Sunday, 1 December 2013

Cross Site Request Forgery [ CSRF ]


Hello! Today my tutorial is about Cross-Site Request Forgery [CSRF].

Understanding Attack Method


Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access sensitive data.

For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish a forged request from a legitimate user request.

In this way, the attacker can make the victim perform actions that they did not intend, such as logging out, purchasing an item, changing account information, retrieving account information, or any other function provided by the vulnerable website.

Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished simply by storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in its threat modeling process and in many places in its online documentation.
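The point above, that the site cannot tell a forged request from a real one because the browser attaches the session cookie to both, is exactly what a synchronizer token fixes: the server demands something a page on another origin cannot obtain. The following Python is an added example and not code from the original post; the in-memory session store, the request dictionary shape, the site origin https://www.example.com, the attacker origin and the handler names are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed site origin and a per-process secret known only to the server (both constructed for this example).
SITE_ORIGIN = "https://www.example.com"
SERVER_SECRET = secrets.token_bytes(32)

# Constructed in-memory session store: session cookie value -> session record.
SESSIONS = {
    "sess-alice": {"user": "alice", "email": "alice@example.com"},
}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).

    The server embeds this in the forms it renders. A page on another origin
    cannot read that form (same-origin policy), so a forged request cannot carry
    a valid token even though the browser attaches the session cookie automatically.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def change_email(request: dict) -> dict:
    """Handler for a state-changing action.

    `request` is a constructed dict with keys: method, cookies, headers, form.
    Each check below stops one of the CSRF vectors described in the text.
    """
    headers = request.get("headers", {})
    form = request.get("form", {})
    session_id = request.get("cookies", {}).get("session")
    session = SESSIONS.get(session_id)

    # 1. Authentication: anonymous requests never reach the state change.
    if session is None:
        return {"status": 401, "body": "You have to login to access this form"}

    # 2. No state change on GET: an <img src=...> or <iframe> fetch is a GET.
    if request.get("method") != "POST":
        return {"status": 405, "body": "method not allowed"}

    # 3. Origin / Referer check (defence in depth; browsers send Origin on cross-site POSTs).
    #    Origin is compared exactly; Referer carries a path, so it must start with origin + "/".
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return {"status": 403, "body": "cross-origin request rejected"}

    # 4. Synchronizer token: the part a cross-site page cannot supply.
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return {"status": 403, "body": "missing or invalid CSRF token"}

    session["email"] = form["email"]
    return {"status": 200, "body": "e-mail changed"}


def demo() -> list:
    """Run one legitimate request and three forged ones; return the status codes."""
    cookies = {"session": "sess-alice"}  # the browser attaches this to every request to the site
    legitimate = {
        "method": "POST", "cookies": cookies,
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "alice.new@example.com", "csrf_token": issue_csrf_token("sess-alice")},
    }
    forged_img = {  # <img src="https://www.example.com/change_email?email=..."> on an attacker page
        "method": "GET", "cookies": cookies,
        "headers": {"Referer": "https://attacker.example/"},
        "form": {"email": "attacker@attacker.example"},
    }
    forged_form = {  # auto-submitted hidden POST form on an attacker page
        "method": "POST", "cookies": cookies,
        "headers": {"Origin": "https://attacker.example"},
        "form": {"email": "attacker@attacker.example"},
    }
    forged_no_origin = {  # same POST with the Origin header absent: the token check still stops it
        "method": "POST", "cookies": cookies, "headers": {},
        "form": {"email": "attacker@attacker.example"},
    }
    return [change_email(r)["status"] for r in (legitimate, forged_img, forged_form, forged_no_origin)]


if __name__ == "__main__":
    print(demo())  # [200, 405, 403, 403]
```

Running the block prints the four status codes: only the request that carries both the session cookie and the token issued for that session is accepted, while the image-tag GET, the cross-origin form POST and the POST with no Origin header are all refused. The token is derived from the session id with a server-side HMAC, so the server stores nothing extra per form; the Origin check is kept as a second, independent layer rather than as the only defence.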


Finding Vulnerable Target

Okay, let's get it started.

Dork:
  1.  inurl:/wp-content/themes/clockstone2/images/jplayer/
  2.  inurl:/wp-content/themes/clockstone_3.2/images/jplayer/
  3.  inurl:/wp-content/themes/money/images/jplayer/
  4.  inurl:/wp-content/themes/trymee/images/jplayer/
  5.  inurl:/wp-content/themes/pacifico/images/jplayer/
  6.  inurl:/plugins/simple-forum/ inurl:/wp-content/themes/cleanple/

Exploiter : Download Here

1- Choose any of the dorks and paste it on Google.

2- Pick any site as your target.

3- Exploit. For example, if your target looks like this,


4- You need to remove /images/jplayer/ and replace it with /theme/functions/.

Your target will then look like this,

5- After that, find

  1.  upload.php
  2.  upload-bg.php
  3.  upload-icon.php 


6- Click on any of those. If you get "error", that means the site is vuln. But if you get something like "You have to login to access this form", the site is not vuln.

7- Open the exploiter (CSRF.html) that you've downloaded with Notepad first, and change the site to your target site.

8- Open the exploiter in your browser and upload your shell.php or deface page.html.

To view your file, go to

  1. http://www.yourtargetsite.com/wp-content/themes/pacifico/theme/functions


The file name will be an MD5 hash or something similar. :D

That's all. Thanks for reading :)