delete/i","/deleted/i","/deletee/i", "/update/i", "/updateu/i", "/updateup/i","/union/i","/unionu/i","/unionun/i", "/insert/i","/inserti/i","/insertin/i","/drop/i","/dropd/i","/dropdr/i","/http/i","/httph/i","/httpht/i","/--/i", "/url/i", "/urlu/i", "/urlur/i", "/true/i", "/truet/i", "/truetr/i", "/false/i", "/falsef/i", "/falsefa/i","/!=/i","/==/i", "/insurance/i", "/eating/i", "/viagra/i");
$text3 = preg_replace($badWords, "a12", $text2);
if($text3 != $text2){
    echo "<center><b>No valid data!</b></center> <meta http-equiv=\"refresh\" content=\"2; URL=http://www.mysite.de\">";
    exit;
}
So normally the user should not be able to post any text with e.g. "viagra" in it.
I can't understand how someone or a bot could insert a text with some of these bad words.
I am using PDO and functions like htmlspecialchars(), stripslashes(), strip_tags() and htmlspecialchars() to prevent the hack...
Any ideas?

Your script can be hacked by HTML entities:
Example:
The input is "Hello" but in code it is "&#72;ello".
If you now run a preg_match you will not find anything:
var_dump(preg_match('/Hello/i', '&#72;ello')); // the 'H' is written as the numeric entity &#72;
// returns int 0
If you want to prevent SQL injections: use prepared statements.
If you don't want to be spammed, you also have to look for another way, as long as I can simply insert a valid string many times.
Notice: I think you can prevent my hack by using html_entity_decode:
var_dump(preg_match('/Hello/i', html_entity_decode('&#72;ello')));
// returns int 1
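The same bypass and its fix, as an added JavaScript example that is not part of the question or the answer. Node.js has no html_entity_decode(), so a small decoder for numeric entities and the common named ones is included; the function names and the shortened stand-in for $badWords are this example's own, and the check decodes in a loop, which goes a step beyond the answer to also catch double-encoded input.

```javascript
// Added example (not code from the question or the answer): a keyword
// blocklist must run on the *decoded* text, otherwise HTML entities slip
// through. Node.js has no html_entity_decode(), so a small decoder for
// numeric entities and the common named ones is written here.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: ' ' };

function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      // Leave malformed or out-of-range references untouched.
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// Shortened stand-in for the $badWords list in the question.
const BAD_WORDS = [/viagra/i, /insurance/i, /union/i, /drop/i, /--/];

// What the question's code effectively does: match the raw submitted text.
function containsBadWordRaw(text) {
  return BAD_WORDS.some((re) => re.test(text));
}

// Hardened check: decode until nothing changes (catches double encoding),
// strip tags, then match. This is spam filtering only; SQL injection is
// prevented by prepared statements, not by word lists.
function containsBadWordNormalized(text) {
  let prev;
  let cur = text;
  do {
    prev = cur;
    cur = decodeHtmlEntities(prev);
  } while (cur !== prev);
  cur = cur.replace(/<[^>]*>/g, '');
  return BAD_WORDS.some((re) => re.test(cur));
}
```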

Related

Declare variable to use inside @helper.repeat - PlayFramework

I want to use @helper.repeat to create several input elements. But I want to declare the input tags as HTML instead of using the @helper.input methods. To do that I have to use an @index inside this loop. I am unable to instantiate and increase this variable. I tried something like the code below, but the following appears in the HTML page:
BaseScalaTemplate(play.twirl.api.HtmlFormat$@5a8a0ced) = {0}
<div class="form-group">
    <div class="col-sm-offset-2 col-sm-10">
        @index = {0}
        @helper.repeat(questionForm("answer.alternatives"), min = 7) { (alternative) =>
            <div class="checkbox">
                <input type="checkbox" value="@alternative("correct") ">
                <input type="text" id="answer_alternatives_(@index)_text" name="answer.alternatives[@index].text" value="">
            </div>
        }
    </div>
</div>
Is there another, maybe cleaner, way to do what I want? Maybe with @for?
I use Play Framework 2.4.6 with Java 8.
Playframework will let you do what you need, but you will have to do it in another way.
1) Your form definition will have a Seq[String] to save the results that come from the template.
2) Your form definition will need to include this change. In your case:
"answer_alternatives" -> seq(nonEmptyText)
3) Change the name and id from the template to @{alternative.name} so Playframework can link your input text to the sequence of String.
<input type="text" id="@{alternative.name}" name="@{alternative.name}" value="">

Passing Text into URL from a Form

I'm trying to insert a variable collected from a form into a URL, but I don't want the "?variable=value" part of the URL.
<form action="http://www.example.com/<?php echo htmlspecialchars($_GET['entry']);?>/" method="GET">
<input type="text" value="" name="entry" id="entry">
<input type='submit'>
</form>
Is there any easy way to do this? I want the browser to go to the following URL when the user types "whatever"
http://www.example.com/whatever/
Edit:
I've changed the code to the following, which seems to work, but have I now introduced a script vulnerability?
<form onSubmit=" location.href = 'https://www.example.com/' + document.getElementById('entry').value + '/' ; return false; ">
<input type="text" value="" name="entry" id="entry" placeholder="Your Promo Code">
<input name="promoSubmit" type="submit" value="Buy Now">
</form>
You could use JavaScript for this kind of task; I don't see why you would involve the server side for such a thing.
But the easiest answer will be like:
<script>
    function go(){
        window.location = 'http://www.example.com/' + document.getElementById('url').value;
    }
</script>
<input type='text' id='url'>
<button id='btn_go' onclick='javascript:go();'>Go</button>
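An added example, not from the question or the answer, of building the redirect URL the safer way: validate the promo code against an allowlist and percent-encode it as a single path segment, instead of concatenating the raw field value as the onSubmit handler and the go() function above do. The names buildPromoUrl, buildPromoUrlUnsafe, PROMO_CODE_RE and onPromoSubmit are this example's own.

```javascript
// Added example (not the asker's or answerer's code). The URL builders are
// pure functions so the check can be exercised outside a browser.
const BASE_URL = 'https://www.example.com/';
// Allowlist for a promo code: letters, digits and dashes, 1 to 32 characters.
const PROMO_CODE_RE = /^[A-Za-z0-9-]{1,32}$/;

// What the onSubmit handler in the question does: plain concatenation.
// Whatever the user types becomes part of the path unchanged, so "../",
// "?" or "#" in the input change where the browser ends up.
function buildPromoUrlUnsafe(code) {
  return BASE_URL + code + '/';
}

// Hardened version: validate against the allowlist, then percent-encode the
// single path segment. Returns null for input that must not navigate.
function buildPromoUrl(code) {
  const trimmed = String(code).trim();
  if (!PROMO_CODE_RE.test(trimmed)) return null;
  return BASE_URL + encodeURIComponent(trimmed) + '/';
}

// Form hook for the browser: stay on the page and show a message instead of
// navigating when the code is rejected. Attach with onsubmit="return onPromoSubmit(event)".
function onPromoSubmit(event) {
  event.preventDefault();
  const url = buildPromoUrl(document.getElementById('entry').value);
  if (url === null) {
    alert('Please enter a valid promo code.');
    return false;
  }
  window.location.assign(url);
  return false;
}
```

The server that serves /whatever/ still has to treat the segment as untrusted input; the client-side check only keeps accidental and obviously malformed values from leaving the page.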

.asp validate_form wrong somehow?

I've got a little problem with my "contact us" form: whenever I submit it I get the error message 500. IE tells me it's an error at line 62, and that validate_form is not specified.
My code goes like this:
<form method="POST" action="/cgi-bin/emailer.asp" onsubmit="return validate_form(this); ">
I really don't know anything about .asp, .php, .js etc. so some help would really be needed.
Thanks
-Niko
Update:
function validate_Form(form)
{
    var x=document.forms["yhteys"]["email"].value;
    var atpos=x.indexOf("@");
    var dotpos=x.lastIndexOf(".");
    if (atpos<1 || dotpos<atpos+2 || dotpos+2>=x.length)
    {
        alert("Sähköposti osoite ei ole oikein.");
        return false;
    }
}
that's how the code looks right now, but it still isn't working.
<form name="yhteys" method="POST" action="/cgi-bin/emailer.asp" onsubmit="return validate_form(this);">
<div style="float:left;">
Aihe:<b>*</b><br>
<select name="Aihe" required="required" id="Aihe">
<option value="Yhteydenotto">Yhteydenotto</option>
<option value="Arviokäynti">Arviokäynti</option>
<option value="Esitetilaus">Esitetilaus</option>
<option value="Esittelyajan varaus">Esittelyajan varaus</option>
<option value="Palaute">Palaute</option>
<option value="Muu viesti">Muu viesti</option>
</select><br><br>
Nimi:<b>*</b><br>
<input type="text" required="required" name="nimi" size="35"><br><br>
Osoite:<b>*</b><br>
<input type="text" required="required" name="osoite" size="35"><br><br>
Puhelin:<b>*</b><br>
<input type="text" required="required" name="puh" size="35"><br><br>
Sähköposti:<b>*</b><br>
<input type="text" required="required" name="email" size="35"><br><br>
Viesti:<b>*</b><br>
<textarea rows="5" name="viesti" cols="45" required="required" id="Viesti"></textarea>
<div style=" margin-right: 2px; margin-top: 2px;"><input type="submit" value="Lähetä" name="B1"></div><br />
<p>Tähdellä merkityt kohdat ovat pakollisia.</p>
</form>
</div>
There is the whole form section, just so you could tell me more specifically what's wrong.
validate_form(this) is a call to a JavaScript function you have to define.
It might look something like this:
function validate_form(form){
    if (form.fieldname.value /* fulfills some condition */)
    {
        // this will abort the submit
        return false;
    }
    // will only get called when the if-statement does not return true
    // this allows the submit to proceed
    return true;
}
Alternatively you can declare a function like this:
var validate_form = function(form){ /* your code here */ };
You should put that block of code in the <head> section of your page inside of:
<script type="text/javascript">
    // your code
</script>
EDIT:
As for your JavaScript:
If you send this to your function, you do not have to crawl the DOM to get your elements.
--> To get any field in your form (which you pass to the function with the this keyword) you can do the following:
form.fieldname
This allows you to access your email like that:
var email = form.email.value;
You can now check your email with a custom validation, but I recommend using a freely available regex to check it. You can find a nice one in answer no. 3 here.
if (!isValid(email)){ // if the given email is not valid by the function you call
    alert("Sähköposti osoite ei ole oikein.");
    return false;
}
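A complete validate_form for the yhteys form, as an added example that is neither Niko's nor the answerer's code. It keeps the all-lower-case name that the onsubmit attribute calls (validate_Form with a capital F is a different, undefined function), takes the form passed as this instead of looking it up in the DOM, and checks every required field plus the email address; findFormErrors, REQUIRED_FIELDS and EMAIL_RE are names chosen for this example.

```javascript
// Added example (not from the question or the answer). Works on the real
// form element passed as `this`, and on any object whose properties have a
// .value, which is what the checks below are exercised with.
const REQUIRED_FIELDS = ['Aihe', 'nimi', 'osoite', 'puh', 'email', 'viesti'];
// Simple address check: one @, something on both sides, a dot in the domain.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns the list of problems found; an empty list means the form is valid.
function findFormErrors(form) {
  const errors = [];
  for (const name of REQUIRED_FIELDS) {
    const field = form[name];
    if (!field || String(field.value).trim() === '') {
      errors.push('Kenttä "' + name + '" on pakollinen.');
    }
  }
  // Only complain about the format when an address was actually entered.
  if (form.email && form.email.value && !EMAIL_RE.test(form.email.value.trim())) {
    errors.push('Sähköposti osoite ei ole oikein.');
  }
  return errors;
}

// The onsubmit handler: returning false aborts the submit, true lets it
// through. The name is lower-case to match onsubmit="return validate_form(this)".
function validate_form(form) {
  const errors = findFormErrors(form);
  if (errors.length > 0) {
    alert(errors.join('\n'));
    return false;
  }
  return true;
}
```

Client-side validation is a convenience for the user; emailer.asp still has to check the same fields, because the form can be posted without the script running.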

Jquery selector seems not to work in google chrome

I want to update the value of an input/textfield with a calculated value from the cookie. It's like a mini local cookie cart.
Saving and retrieving the json from the cookie is a piece of cake.
In my behavior I fail to make the following work:
I added a class for every node in the input field, it's constructed like the example below.
Myid = 'webform_cart_nid_10';
formElement = $('.' + Myid);
console.log(formElement);
The html is quite nested and can be seen http://it2servu.be/broodjes/bestellen (if I may link?) .
The field whose value I want to update looks like this:
<input class="webform_cart_nid_10 webform_cart_nid form-text" type="text" id="edit-submitted-cart-item-cart-elements-10" name="submitted[cart_item][cart_elements][10]" value="0" size="3" maxlength="128">
It is contained in Drupal output with severe div-itis.
<div class="page clearfix" id="page">
<div id="section-content" class="section section-content">
<div id="zone-content-wrapper" class="zone-wrapper zone-content-wrapper clearfix">
<div id="zone-content" class="zone zone-content clearfix container-12">
<div class="grid-12 region region-content" id="region-content">
<div class="region-inner region-content-inner">
<div class="block-inner clearfix">
<div class="content clearfix">
<div class="node node-webform node-promoted view-mode-full clearfix ">
<div class="field field-name-title field-type-ds field-label-hidden">
<form class="webform-client-form" enctype="multipart/form-data" action="/broodjes/bestellen" method="post" id="webform-client-form-5" accept-charset="UTF-8">
<div>
<fieldset class="collapsible form-wrapper collapse-processed" id="edit-submitted-cart-item-cart-elements">
<div class="fieldset-wrapper">
<div class="form-item form-type-textfield form-item-submitted-cart-item-cart-elements-10">
<input class="webform_cart_nid_10 webform_cart_nid form-text" type="text" id="edit-submitted-cart-item-cart-elements-10" name="submitted[cart_item][cart_elements][10]" value="0" size="3" maxlength="128">
...
Probably it's something stupid; I just can't figure out what it is.
Your problem is with jQuery. If you pop open the console in Chrome and type jQuery, it returns the jQuery function. If you type $ it returns undefined. You have some sort of collision causing $ not to be set to jQuery.
Use "jQuery" instead of "$":
Myid = 'webform_cart_nid_10';
formElement = jQuery('.' + Myid);
console.log(formElement);
The "$" never worked for me in Drupal 7.

One click to trigger several search forms?

I have 1 main search form with a submit button and several secondary search forms with submit buttons.
What I would like to do is when I enter text and click on the submit button of the main search form, the same text gets copied in all of the secondary search forms and all the submit buttons of the secondary search forms get automatically hit.
The HTML code for the main search form is shown below:
<form action="query.php" method="get">
Search: <input type="text" name="item" size="30">
<input type="submit" value="send">
</form>
One of the several secondary search forms is shown below:
<FORM action="http://www.dpbolvw.net/interactive" method="GET" target="_blank">
    <div style="float: left; padding: 0 3px 0 0;">
        <INPUT type="text" name="src" size="9"
        value="<?php
        $input = $_GET['item'];
        // escape before echoing into an attribute, otherwise the value can break out of it
        echo htmlspecialchars($input, ENT_QUOTES);?>" style="width: 110px; height: 22px;margin:0; padding: 0; font-size:140%;">
    </div>
    <div style="float: left; padding: 0 3px 0 0;">
        <input type="image" name="submit" value="GO" src="http://images.guitarcenter.com/Content/GC/banner/go.gif"
        alt="Search" style="font-size:140%">
    </div>
    <input type="hidden" name="aid" value="1234"/>
    <input type="hidden" name="pid" value="1234"/>
    <input type="hidden" name="url" value="http://www.guitarcenter.com/Search/Default.aspx"/>
</form>
Notice the php code that I put in the "value" field of the secondary search form:
<?php
$input = $_GET['item'];
echo htmlspecialchars($input, ENT_QUOTES);?>
This automatically copies the text that I entered in the main search form into the secondary search form. I thus figured out how to do that.
The problem is to "simulate" an "Enter" keystroke or a click on the "GO" button with the mouse on the secondary search form when the user hits the Enter key or hits the "SEND" button with the mouse on the main search form.
Thank you for your insight!
I'm not sure what the point of that would be. It looks like all of these are search forms pointing to different sites. Web browsers won't allow that. They can navigate to one page at a time. When you post a form to a page you are navigating to that page. Therefore, you are trying to navigate to several pages at once. It's like trying to be in Paris and London at the same time. I don't see how your plan will work the way you're describing it.
That said, you can use client-side JavaScript to call
document.forms[0].submit();
so if you can come up with a plan that does not involve trying to have the user see all the different search results in one window, you could try this on your first form...
<form action="query.php" method="get" onSubmit="document.forms[1].submit();">
You should use AJAX (jQuery) as Brandon suggested. Read http://docs.jquery.com/Events/submit
Example:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <script src="http://code.jquery.com/jquery-latest.js"></script>
    <script>
        $(document).ready(function(){
            $("#submit").click(function() {
                // Do your stuff here, like triggering other submits
                // Like:
                $("input#submit2").click();
                $("input#submit3").click();
                return false;
            });
        });
    </script>
</head>
<body>
    <form action="javascript:alert('success!');">
        <div>
            <input type="text" />
            <input type="submit" id="submit" />
        </div>
    </form>
    <form>
        <div>
            <input type="text" />
            <input type="submit" id="submit2" />
        </div>
    </form>
    <form>
        <div>
            <input type="text" />
            <input type="submit" id="submit3" />
        </div>
    </form>
</body>
</html>
Take a look at the submit() event in jQuery. That is going to be your key.
I am assuming that you are planning on submitting via ajax? Otherwise it is futile.
So you could do something like this-
Give all of your forms a certain class, let's call it 'ajax_search_forms'. So now you can actually hook into the submit event.
$('.ajax_search_forms').submit(function(){
    var search_string = $('input[name=src]').val();
    $('.ajax_search_forms').each(function(){
        $.ajax({
            url : $(this).attr('action'),
            data : 'search_string=' + search_string,
            success : function(html){
                // Do something with the result
            }
        });
    });
    // Return false is VERY important so that the form submission does not continue
    return false;
});