CSRF with XSS payload encoding help

Viewing 5 reply threads
  • Author
    Posts
    • #7746
      eyenit0
      Participant

      Hey everyone,

      So, I’ve found an XSS vuln that I’d like to exploit via a CSRF vuln, but I’m having trouble with encoding in the CSRF.
      Right now my CSRF exploit is just a hidden html form that’s auto submitted by javascript. The XSS payload requires double quotes, which breaks the HTML form. For example, the value with the payload would look something like this:

      value=”

      That obviously doesn’t work because the quotes in the payload screw up the form. I can’t URL encode the quotes because then they get double encoded and the payload won’t execute. I’ve tried changing the enctype of the form to text/plain and multi-part/formdata but no luck. The CSRF vulnerable link will only take POST, not GET.

      Any ideas on how to get around this? I was thinking it may be possible to dynamically construct an http POST request with Javascript to submit it, but I’m not sure how.

      Any input is appreciated!

    • #48378
      unicityd
      Participant

      Will any of the URL shortening services accept it?

    • #48379
      eyenit0
      Participant

      Do any of those work with POST requests? I am not aware of any that handle those, but I’d love to hear of something like that if you know of one.

    • #48380
      unicityd
      Participant

      No; they won’t work with POST requests. There are other websites that will submit a POST for you though.

      http://tomengineering.tripod.com/gettopost.html
      http://get-to-post.nickj.org/

    • #48381
      ambient
      Participant

      You could implement it by CSRF redirector technique.
      I have posted here but the source code is unavailable.

      http://pornsookk.wordpress.com/2011/07/08/csrf-redirector/



      PHP CSRF Redirector

      <?php
      /*   Call
      *   http://hackerhost.net/csrf_redirect.php?csrf=http://vulnerable.net?username=john|passwd=12345
      */
      $csrf   = $_GET;
      $tokens = preg_split('/?/',$csrf);
      $url    = $tokens[0];
      $vars   = preg_split('/|/',$tokens[1]);
      print ('
      ');
      for($i=0;$i<sizeof($vars);$i++)
      {  /* $vars[$i]:  key=value;
          * key   = terms[0]
      * value = terms[1]  
      */
         $terms = explode('=',$vars[$i]);
      print('');
      } //end for loop
      print("
      ");
      ?>

       document.forms[0].submit();




    • #48382
      MaXe
      Participant

      Take a look at: http://www.intern0t.org/xssor/ for encoding methods.

      Take a look at: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ for a real world Proof of Concept (and former 0day).

      The actual tool is available via: http://www.exploit-db.com/sploits/evilwebtool.tar.gz where trojan.js contains the javascript payload. (Note that the python tool reads php code or the reverse php shell (from pentestmonkey) and parses it into the trojan file before serving it.

      It took some clever encoding, but it works 100% (tested in FireFox) and has been used in a few demo’s that I’ve made. Knowing JavaScript, HTML and attack vectors within these, including various encoding methods, will be sufficient to pull off any XSS attack even defeating Anti-CSRF tokens.

      The trojan.js file bypasses the built-in CSRF protection in vBulletin as well.  ;D It’s probably the best PoC that I have ever made hehe

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?