I'm using the php mail function and I have a form with the name field, phone field, email field and message field which is a text area. The email field (along with the name and phone field) displays in the message and isn't used to send an email to that address. The To: fields and subject: fields and From: header are static in the script and is designed to always be the same.
I was recently trying to try email injection to my own script so I can then know if my preventative measures are working or not.
I've tried putting in the fields
%0ATo:mysecondemailaddress#provider.com and also %0ACc:mysecondemailaddress#provider.com, but the email doesn't even send to the proper email address at all. I was just wondering what is the correct method to do this, and also when I am using preventative methods such as identifying strings and either removing them or denying the email from being sent what characters such as % should I also be on the look out for?
It doesn't look like using the form to directly enter the injection works very well. I'm using the following to test out a mailer I'm putting together, it posts the data from the script. The $postData will have to be modified to suit your form. This just BCCs a 'victim':
<?php
$postData =
'contactname=Lord+Sauron&'.
'email=darklord#ciplit.com.au%0ABcc:frodo#ciplit.com.au'.
'&message=Sorry+about+that+whole+ring+thing.+No+hard+feelings%3F';
$url = 'http://'.$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']).'/onetrueformmailer.php';
$result = do_post_request($url, $postData);
echo($result);
// http://wezfurlong.org/blog/2006/nov/http-post-from-php-without-curl/
function do_post_request($url, $data, $optional_headers = null) {
$params = array('http' => array(
'method' => 'POST',
'content' => $data
));
if ($optional_headers !== null) {
$params['http']['header'] = $optional_headers;
}
$ctx = stream_context_create($params);
$fp = #fopen($url, 'rb', false, $ctx);
if (!$fp) {
throw new Exception("Problem with $url, $php_errormsg");
}
$response = #stream_get_contents($fp);
if ($response === false) {
throw new Exception("Problem reading data from $url, $php_errormsg");
}
return $response;
}
?>
Related
I try to submit a form to remote server: http://openconvert.clarin.inl.nl/openconvert/tagger#text, as you can see the required fileds are input and format, and the action url is http://openconvert.clarin.inl.nl/openconvert/text/, so I try the following in php:
<?php
function do_post_request($url, $data, $optional_headers = null)
{
$params = array('http' => array(
'method' => 'POST',
'content' => $data
));
if ($optional_headers !== null) {
$params['http']['header'] = $optional_headers;
}
$ctx = stream_context_create($params);
$fp = #fopen($url, 'rb', false, $ctx);
if (!$fp) {
throw new Exception("Problem with $url, $php_errormsg");
}
$response = #stream_get_contents($fp);
if ($response === false) {
throw new Exception("Problem reading data from $url, $php_errormsg");
}
return $response;
}
$remoteurl="http://openconvert.clarin.inl.nl/openconvert/text";
$rawdata=array(
'input'=>'test',
'format'=>'text');
$data=http_build_query($rawdata, '', '&'); //flags_, myvar_
var_dump($data);
echo "<br />";
echo do_post_request($remoteurl,$data,'Content-Type: text/html');
?>
I don't know why the server can't find my data?
The output is:
string(26) "input=test&format=text"
<br /><?xml version="1.0" encoding="UTF-8"?>
<error>Insufficient parameters. Required parameters: input, format</error>
There might be other problems, but the & value in http_build_query is definitely wrong. You're not embedding your urlencoded data into an html document, so you should not html-escape the ampersand. Replacing that line with:
http_build_query($rawdata, '', '&');
should be better, but it might not be 100% of your solution.
P.S.: Don't use #, ever. You are suppressing real errors that you should see.
I am using the example function given in this post:
<?php
function do_post_request($url, $data, $optional_headers = null)
{
$params = array('http' => array(
'method' => 'POST',
'content' => $data
));
if ($optional_headers !== null) {
$params['http']['header'] = $optional_headers;
}
$ctx = stream_context_create($params);
$fp = #fopen($url, 'rb', false, $ctx);
if (!$fp) {
throw new Exception("Problem with $url, $php_errormsg");
}
$response = #stream_get_contents($fp);
if ($response === false) {
throw new Exception("Problem reading data from $url, $php_errormsg");
}
return $response;
}
?>
I also tried a similar approach using file_get_contents(), like this:
$options = array(
'http'=>array(
'method'=>"POST",
'header'=>
"Accept-language: en\r\n".
"Content-type: application/x-www-form-urlencoded\r\n",
'content'=>http_build_query(
array(
'arg1'=>'arg_data_1',
'oper'=>'get_data',
'arg2'=>'arg_data_2',
'id_number'=>'7862'
),'','&'
)
));
$context = stream_context_create($options);
$refno = file_get_contents('/path/to/script/script.php',false,$context);
var_dump($refno);
With both these scripts, the response from the server script is the same, and it is the TEXT of the script.php. The code of the server script is never begin executed, and the text content (the PHP code) of the script is being returned to the original script.
A little strange that it doesn't return all the text, but just certain pieces... I tried making a test script (test.php) that just contains:
<?php
echo '{"a":1,"b":2,"c":3,"d":4,"e":5}';
?>
but that doesn't return anything from the POST request, so I didn't include that. The script.php is a must longer script that does a lot of logic and MySQL queries then returns a JSON object.
The desired output will be to have the PHP code execute and return a JSON object (the way it works with ajax).
What am I doing wrong?
You are trying access script localy.
You must call it like any other external script like
$refno = file_get_contents('http://yourhost/path/to/script/script.php',false,$context);
I'm trying to use PHP to authenticate to a web service by posting to an authentication method with a .txt file containing my username and password formatted in JSON.
It's not working and I'm having a hard time figuring out why not.
Here's the code I'm trying to use. First there's a function I'm using to do the posting. Then I create a variable for my data file and another for my URL for the AUTH service.
<?php
function do_post_request($url, $data, $optional_headers = null)
{
$params = array('http' => array(
'method' => 'POST',
'content' => $data
));
if ($optional_headers !== null) {
$params['http']['header'] = $optional_headers;
}
$ctx = stream_context_create($params);
$fp = #fopen($url, 'rb', false, $ctx);
if (!$fp) {
throw new Exception("Problem with $url, $php_errormsg");
}
$response = #stream_get_contents($fp);
if ($response === false) {
throw new Exception("Problem reading data from $url, $php_errormsg");
}
return $response;
}
// Let's get logged in and get an authkey
$url = 'http://service.com/auth';
$data= 'creds.txt';
$authkey = do_post_request($url, $data);
print_r($authkey);
?>
The text of my creds.txt file:
{
"auth": {
"username": "myusername",
"password": "mypassword"
}
}
What am I doing wrong? I'm getting an invalid data error. Do I need to use a full URL to the text file? Is the textfile not formatted properly?
The docs for the service only say that I need:
"a JSON-formatted text file with your username and password"
$data= 'creds.txt'; should be like:
$data= file_get_contents('creds.txt');
I don't see you open the creds.txt anywhere, I believe you should send in jSON format.
Without disclosing "service.com" or more details about the website itself it'll be hard to figure out a solution since it can be a number of things but you're never passing the actual data (only the file path).
Try:
$authkey = do_post_request($url, file_get_contents($data));
i want to post an xml document to a url, using simple php code.
i have a javascript code but the javascript will not support cross domain, so i just want to do it with php.
does any one have a code for this to support me...
Take a look at SimpleXML: http://us2.php.net/simplexml
Handling HTTP messaging in PHP is quite straightforward using the PECL HTTP classes.
In your instance you want to issue an HTTP request (that's a client->server message). Thankfully the HttpRequest::setPostFiles simplifies the process of including file content in an HTTP request. Refer to the PHP manual page (previous link) for specifics.
Unfortunately the manual pages for the HTTP classes are a bit sparse on details and it's not fully clear what the arguments for HttpRequest::setPostFiles should be, but the following code should get you started:
$request = new HttpRequest(HttpMessage::HTTP_METH_POST);
$request->setPostFiles(array($file));
$response = $request->send(); // $response should be an HttpMessage object
The manual for HttpRequest::setPostFiles states that the single argument of this method is an array of files to post. This is unclear and may mean an array of local file names, an array of file handles or an array of file contents. It shouldn't take long to figure out which is correct!
Here's an example that uses streams and does not rely on PECL.
// Simulate server side
if (isset($_GET['req'])) {
echo htmlspecialchars($_POST['data']);
exit();
}
/**
* Found at: http://netevil.org/blog/2006/nov/http-post-from-php-without-curl
*/
function do_post_request($url, $data, $optional_headers = null)
{
$params = array('http' => array('method' => 'POST',
'content' => $data));
if ($optional_headers !== null) {
$params['http']['header'] = $optional_headers;
}
$ctx = stream_context_create($params);
$fp = #fopen($url, 'rb', false, $ctx);
if (!$fp) {
throw new Exception("Problem with $url, $php_errormsg");
}
$response = #stream_get_contents($fp);
if ($response === false) {
throw new Exception("Problem reading data from $url, $php_errormsg");
}
return $response;
}
// Example taken from: http://en.wikipedia.org/wiki/XML
// (Of course, this should be filled with content from an external file using
// file_get_contents() or something)
$xml_data = <<<EOF
<?xml version="1.0" encoding='ISO-8859-1'?>
<painting>
<img src="madonna.jpg" alt='Foligno Madonna, by Raphael'/>
<caption>This is Raphael's "Foligno" Madonna, painted
in <date>1511</date>-<date>1512</date>.</caption>
</painting>
EOF;
// Request is sent to self (same file) to keep all data
// for the example in one file
$ret = do_post_request(
'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'] . '?req',
'data=' . urlencode($xml_data));
echo $ret;
I'm trying to send an XML file to a server as part of the POST method for an internal API.
All the PHP documentation points to using the $postVars['file']='#/path/to/file.xml' to actually send the file.
I want to send the file from a string, but it still needs to be sent as a file upload, not a string.
Help?
Take a look at this thread it deals with what you want to do I think: http://www.webmasterworld.com/php/3164561.htm
The last entry might be of help (reformatted by me):
function do_post_request($url, $data, $optional_headers = null) {
$params = array('http' => array(
'method' => 'post',
'content' => $data
));
if ($optional_headers!== null)
$params['http']['header'] = $optional_headers;
$ctx = stream_context_create($params);
$fp = #fopen($url, 'rb', false, $ctx);
if (!$fp)
throw new Exception("Problem with $url, $php_errormsg");
$response = #stream_get_contents($fp);
if ($response === false)
throw new Exception("Problem reading data from $url, $php_errormsg");
return $response;
}
Basically the solution is to make use of the built-in php stream handling for urls.
http://www.sematopia.com/?p=153 and http://www.daniweb.com/forums/thread150772.html might help.