From 3f82b0315a672eee2458ccb04b20ae923281fde6 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Fri, 2 Sep 2011 10:18:48 +0000
Subject: [PATCH] (Fixes issue 427): fixed sending back PoC for POST injection with xssrays.
git-svn-id: https://beef.googlecode.com/svn/trunk@1251 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 core/main/client/net/xssrays.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/core/main/client/net/xssrays.js b/core/main/client/net/xssrays.js
index 3ce98a720..d00017017 100644
--- a/core/main/client/net/xssrays.js
+++ b/core/main/client/net/xssrays.js
@@ -234,7 +234,7 @@ beef.net.xssrays = {
 for (var k = 0; k < this.vectors.length; k++) {
 // skip the current vector if it's not compatible with the hooked browser
- if (!this.checkBrowser(i)){
+ if (!this.checkBrowser(k)){
 beef.net.xssrays.printDebug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
 continue;
 }
@@ -377,8 +377,8 @@ beef.net.xssrays = {
 for (var i in params) {
 if (params.hasOwnProperty(i)) {
- //poc = vector.input.replace(/XSS/g, "BUG");
- poc = "something";
+ poc = vector.input.replace(/XSS/g, "alert(1)");
+ poc = poc.replace(/<\/script>/g, "<\/scr\"+\"ipt>");
 pocurl += i + '=' + (urlencode ? encodeURIComponent(poc) : poc); // + '&';
 beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
@@ -391,7 +391,6 @@ beef.net.xssrays = {
 form += '
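Review bot: In the `@@ -234,7 +234,7 @@` hunk the guard now indexes with `k`, but the debug call on the next context line still reads `this.vectors[i].name`. The loop variable shown is `k` and no `i` is defined in the visible lines, so the message would name the wrong vector, or throw on `.name` if `i` does not index a vector at that point. I would change that line to use `this.vectors[k].name` in the same commit. The enclosing `for` body continues outside the hunk.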
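Review bot: The second added `replace` in the `@@ -377,8 +377,8 @@` hunk has no comment saying why `</script>` is rewritten to `<\/scr"+"ipt>`, and its pattern `/<\/script>/g` is case-sensitive, so a vector that spells the tag `</SCRIPT>` would pass through unchanged. The replacement only makes sense if the recorded PoC is later embedded in a double-quoted JavaScript string inside an inline script block, which these lines do not show, so the assumption should be written down: `// break up the closing script tag so the stored PoC cannot end an enclosing inline <script> block`. I would also make the pattern `/<\/script>/gi`. The `for` and `if` bodies continue outside the hunk, and `poc` is assigned without a declaration visible here.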