-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathindex.html
224 lines (187 loc) · 6.04 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
<a href=//egorhomakov.com>Egor Homakov</a> | Stuff: <a href="4sqlet.html">4sq app</a>
<a href="redmine.html">Redmine JS leaking</a>
<a href="anysquare.html">Clickjacking extractor</a>
<a href="stealpass.html">Steal pass with XSS demo</a>
<hr>
<b>ACT — Awesome CSRF Tool for demonstration, testing and exploitation CSRF.</b>
<p>CURL:</p>
<p><textarea rows="4" cols="100" id="curl">curl "http://homakov.blogspot.ru/2013/04/consulting.html" -H "version: HTTP/1.1" --data "key1=val&csrf_token=123qwe&hash[lol]=123"</textarea></p>
<div>
<input onclick="switch_auto()" type="checkbox" id="c1"><label for="c1">Auto-submission</label>
<input onclick="switch_base()" type="checkbox" id="c2"><label for="c2">Base64 URL</label>
</div>
<div id="form"></div>
<iframe id="postme" seamless sandbox="allow-scripts allow-forms" style="width:800px;height:200px;"></iframe>
<hr>
<p>I am going to create best & simplest CSRF tool ever. Writeup soon. Play with CURL and location hash input — you will love it! Propose your ideas @homakov.<p>
<img src="http://f.cl.ly/items/411t2m0W0n3h1k3g2F3w/Screen%20Shot%202013-05-05%20at%209.31.54%20PM.png"><p>
<script>
var match_re = '"([^"]+)"';
var url_re = new RegExp('curl '+match_re);
var headers_re = new RegExp('-H '+match_re);
var data_re = new RegExp('--data '+match_re);
var form_obj = {};
var base_enc = false; //useless anyway ;)
function parse_data(data){
var res = {};
var vars = data.split('&');
for (var i = 0; i < vars.length; i++) {
if(vars[i].length){
var pair = vars[i].split('=');
res[decodeURIComponent(pair[0])] = decodeURIComponent(pair[1] || '');
}
}
return res;
}
function dump_data(data){
var res = '';
for(var k in data){
res += encodeURIComponent(k)+'='+encodeURIComponent(data[k])+'&';
}
return res;
}
function submit_to(to){
genform.target = to;
genform.submit();
return false;
}
function no_ref(){
/*
var x=new XMLHttpRequest;
x.open(form_obj.method, form_obj.url);
x.send(form_obj.data);
*/
postme.src = 'data:text/html,'+get_html();
}
function switch_method(){
var swap = (form_obj.method == 'GET') ? 'POST' : 'GET'
form_obj.method = swap;
update_form();
}
function switch_url(url){
form_obj.url = url;
update_form();
}
function switch_auto(){
form_obj.autosubmit = !form_obj.autosubmit;
update_form();
}
function switch_base(){
base_enc = !base_enc;
dump_hash();
}
function get_inputs(){
return genform.getElementsByTagName('input');
}
function get_html(){
//alert invisible form
return (generate_form(form_obj, false)+'<script>genform.submit()<'+'/script>');
}
function generate_form(obj, visible){
var inputs = '';
if(obj.data){
var pairs = parse_data(obj.data);
inputs += '';
for(var k in pairs){
if(visible){
inputs += '<tr><td>'+esc(k)+' </td><td><input onchange="update_fields();" size=100 name="'+esc(k)+'" value="'+esc(pairs[k])+'"><a onclick="this.parentNode.parentNode.remove();update_fields();">[X]</a></td></tr>';
}else{
inputs += '<input type="hidden" name="'+esc(k)+'" value="'+esc(pairs[k])+'">';
}
}
if(visible) inputs = '<table>'+inputs+'</table>';
}
var outform = '<form id="genform" action="'+esc(obj.url)+'" method="'+obj.method+'">'+inputs+'</form>';
if(visible){
var out = '<p><a id="cur_method" title="Switch?" href="javascript:switch_method()">'+obj.method+'</a> <input size=120 value="'+esc(obj.url)+'" onchange="switch_url(this.value);"> </p>';
out += '<div>'+outform+'</div>';
out += '<div><input id="new_name" placeholder="name"> = <input id="new_value" placeholder="value"> <a href="javascript:update_fields(1);">add<a></div>';
out += '<p><input type="submit" onclick="return submit_to(\'_blank\')" value="New window"><input type="submit" onclick="return submit_to(\'_top\')" value="This window"><input type="submit" onclick="return submit_to(\'postme\')" value="Iframe below"><input type="submit" onclick="return no_ref();" value="Empty referer"> | <input type="submit" value="Get CSRF exploit" onclick="alert(get_html());"></p>';
out = '<div class="yelo">'+out+'</div>';
return out;
}else{
// hidden form
return outform;
}
}
var HTML = {
chars: {
'&':'&',
'<':'<',
'>':'>',
'"':'"',
"'":'''
},
escape: function(i){
return i.replace(HTML.re, function(m){
return HTML.chars[m];
})
}
}
HTML.re = new RegExp("("+Object.keys(HTML.chars).join('|')+')','g');
var esc = HTML.escape;
function parse_curl(){
var input = curl.value;
form_obj ={
url: input.match(url_re)[1],
autosubmit: false,
target: '_top'
}
if(data = input.match(data_re)){
form_obj.data = data[1];
form_obj.method = 'POST';
}else{
form_obj.method = 'GET';
}
update_form();
}
function dump_hash(){
var str = JSON.stringify(form_obj);
location.hash = base_enc ? btoa(str) : str;
}
function update_fields(new_pair){
var inputs = get_inputs();
var vals = {}
for(var k = 0; k<inputs.length;k++){
vals[inputs[k].name] = inputs[k].value;
}
if(new_pair) vals[new_name.value] = new_value.value;
form_obj.data = dump_data(vals);
update_form();
}
function update_form(){
form.innerHTML = generate_form(form_obj, true);
dump_hash(); //updating form? update hash too!
}
curl.onchange = parse_curl;
window.onload = function(){
if(location.hash){
//lets load CSRF template
curl.value = '';
var str = location.hash.substr(1);
if(str[0]!='{'){
base_enc = true;
str = atob(str);
c2.checked = true;
}
form_obj = JSON.parse(str);
// shame on you, asintsov and cyberpank!
if(form_obj.url.substr(0,4) != 'http') form_obj.url = 'http://yo.yo';
if(['POST','GET'].indexOf(form_obj.method) == -1) form_obj.method = 'POST';
// if autosubmit it should be hidden i guess
form.innerHTML = generate_form(form_obj, !form_obj.autosubmit);
if(form_obj.autosubmit){
c1.checked = true; //lolwhy?
submit_to(form_obj.target);
}
}else{
//demo
parse_curl();
}
}
</script>
<style>
.yelo{
background-color: yellow;
}
</style>