Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Date: October 18, 2006 06:46PM

I'm sorry if this is in the wrong section though I figured it'd work under the "Projects" section due to its nature. I need someone who is fully capable of writing a simple PHP script for me, which would aid in the proof-of-concept for a large scale CSRF worm. I don't plan on releasing it publically (well I'll post it here after I've confirmed it works, and the site owner is alerted), but just implementing it as a test so that I can show the site's owner and CEO their vulnerability to CSRF. I don't want to release too much information here until I can complete the job, but if you're interested please reply here. I can understand PHP, but do not know functions by name or anything as I'm more proficient in other languages.
I'm just looking for a really small script, which will automate certain processes for me, and was hoping someone with skills such as WhiteAcid's could aid.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Posted by: rsnake
Date: October 18, 2006 07:02PM

Sounds like something quite a few of us could help out with. Can you post some more information on what you need it to do?

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Date: October 18, 2006 08:18PM

I am not quite sure what exactly you want to achieve with this but from what I can see you need an XSS proxy. There is one that I wrote here http://www.gnucitizen.org/projects/attackapi/ click on the channel.php link. If that is what you need that use it.

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Posted by: WhiteAcid
Date: October 18, 2006 08:48PM

To simulate a CSRF worf you'd still need a pretty large script, almost require someone to re-create myspace (minus most of the crappy features). To actually perpetuate CSRF worms requires a browser, no way am I going to simulate that in a browser.

In short, please be more specific with what you need.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Date: October 19, 2006 05:35PM

I'm more familiar with client-side scripting, and Visual Basic, and so I can only really read PHP, and barely write it. I need a script (which I'm assuming is would be small), which would basically grab the referer, which would be the page it was implemented on remotely, and then cut it up grabbing the server number, the name of the page, excetra, then reform the URL and submit it via POST. I had someone writing it, but they haven't really done anything for it since I asked them over a month ago. He did say however that cookie data wasn't sent along with the request though I figured since the actual CRSF took place on the page it'd go through. Input?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Posted by: rsnake
Date: October 19, 2006 06:01PM

that's almost exactly what he's written: http://www.whiteacid.org/misc/xss_post_forwarder.php

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Posted by: maluc
Date: October 19, 2006 06:21PM

and yes, whatever cookies the client has stored are sent automatically by the browser.. long as the domain matches up

i believe whiteacid provides the source for that on his site somewhere.. and it should be easy enough to modify it to autosubmit (<body onload=submitform()>)

-maluc

Options: ReplyQuote
Re: Need Proficient PHP Scripter To Help Create CSRF Concept Worm
Posted by: WhiteAcid
Date: October 19, 2006 06:29PM

aah... now I understand what you want, I think.
Yes, the source code is here: http://www.whiteacid.org/misc/xss_post_forwarder.phps

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Options: ReplyQuote


Sorry, only registered users may post in this forum.