Fix for XSS injector
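/**
 * Menu callback: seed one crawled form with an XSS probe and submit it.
 *
 * Picks the next form recorded by the crawler, fetches the page it lives on
 * with the stored scanner session cookie, writes a probe string into every
 * text input / textarea found on that page and posts the form back through
 * drupal_security_scanner_test::drupalPostModified().
 *
 * @return
 *   HTML listing of the values that were seeded. The probe is escaped with
 *   check_plain(): the original echoed print_r() output raw, so the scanner's
 *   own result page would have executed the payload it was injecting.
 */
function page_xss_injector() {
  // NOTE(review): `status` is not table-qualified; qualify it (f.status or
  // l.status) once the crawler schema is confirmed. Nothing here advances the
  // row's status, so repeated calls keep picking the same form.
  $form_details = db_fetch_array(db_query("SELECT f.id,l.path FROM {crawler_forms} f INNER JOIN {crawler_links} l ON f.page_id = l.id WHERE status = 2 LIMIT 1"));
  if (!$form_details) {
    return t('No crawled form is waiting to be seeded.');
  }

  // The original hard-coded 'http://localhost/soc2008/?q=node/add/page' and
  // 'edit-page-node-form' while debugging; the crawled path and form id are
  // used here as the commented-out lines intended. Assumes {crawler_forms}.id
  // holds the HTML id of the form's form_id input — TODO confirm.
  $obj = new drupal_security_scanner_test();
  // NOTE(review): this is a live session cookie kept in the variable table in
  // clear text; anyone who can read variables can replay the scanner session.
  $session_cookie = variable_get('security_scanner_cookie', '');
  $obj->curl_options = array(
    CURLOPT_COOKIE => $session_cookie,
  );
  $html = $obj->drupalGet($form_details['path']);
  $obj->parse();

  // Probe payload. The original wrote "<\script\>...</\script\>"; inside a PHP
  // double-quoted string neither \s nor \> is an escape sequence, so the
  // backslashes were sent literally and no browser would execute the tag.
  // Restore the obfuscated form here if it was deliberate.
  $payload = "<script>alert('xss');</script>";

  // Seed every text input and textarea on the page. handleFormModified() only
  // consumes the names that exist inside the target form; entries for other
  // forms on the page (search box etc.) are simply left over in $edit.
  $edit = array();
  $all_inputs = $obj->elements->xpath("//input[@type='text']|//textarea");
  if ($all_inputs) {
    foreach ($all_inputs as $input) {
      $name = (string) $input->attributes()->name;
      if ($name !== '') {
        $edit[$name] = $payload;
      }
    }
  }

  // TRUE = press the first submit button of the form, whatever its label.
  $obj->drupalPostModified($html, $form_details['id'], $edit, TRUE);

  return '<pre>' . check_plain(print_r($edit, 1)) . '</pre>';
}

// The two methods below belong to the drupal_security_scanner_test class:
// page_xss_injector() invokes drupalPostModified() on an instance of it, and
// both use $this (parse(), elements, curlExec(), ...) from DrupalWebTestCase.

/**
 * Locate the form whose form_id <input> has HTML id $form_id, fill it, POST it.
 *
 * Variant of DrupalWebTestCase::drupalPost() that addresses the form by the id
 * of its form_id input (the way the crawler records forms) instead of scanning
 * every form on the page for matching fields.
 *
 * @param $html
 *   Unused; kept so existing callers keep working.
 * @param $form_id
 *   HTML id of the form's form_id input, e.g. 'edit-page-node-form'.
 * @param $edit
 *   name => value pairs written into text inputs / textareas (or file paths
 *   for file inputs).
 * @param $submit
 *   Label of the submit button to press, or TRUE for the first one found.
 * @return
 *   Response body from curlExec(), or FALSE when the page could not be parsed,
 *   the form was not found or no submit button matched.
 */
function drupalPostModified($html, $form_id, $edit, $submit) {
  if (!$this->parse()) {
    return FALSE;
  }

  // $form_id is spliced into an XPath string literal; a quote would break (or
  // redirect) the expression, so refuse such ids outright.
  if (strpos($form_id, "'") !== FALSE) {
    $this->fail(t('Invalid form id %id', array('%id' => $form_id)));
    return FALSE;
  }
  $forms = $this->elements->xpath("//input[@id='" . $form_id . "']/parent::*");
  if (empty($forms)) {
    $this->fail(t('Form %id not found on the page', array('%id' => $form_id)));
    return FALSE;
  }
  $form = $forms[0];

  $post = array();
  $upload = array();
  $submit_matches = $this->handleFormModified($post, $edit, $upload, $submit, $form);
  if (!$submit_matches) {
    // Without a submit button Drupal's Form API never runs the submit handlers,
    // so there is nothing worth posting.
    $this->fail(t('No submit button matched on form %id', array('%id' => $form_id)));
    return FALSE;
  }

  // NOTE(review): the target comes from the crawled page's own action
  // attribute and every curl request carries the scanner session cookie; an
  // off-site action would hand that cookie to a third party. Consider
  // restricting $action to the host being scanned.
  $action = isset($form['action']) ? $this->getAbsoluteUrl($form['action']) : $this->getUrl();

  if ($upload) {
    // curl treats a leading '@' in a POST field as "upload this file", so a
    // plain value starting with '@' cannot be mixed with real uploads.
    foreach ($post as $value) {
      if (strlen($value) > 0 && $value[0] == '@') {
        $this->fail(t("Can't upload and post a value starting with @"));
        return FALSE;
      }
    }
    foreach ($upload as $key => $file) {
      $post[$key] = '@' . realpath($file);
    }
  }
  else {
    // Same urlencode()'d key=value&... body the original built by hand.
    $post = http_build_query($post, '', '&');
  }

  // The original returned before this point (a leftover `die;`), so the form
  // was never actually submitted.
  $out = $this->curlExec(array(CURLOPT_URL => $action, CURLOPT_POSTFIELDS => $post, CURLOPT_POST => TRUE));

  // Ensure that any changes to variables in the other thread are picked up.
  $this->refreshVariables();
  return $out;
}

/**
 * Build the POST body for $form, writing $edit values into its fields.
 *
 * Walks every <input> and <textarea> inside $form. The original used an
 * absolute '//input[@type='text']|//textarea' query, which searched the whole
 * document rather than the form and skipped hidden inputs and buttons, so
 * form_id / form_build_id / form_token and the submit button were never
 * posted and the 'submit' branch below was unreachable. form_token is bound
 * to the session that fetched the page: the POST must go out with the same
 * cookie as the GET.
 *
 * @param &$post
 *   Receives name => value pairs to POST.
 * @param &$edit
 *   Values to seed; consumed entries are unset.
 * @param &$upload
 *   Receives name => local path for file inputs named in $edit.
 * @param $submit
 *   Submit-button label to press, or TRUE for the first one found.
 * @param $form
 *   SimpleXMLElement of the form.
 * @return
 *   TRUE when a submit button was selected, FALSE otherwise.
 */
protected function handleFormModified(&$post, &$edit, &$upload, $submit, $form) {
  $submit_matches = FALSE;
  // Relative path: only elements inside this form.
  $elements = $form->xpath('.//input|.//textarea');
  if (!$elements) {
    return FALSE;
  }

  foreach ($elements as $element) {
    // SimpleXML objects need string casting all the time.
    $name = (string) $element['name'];
    if ($name === '') {
      // Unnamed controls are never submitted by a browser either.
      continue;
    }
    // Either the type of <input> or the tag name itself for <textarea>.
    $type = isset($element['type']) ? (string) $element['type'] : $element->getName();
    $value = isset($element['value']) ? (string) $element['value'] : '';

    if (isset($edit[$name])) {
      switch ($type) {
        case 'text':
        case 'textarea':
          $post[$name] = $edit[$name];
          unset($edit[$name]);
          break;
        case 'file':
          $upload[$name] = $edit[$name];
          unset($edit[$name]);
          break;
      }
    }
    if (isset($post[$name])) {
      continue;
    }

    switch ($type) {
      case 'textarea':
        $post[$name] = (string) $element;
        break;
      case 'submit':
        // Press only one button: the requested label, or the first one when
        // $submit is TRUE (the original's `$submit == $value` relied on loose
        // comparison to make TRUE match any non-empty label).
        if (!$submit_matches && ($submit === TRUE || (string) $submit === $value)) {
          $post[$name] = $value;
          $submit_matches = TRUE;
        }
        break;
      case 'checkbox':
      case 'radio':
        // Browsers only send checked boxes/radios; posting every value would
        // flip node options such as status or promote.
        if (isset($element['checked'])) {
          $post[$name] = $value;
        }
        break;
      case 'file':
        // Only uploaded through $upload.
        break;
      default:
        // hidden, password, untyped <input>, ...: post the current value.
        $post[$name] = $value;
    }
  }
  return $submit_matches;
}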