// Node core
var vm = require('vm')
// project settings, npm packages and project helpers (original order kept:
// the nano handle below needs Settings to be loaded first)
var Settings = require('../Settings.js')
var request = require('request')
var log = require('../util/log.js')
var curl = require('node-curl')
var nano = require('nano')(Settings.jerry.CouchDB.URL)
var urlsDb = nano.db.use('urls')
var S = require('string')
var alertAdmins = require('./AlertAdmins.js')
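/**
 * Fetch `urlDoc.url`, solve the page's cookie-setting redirect script, and
 * fetch the URL again with the resulting cookie.
 *
 * The first response is expected to carry a <script> of a fixed shape: a
 * base64-style decoder (`xdec`) whose alphabet ("keyOne") and input
 * ("keyTwo") are the only variable parts. Everything around those two keys is
 * compared byte-for-byte against the expected template before anything is
 * executed, so the only remote-controlled text that reaches the interpreter is
 * the two keys, and those are restricted to characters that cannot close or
 * escape the string literals they are spliced into.
 *
 * @param {{url: string}} urlDoc - Document holding the URL to fetch.
 * @param {function((Error|string|null), Object=)} callback - Node-style
 *   callback. On success it receives the second (cookie-bearing) curl
 *   response; on failure an Error from curl or a descriptive string.
 */
module.exports = function(urlDoc, callback) {
  curl(urlDoc.url, function(err) {
    if (err) return callback(err)
    var response = this
    // The code we expect, split around the two variable keys.
    var a = 'function xdec(data){var o="'
    var b = '";var o1,o2,o3,h1,h2,h3,h4,bits,i=0,ac=0,dec="",tmp_arr=[];if(!data){return data}data+=\'\';do{h1=o.indexOf(data.charAt(i++));h2=o.indexOf(data.charAt(i++));h3=o.indexOf(data.charAt(i++));h4=o.indexOf(data.charAt(i++));bits=h1<<18|h2<<12|h3<<6|h4;o1=bits>>16&0xff;o2=bits>>8&0xff;o3=bits&0xff;if(h3==64){tmp_arr[ac++]=String.fromCharCode(o1)}else if(h4==64){tmp_arr[ac++]=String.fromCharCode(o1,o2)}else{tmp_arr[ac++]=String.fromCharCode(o1,o2,o3)}}while(i<data.length);dec=tmp_arr.join(\'\');return dec};document.cookie=xdec(\''
    var c = '\').replace(String.fromCharCode(0),\'\').split(\'\').reverse().join(\'\'); location.href=\'/\';'
    // extract keys from response (string.js `between` yields '' when a
    // delimiter is missing, which the template check below then rejects)
    var keyOne = S(response.body).between(a, b).s
    var keyTwo = S(response.body).between(b, c).s
    // extract code from response
    var script = S(response.body).between("<script>", "</script>").s
    var responseA = script.substr(0, a.length)
    var responseB = script.substr(a.length + keyOne.length, b.length)
    var responseC = script.substr(a.length + keyOne.length + b.length + keyTwo.length)
    // detect changes in redirect script code from response: the prefix, the
    // middle and the suffix must each match, and the suffix must run to the
    // end of the script so nothing can be appended after the template
    if (responseA !== a) {
      return callback('Script A is different :: ' + response.body)
    }
    if (responseB !== b) {
      return callback('Script B is different :: ' + response.body)
    }
    if (responseC !== c) {
      return callback('Script C is different :: ' + response.body)
    }
    // The keys are spliced into string literals. A quote would close the
    // literal, a backslash would start an escape sequence and a line
    // terminator would end the literal or throw, so any of them lets the page
    // change what the verified template means (or crash this process on a
    // SyntaxError). Reject them all; the message keeps the original wording.
    // NOTE(review): if a legitimate alphabet ever contains a backslash this
    // needs a proper unescape of the key instead of a rejection - confirm.
    var unsafeKeyChar = /["'\\\r\n\u2028\u2029]/
    if (unsafeKeyChar.test(keyOne) || unsafeKeyChar.test(keyTwo)) {
      return callback('XSS detected in keys :: keyOne :: ' + keyOne + ' :: keyTwo :: ' + keyTwo)
    }
    // Browser vars the script assigns to; they are the only globals it sees.
    var sandbox = { document: {}, location: {} }
    // SECURITY: this still executes code assembled from a remote response.
    // The template check above pins everything except the two keys, and the
    // script runs in a fresh vm context rather than a direct eval() so it
    // cannot reach this module's scope (Settings, nano/urlsDb, require,
    // callback). vm is not a hard security boundary, so the template and key
    // checks remain the real defence; the timeout bounds a runaway decode loop.
    try {
      vm.runInNewContext(a + keyOne + b + keyTwo + c, sandbox, { timeout: 1000 })
    } catch (scriptErr) {
      return callback('Redirect script failed to run :: ' + scriptErr + ' :: ' + response.body)
    }
    var cookie = sandbox.document.cookie
    if (typeof cookie !== 'string' || cookie === '') {
      return callback('Redirect script did not set a cookie :: ' + response.body)
    }
    // Replay the request with the cookie the page wanted us to set.
    curl(urlDoc.url, {'cookie': cookie}, function(error) {
      if (error) return callback(error)
      return callback(null, this)
    })
  })
}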