August 2, 2012 at 7:13 pm #7746 eyenit0 (Participant)
So, I’ve found an XSS vuln that I’d like to exploit via a CSRF vuln, but I’m having trouble with encoding in the CSRF.
That obviously doesn’t work because the quotes in the payload screw up the form. I can’t URL encode the quotes because then they get double encoded and the payload won’t execute. I’ve tried changing the enctype of the form to text/plain and multipart/form-data but no luck. The CSRF vulnerable link will only take POST, not GET.
Any input is appreciated!
August 2, 2012 at 7:19 pm #48378 unicityd (Participant)
Will any of the URL shortening services accept it?
August 3, 2012 at 4:32 am #48379 eyenit0 (Participant)
Do any of those work with POST requests? I am not aware of any that handle those, but I’d love to hear of something like that if you know of one.
August 3, 2012 at 7:50 am #48380
November 7, 2012 at 7:57 am #48381 ambient (Participant)
You could implement it with the CSRF redirector technique.
I have posted here but the source code is unavailable.
PHP CSRF Redirector
$csrf = $_GET;
$tokens = preg_split('/\?/', $csrf);
$url = $tokens;
$vars = preg_split('/\|/', $tokens);
November 7, 2012 at 8:49 am #48382 MaXe (Participant)
Take a look at: http://www.intern0t.org/xssor/ for encoding methods.
Take a look at: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ for a real world Proof of Concept (and former 0day).
The trojan.js file bypasses the built-in CSRF protection in vBulletin as well. ;D It’s probably the best PoC that I have ever made hehe
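The defender-side counterpart of the two bugs this thread chains, as an added example that is not code from the thread or from any of its posters: the reflected quotes that cause the original poster's encoding trouble are exactly what contextual output encoding neutralizes, and a per-session synchronizer token rejects a cross-site POST. The handler name, the "comment" field and the sample input are assumptions made for the example.

```php
<?php
// Added example (assumed handler shape, not the thread's own code): a reflected
// HTML attribute rendered the vulnerable way and the hardened way, plus a
// synchronizer-token check for state-changing POSTs.
declare(strict_types=1);

// Vulnerable rendering: user input goes straight into an attribute value, so a
// value containing a double quote closes the attribute and injects new markup.
function render_vulnerable(string $comment): string
{
    return '<input type="text" name="comment" value="' . $comment . '">';
}

// Hardened rendering: ENT_QUOTES encodes both ' and ", so the browser treats
// the whole value as text and nothing leaves the attribute.
function render_safe(string $comment): string
{
    $enc = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="comment" value="' . $enc . '">';
}

// Synchronizer token: one random token per session, embedded in every form
// and compared in constant time before any state change is applied.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Constructed sample input: the kind of quote-bearing value the thread is about.
$sample = 'a" onfocus="alert(1)';

echo "vulnerable: " . render_vulnerable($sample) . "\n";
echo "hardened:   " . render_safe($sample) . "\n";

// A cross-site form never learns the session token, so only the first check passes.
$session = [];
$token = csrf_token($session);
var_dump(csrf_valid($session, ['csrf' => $token]));
var_dump(csrf_valid($session, ['csrf' => 'not-the-token']));
var_dump(csrf_valid($session, []));
```

The caveat a reviewer should attach to this thread: once an XSS bug exists on an origin, script running there can read the page's CSRF token and submit a valid POST, so the token does not stop a CSRF that originates from XSS on the same site. The token blocks cross-origin forms; the output encoding is what removes the XSS that the chain depends on.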