shubham
Bronze I
Bronze ICross-Site Scripting: Ep.6 – Further Exploitation
I was stuck in one question looking for HINT. Extend the XSS vulnerability to view the contents of the /admin/token page with SSRF.
Forum Discussion
johndoe321Bronze I
Bronze II have done the following so far:
- Identify the wildcard cycles employee user ID & token
- Host the http server using the python module (port 8080)
- Create a script.js file w/ the code provided in the Briefing section w/ the XMLHttpRequest object's open method's url parameter set to /admin/token instead of /users/data (tried setting this many different things including http://{ip of employee machine}/admin/token, /{employee id}/{token} -
- All the while having the nc -vnlp 5555 looping in an infinite while loop
On the terminal monitoring the http server activity, I see a GET /script.js every ~60s or so, and each time that happens, the nc listening on 5555 shows the same keepalive traffic w/ the same user ID & token information, but not the contents of the actual /admin/token page...
I have a feeling I am missing something in item 3 listed above - something not right w/ how i have the script.js payload set up...
Been stuck on this for way longer than I care to, any guidance would be greatly appreciated.
- CyberSharpe
Bronze III
johndoe321I changed the script to a different port to the one being bombarded and did another NC listener on that different port. Roled right in.
- johndoe321
Wow that did it instantly, thank you CyberSharpe!! Guess 5555 is already in-use/bound to the first exploit...
